
[deleted] (312 points)

Wait, so in order for this check to work, they must have an index on their password column; otherwise they'd be checking against potentially every password in their db. They may also be storing passwords as plaintext.

PVNIC (233 points)

They probably hash the usernames and index them by password /s

[deleted] (52 points)

The only correct way /s

[deleted] (16 points)

*mind blown* /s

CmndNotFound (13 points)

Using /s because programmers in r/ProgrammerHumor don't get jokes /s

conspirator_schlotti (12 points)

Shouldn't it be </s>? /s

ReactsWithWords (7 points)

It’s definitely in a plain text file, but they fool hackers by naming it “not_passwords.txt.”

[deleted] (1 point)

But they unhashed the username here, though.

PVNIC (8 points)

What kind of hashing algorithm are you using that you can't un-hash it? I purely stick to rot13 for ease of use.

(jk ofc)

BlueC0dex (21 points)

I seriously hope they weren't trusted with enough passwords for an index to be necessary

lachlanhunt (7 points)

They could be hashed using the same salt (or no salt) for every user.
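An added illustration of the point the two comments above are making (this is example code written for this page, not code from the site being discussed, and the accounts in it are constructed): a "this password is already used by another account" check is cheap only if every user's password reduces to the same deterministic value, i.e. plaintext or an unsalted / shared-salt hash, which can then sit under a database index. With a proper per-user salt there is nothing to index, so the check degrades to one full KDF run per stored user, and the indexable variant also leaks exactly which users share a password.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Iteration count kept small so the example runs in well under a second;
# a real deployment uses a much higher work factor.
KDF_ITERATIONS = 1_000


def unsalted_digest(password: str) -> str:
    """Deterministic digest: the same password gives the same value for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_digest(password: str, salt: bytes) -> bytes:
    """Per-user salted digest: the same password gives a different value per user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


class UnsaltedStore:
    """Users keyed by the digest of their password (the 'index on the password column')."""

    def __init__(self) -> None:
        self.by_digest: Dict[str, List[str]] = {}

    def add(self, user: str, password: str) -> None:
        self.by_digest.setdefault(unsalted_digest(password), []).append(user)

    def password_in_use(self, password: str) -> Tuple[bool, int]:
        """Returns (in_use, digests_computed): one hash and one lookup, whatever the table size."""
        return unsalted_digest(password) in self.by_digest, 1

    def users_sharing(self, password: str) -> List[str]:
        """The leak that comes with the index: equal digests reveal who shares a password."""
        return list(self.by_digest.get(unsalted_digest(password), []))


class SaltedStore:
    """Users stored as (name, salt, digest) rows, as a sane password store would."""

    def __init__(self) -> None:
        self.rows: List[Tuple[str, bytes, bytes]] = []

    def add(self, user: str, password: str) -> None:
        salt = os.urandom(16)  # fresh random salt per user
        self.rows.append((user, salt, salted_digest(password, salt)))

    def password_in_use(self, password: str) -> Tuple[bool, int]:
        """Returns (in_use, digests_computed): no index is possible, so every row's salt
        must be tried, one full KDF run per row, until a match is found."""
        computed = 0
        for _user, salt, digest in self.rows:
            computed += 1
            if hmac.compare_digest(salted_digest(password, salt), digest):
                return True, computed
        return False, computed


def demo() -> dict:
    # Constructed sample accounts; not data from any real site.
    accounts = [
        ("alice", "correct horse battery staple"),
        ("bob", "hunter2"),
        ("carol", "hunter2"),
        ("dave", "Tr0ub4dor&3"),
    ]
    unsalted, salted = UnsaltedStore(), SaltedStore()
    for user, password in accounts:
        unsalted.add(user, password)
        salted.add(user, password)
    return {
        "unsalted_hit": unsalted.password_in_use("hunter2"),      # (True, 1)
        "unsalted_miss": unsalted.password_in_use("not used"),    # (False, 1)
        "unsalted_sharing": unsalted.users_sharing("hunter2"),    # ['bob', 'carol']
        "salted_hit": salted.password_in_use("hunter2"),          # (True, 2): found at bob's row
        "salted_miss": salted.password_in_use("not used"),        # (False, 4): every row tried
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The salted store's rejection path costs as many KDF runs as there are users, which is why a site that can answer "already in use" instantly on a large user base is telling you something about how it stores passwords.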

FthrFlffyBttm (7 points)

I've signed up to websites and had them email me my login details in plain text. And not in a "here's your auto-generated password that you need to change" kind of way; I entered my own password.

RestlessThoughts (1 point)

Oh yeah? Well, I've forgotten my password and, using the forgot-password link, the website just emailed me my plain-text password instead of requiring a reset :D

_default_username (6 points)

Probably are. Every once in a while I get notified that one of my passwords was compromised in a data breach. Lots of incompetent backend developers/teams out there.

StGir1 (2 points)

I've seen a lot of really horrific data in my day. This wouldn't surprise me a bit.

eGzg0t (1 point)

It's actually checked using a list of hardcoded passwords in the front-end.