Reply to post: Re: Storing passwords in plain text?

For Foxit's sake: PDF editor biz breached, users' passwords among stolen data

Bill Gray

Re: Storing passwords in plain text?

Hmmm... Maybe I'm missing something, but it sounds to me as if you're addressing a different set of issues.

My thought is as follows. For randomsite.com, my password is my first pet's maiden name, ⅔‫‫ש‬ל‬фщ®куè (I used to pick some odd names for my pets). Within the browser, this is salted/hashed and we get, say, DEADBEEF5318008, all ASCII hex digits. That's what gets passed to randomsite.com. They don't know how long my password is, or if it has non-ASCII characters.

Because I can see the script, I can verify that randomsite.com doesn't know my pet's name; they just know that when salted/hashed, it's DEADBEEF5318008. They really ought to salt/hash it, store the result, and forget about DEADBEEF5318008. But I may not trust them. Or they may screw up.

So then they get hacked. World+dog promptly checks my banking and e-mail and other accounts to see if I used that password elsewhere. Which, of course, I did (doesn't everybody?) But -- because randomsite.com never knew my real password and only saw DEADBEEF5318008, and nobody else knows about my beloved pet ⅔‫‫ש‬ל‬фщ®куè -- they're out of luck.

They can access my randomsite.org account, though. Unless randomsite.com isn't run by bozos after all, and _did_ take the DEADBEEF5318008 I sent them and salted/hashed it.

But this scheme only protects against password re-use (and allows me to use a non-ASCII password). randomsite.com still ought to use https and otherwise follow best practices.
