Comment on OP finds vulnerability where a forum sends you your password in plaintext over email and everyone misses the forest for the trees

• MajorHavoc@lemmy.world ⁨8⁩ ⁨months⁩ ago

  Reversible hashed password storage isn’t meaningfully better than clear text.

  • The key to reverse the hash is typically (necessarily) stored in the same infrastructure as the password. Bad actors with access to one have access to the combination.
  • Even if an attacker fails to exfiltrate the key to the reversible hash, it’s typically only a matter of days at the most before they can reverse engineer it, and produce plain text copies of every password they obtained the hash of.

  A reversible hash provides a paper thin layer of protection against accidental disclosure. A one way hash is widely considered the bare minimum for password storage.

  Anyone claiming a password has been protected, and then being able to produce the original password, is justly subject to ridicule in security communities.

  source

  • Bitrot@lemmy.sdf.org ⁨8⁩ ⁨months⁩ ago

    The one they were sending at registration was prior to hashing.

    source

    • MajorHavoc@lemmy.world ⁨8⁩ ⁨months⁩ ago

      That’s technically less terrible, then.

      Good for them.

      source
• KairuByte@lemmy.dbzer0.com ⁨8⁩ ⁨months⁩ ago

  I wasn’t trying to claim what was happening here, simply that one (extremely) bad practice increases the chance of another.

  source