Re: Sites sharing passwords with each other?
@JohnFen wrote:
"Done correctly, no passwords are being shared. They'd be sharing password hashes instead"
Done "correctly" the hashes would all be completely different on different sites, even for the SAME password, and even different for the SAME password used for another account on the SAME site.
If you change your password for the SAME password (assuming this was allowed), the resulting data should again appear completely different.
They should be using per-login stored random salts, preferably long ones of 64 bits minimum, and at least 128 bits in my opinion, with iterative hashing, with a minimum number of iterations, the number of extra iterations being somehow controlled by the user's salt data and/or some other data. They could also perhaps add a site-wide salt (or pepper) to differentiate the site from others.
The hash itself should therefore be completely randomized, and without running through the algorithm with its stored data AND the password, it should otherwise be impossible to tell if any particular passwords match anything used on other sites.
If they shared any other data with other sites to compare passwords used on those other sites, then that too would be grossly insecure and I would be very angry indeed with them.
To me, the fact that they think they could do this says much about their own (in)security.
Personally I wouldn't store hashes at all. It would be something different, but require hashing of course.
But just storing the raw output from a known hash algorithm is completely dumb, to say the least.
Shaun.
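
The scheme described in the post above (per-login random salt, iterated hashing, site-wide pepper), as an added example that is not part of the original post. The choice of PBKDF2-HMAC-SHA256, the 600,000 iteration floor, the way the salt selects extra iterations, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 16            # 128-bit per-login salt, the size the post prefers
MIN_ITERATIONS = 600_000   # assumed floor for PBKDF2-HMAC-SHA256, not a figure from the post


def _iterations(salt: bytes, floor: int) -> int:
    # One reading of "extra iterations controlled by the salt": add 0..65535 rounds.
    return floor + int.from_bytes(salt[:2], "big")


def _derive(password: str, salt: bytes, pepper: bytes, floor: int) -> bytes:
    # The site-wide pepper keys an HMAC over the password, so it never sits in the DB row.
    keyed = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, _iterations(salt, floor))


def make_record(password: str, pepper: bytes, floor: int = MIN_ITERATIONS) -> dict:
    """Build the stored row for one login; a fresh random salt is drawn every call."""
    salt = secrets.token_bytes(SALT_BYTES)
    return {"salt": salt, "floor": floor, "digest": _derive(password, salt, pepper, floor)}


def verify(password: str, record: dict, pepper: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = _derive(password, record["salt"], pepper, record["floor"])
    return hmac.compare_digest(candidate, record["digest"])


def demo(floor: int = MIN_ITERATIONS) -> dict:
    password = "correct horse battery staple"   # constructed sample password
    site_a = secrets.token_bytes(32)            # constructed pepper for site A
    site_b = secrets.token_bytes(32)            # constructed pepper for site B
    rows = {
        "site A, account 1": make_record(password, site_a, floor),
        "site A, account 2": make_record(password, site_a, floor),
        "site A, account 1 after reset to same password": make_record(password, site_a, floor),
        "site B, account 1": make_record(password, site_b, floor),
    }
    return {"rows": rows, "peppers": (site_a, site_b), "password": password}


if __name__ == "__main__":
    for label, row in demo()["rows"].items():
        print(f"{label}: {row['digest'].hex()}")
```

All four stored digests differ even though the password is identical, so a site holding one row cannot match it against another row without the other row's salt, the other site's pepper, and a password guess.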