On 3/27/20 1:27 AM, Larry M. Smith via mailop wrote:

> .. I see _no_ value in the millions of hashes (over 196M) that appear to
> have only ever been exposed once. No one is going to load up and
> attempt a dictionary attack of those used-only-once hashes. It sure as
> heck doesn't mean a thing about if a specific user has been compromised
> without any context to go with the password.
I know what you mean, but there's also another way of looking at it, which is that if a complex password like "4!Jqkxn#cwRekaxqc" is on the list, it's there because someone's "secure" password has been stolen. And if it's been stolen, the person who stole it probably also knows a username or email password that goes with the password. And if they know that, it's best that the user doesn't sign up for new services using that same username/email and password.

Put another way, the "HaveIBeenPwned" database contains two kinds of passwords: trivially weak passwords, which nobody should ever use; and complex passwords that you would never see as a checksum match unless the original person who had their password stolen is still trying to use it elsewhere, which is also a bad idea.

-- 
Robert L Mathews, Tiger Technologies, http://www.tigertech.net/

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
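The "checksum match" discussed above is, in practice, a Pwned Passwords range lookup: the client hashes the candidate password with SHA-1, sends only the first five hex characters, and compares the returned suffixes locally, so a match is found without the password or its full hash leaving the machine. The Python below is an added example, not code from either poster or from HaveIBeenPwned; the "leaked" sample, its counts, and the in-process `fetch_range` standing in for the real range endpoint are all constructed.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the hash form the Pwned Passwords list uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the server side: a few "leaked" passwords with
# made-up breach counts, indexed the way a range endpoint serves them
# (5-hex-char prefix -> lines of "SUFFIX:COUNT"). Not real HIBP data.
LEAKED_SAMPLE = {
    "password1": 2_000_000,        # trivially weak, seen everywhere
    "4!Jqkxn#cwRekaxqc": 1,        # complex, yet present once: stolen and reused
}


def build_ranges(leaked: dict) -> dict:
    ranges = {}
    for pw, count in leaked.items():
        digest = sha1_hex(pw)
        ranges.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return {prefix: "\n".join(lines) for prefix, lines in ranges.items()}


RANGES = build_ranges(LEAKED_SAMPLE)


def fetch_range(prefix: str) -> str:
    """Simulates GET /range/{prefix}; only the 5-char prefix is ever sent."""
    assert len(prefix) == 5
    return RANGES.get(prefix, "")


def parse_range(body: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}, skipping blanks."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str) -> int:
    """k-anonymity lookup: send the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    return parse_range(fetch_range(digest[:5])).get(digest[5:], 0)


def acceptable(password: str) -> bool:
    # Policy argued in the reply: any match, whether seen once or two
    # million times, means an attacker already holds the password.
    return breach_count(password) == 0
```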