How on earth can you both not accept the password I copied from my password safe and tell me that I cannot use the same password again?

  • MajorHavoc@programming.dev
    5 months ago

    How? If you can truncate user passwords, you should never handle user passwords again, unless you’re a student or hobbyist learning a valuable lesson.

    Yeah. The real reason to be alarmed is worse than the obvious one.

    If a partial version of what was originally set actually works later, it implies a scary chance they’re not even hashing the password before storing it.

    • sloppy_diffuser@sh.itjust.works
      5 months ago

      Also suggests the user may be reusing the same prefix if only the changed bits are getting truncated.

      Should use different random passwords every time. Completely random or a random string of words. While it doesn’t solve the cleartext password storage issue, a data breach won’t compromise all your other accounts to the same degree.

      Doesn’t hurt to also randomize usernames, emails, and even security question answers.

      edit: or my new favorite, passkeys, just make sure you trust whatever tool is managing your private keys.

      • kautau@lemmy.world
        5 months ago

        Not how password hashing works. Demonstrated with sha256:

        hunter2butitsreallylong:
        a9953dfbfec699349341edc857dcfe5c7a617c81f312cf57297d5b852881bab3

        hunter2:
        f52fbd32b2b3b86ff88ef6c490628285f482af15ddcb29541f94bcf526a3f6c7

        A hash algorithm encompasses all provided data and returns a single fixed-length data response.

        https://en.wikipedia.org/wiki/Cryptographic_hash_function

        Any changes, even just removing a few characters, drastically changes the output of the hash function (https://en.wikipedia.org/wiki/Avalanche_effect)

        You have no way of knowing a user password when you are storing hashes, you can’t truncate them, and the user password length doesn’t matter (up to a certain point where it’s technologically dumb to hash user input over a certain amount of data)

        I do agree however that changing / randomizing your password is important, as someone brute forcing or running rainbow tables etc on a hash dump can quickly attack a common password across different dumps
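
An added example, not part of any comment in this thread: a constructed model of a site whose set/change-password forms truncate input before hashing while its login form does not, which reproduces both symptoms from the opening post even though only a salted hash is stored. The 16-character limit, the `Site` class and the choice of PBKDF2 are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_LEN = 16  # hypothetical limit silently applied by some forms


def kdf(password: str, salt: bytes) -> bytes:
    """Salted, slow hash of the full input (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def differing_bits(a: str, b: str) -> int:
    """Avalanche effect: count bits that differ between two SHA-256 digests."""
    da = hashlib.sha256(a.encode()).digest()
    db = hashlib.sha256(b.encode()).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))


class Site:
    """Constructed model: set/change forms truncate, the login form does not."""

    def __init__(self):
        self.salt = os.urandom(16)
        self.stored = None

    def set_password(self, password: str) -> None:
        # Input is truncated BEFORE hashing, so only the prefix is protected.
        self.stored = kdf(password[:MAX_LEN], self.salt)

    def login(self, password: str) -> bool:
        # No truncation here: the full password hashes to a different value.
        return hmac.compare_digest(self.stored, kdf(password, self.salt))

    def is_reuse(self, new_password: str) -> bool:
        # The change form truncates again, so the same password "matches".
        candidate = kdf(new_password[:MAX_LEN], self.salt)
        return hmac.compare_digest(self.stored, candidate)


def demo() -> dict:
    full = "hunter2butitsreallylong"  # sample password from the comment above
    site = Site()
    site.set_password(full)
    return {
        "login_full": site.login(full),
        "login_truncated": site.login(full[:MAX_LEN]),
        "rejected_as_reuse": site.is_reuse(full),
        "bits_changed": differing_bits("hunter2", full),
    }
```

Truncating identically on every form hides the symptom but still discards the extra characters; hashing the full input everywhere and enforcing any length limit visibly at entry avoids both problems.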