How on earth can you both not accept the password I copied from my password safe and tell me that I cannot use the same password again?

  • kautau@lemmy.world
    4 months ago

    Why? Probably some wild row length limit being hit where a table storing user data was storing an asinine amount of data, just terrible DB organization in an org where someone said “who even needs a DBA.”

    How? If you can truncate user passwords, you should never handle user passwords again, unless you’re a student or hobbyist learning a valuable lesson.

    • MajorHavoc@programming.dev
      4 months ago

      How? If you can truncate user passwords, you should never handle user passwords again, unless you’re a student or hobbyist learning a valuable lesson.

      Yeah. The real reason to be alarmed is worse than the obvious one.

      If a partial version of what was originally set actually works later, it implies a scary chance they’re not even hashing the password before storing it.

      • sloppy_diffuser@sh.itjust.works
        4 months ago

        Also suggests the user may be reusing the same prefix if only the changed bits are getting truncated.

        Should use different random passwords every time. Completely random or a random string of words. While it doesn’t solve the cleartext password storage issue, a data breach won’t compromise all your other accounts to the same degree.

        Doesn’t hurt to also randomize usernames, emails, and even security question answers.

        edit: or my new favorite, passkeys, just make sure you trust whatever tool is managing your private keys.

        • kautau@lemmy.world
          4 months ago

          Not how password hashing works. Demonstrated with sha256:

          hunter2butitsreallylong:
          a9953dfbfec699349341edc857dcfe5c7a617c81f312cf57297d5b852881bab3

          hunter2:
          f52fbd32b2b3b86ff88ef6c490628285f482af15ddcb29541f94bcf526a3f6c7

          A hash algorithm encompasses all provided data and returns a single fixed-length data response.

          https://en.wikipedia.org/wiki/Cryptographic_hash_function

          Any changes, even just removing a few characters, drastically change the output of the hash function (https://en.wikipedia.org/wiki/Avalanche_effect).

          You have no way of knowing a user password when you are storing hashes, you can’t truncate them, and the user password length doesn’t matter (up to a certain point where it’s technologically dumb to hash user input over a certain amount of data).

          I do agree however that changing / randomizing your password is important, as someone brute forcing or running rainbow tables etc. on a hash dump can quickly attack a common password across different dumps.
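
Added example (not part of the thread or of any participant's comment): a constructed Python model of one way a site could produce the symptom in the title while still hashing passwords, assuming a hypothetical change-password form that silently truncates input to `MAX_LEN` characters before hashing while the login form hashes the full input. `BuggySite`, `FixedSite`, `MAX_LEN` and the sample password are assumptions made for illustration, not the behaviour of any real site.

```python
import hashlib
import hmac
import os

MAX_LEN = 16  # assumed limit applied by the hypothetical change-password form


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash over the *entire* input; the output length is fixed.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class BuggySite:
    """Change-password path truncates before hashing; login path does not."""

    def __init__(self):
        self.salt = None
        self.stored = None

    def set_password(self, password: str) -> str:
        candidate = password[:MAX_LEN]  # the bug: silent truncation
        if self.stored is not None and hmac.compare_digest(
                hash_password(candidate, self.salt), self.stored):
            return "rejected: cannot reuse current password"
        self.salt = os.urandom(16)
        self.stored = hash_password(candidate, self.salt)
        return "ok"

    def login(self, password: str) -> bool:
        # Full input is hashed here, so the digest differs from the stored one.
        return hmac.compare_digest(hash_password(password, self.salt), self.stored)


class FixedSite(BuggySite):
    def set_password(self, password: str) -> str:
        if len(password) > 128:  # explicit, visible limit instead of truncation
            return "rejected: too long"
        if self.stored is not None and self.login(password):
            return "rejected: cannot reuse current password"
        self.salt = os.urandom(16)
        self.stored = hash_password(password, self.salt)
        return "ok"


SAFE_PW = "correct-horse-battery-staple-42"  # constructed sample, 31 characters
```

On `BuggySite` the full password from the safe fails at login, its first 16 characters succeed, and re-submitting it on the change form is refused as a reuse; `FixedSite` hashes the same input on both paths, so only the full password verifies.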