On 3/27/20 1:27 AM, Larry M. Smith via mailop wrote:

> .. I see _no_ value in the millions of hashes (over 196M) that appear to
> have only ever been exposed once.  No one is going to load up and
> attempt a dictionary attack of those used-only-once hashes.  It sure as
> heck doesn't mean a thing about if a specific user has been compromised
> without any context to go with the password.

I know what you mean, but there's also another way of looking at it,
which is that if a complex password like "4!Jqkxn#cwRekaxqc" is on the
list, it's there because someone's "secure" password has been stolen.

And if it's been stolen, the person who stole it probably also knows a
username or email password that goes with the password.

And if they know that, it's best that the user doesn't sign up for new
services using that same username/email and password.

Put another way, the "HaveIBeenPwned" database contains two kinds of
passwords: trivially weak passwords, which nobody should ever use; and
complex passwords that you would never see as a checksum match unless
the original person who had their password stolen is still trying to use
it elsewhere, which is also a bad idea.

-- 
Robert L Mathews, Tiger Technologies, http://www.tigertech.net/

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
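The checksum-match lookup the thread refers to is the Pwned Passwords k-anonymity scheme: the client hashes the candidate password with SHA-1, sends only the first five hex characters, and receives every known hash suffix with that prefix together with its exposure count, then matches the remainder locally. The following is an added example, not code from the thread or from the HaveIBeenPwned project. It simulates the server side over a constructed corpus (the counts and the leaked passwords are made up; the complex string is the one quoted above) and implements the policy argued for here: a password is rejected on any match, including a count of one, since a once-seen complex password means someone's stolen credential.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed sample "breach corpus": plaintext -> number of times seen.
# Fabricated for this example. The weak entries stand for trivially weak
# passwords; the complex one for a stolen "secure" password seen exactly once.
CONSTRUCTED_LEAK: Dict[str, int] = {
    "password": 1_000_000,
    "123456": 900_000,
    "4!Jqkxn#cwRekaxqc": 1,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password (the Pwned Passwords format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hash_hex: str) -> Tuple[str, str]:
    """k-anonymity split: the 5-char prefix that is sent, the 35-char suffix that is not."""
    return hash_hex[:5], hash_hex[5:]


def build_range_index(leak: Dict[str, int]) -> Dict[str, List[str]]:
    """Simulated server side: map each 5-char prefix to its 'SUFFIX:COUNT' lines."""
    index: Dict[str, List[str]] = {}
    for pw, count in leak.items():
        prefix, suffix = split_hash(sha1_hex(pw))
        index.setdefault(prefix, []).append(f"{suffix}:{count}")
    return index


def make_range_lookup(index: Dict[str, List[str]]) -> Callable[[str], str]:
    """Return a function that answers a prefix query with a newline-separated body.

    Stands in for the HTTP range endpoint; an unknown prefix yields an empty body.
    """
    def lookup(prefix: str) -> str:
        return "\n".join(index.get(prefix, []))
    return lookup


def pwned_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """Client side: send only the prefix, match the suffix locally. 0 means not found."""
    prefix, suffix = split_hash(sha1_hex(password))
    for line in range_lookup(prefix).splitlines():
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def acceptable(password: str, range_lookup: Callable[[str], str]) -> bool:
    """Policy from the thread: any exposure, even a single one, rejects the password."""
    return pwned_count(password, range_lookup) == 0


# Local stand-in for the remote service, built from the constructed corpus.
LOOKUP = make_range_lookup(build_range_index(CONSTRUCTED_LEAK))


if __name__ == "__main__":
    for candidate in ("password", "4!Jqkxn#cwRekaxqc", "correct horse battery staple"):
        n = pwned_count(candidate, LOOKUP)
        verdict = "accept" if acceptable(candidate, LOOKUP) else "reject"
        print(f"{candidate!r}: seen {n} time(s) -> {verdict}")
```

The server never learns the full hash, only the five-character prefix, so the check can run against a third-party service without disclosing the password; the policy decision (reject on count >= 1) is made entirely on the client.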