Changing Forum Password
Comments
-
Just searched for this as I got a password change notice. The fact that they are targeting users to change their passwords means either the passwords are stored in plain text, they are not using a one way hash or they are using unsalted hashes which are subject to rainbow table attacks. Either one isn't good......
Not necessarily. Suppose you have one million users, each with a distinct salt, using SHA1, which a few years ago would have been considered pretty good practice. Suppose you have one of these. At 63 billion hashes per second, you can check 63 thousand candidate passwords per user per second, or about 0.2 billion candidate passwords per user per hour. Renting a box like that for an hour would be a pretty good way to check your large website for vulnerable passwords.
I've just changed my password to 32 random characters drawn from the full printable ASCII range, which (unusually) MSE accepts. That's about 211 bits. The device above would need several billion, billion, billion times the life of the universe to crack it. That's probably OK :-)
-
Just searched for this as I got a password change notice. The fact that they are targeting users to change their passwords means either the passwords are stored in plain text, they are not using a one way hash or they are using unsalted hashes which are subject to rainbow table attacks. Either one isn't good......
It may be time to delete my account
How are you going to do that?
-
What I want to know is, how do MSE know that my password is weak?
-
....I refer you to reading #post 5. What I want to know is, how do MSE know that my password is weak?
:A:dance:1+1+1=1:dance::A
"Marleyboy you are a legend!"
MarleyBoy "You are the Greatest"
Marleyboy You Are A Legend!
Marleyboy speaks sense
marleyboy (total legend)
Marleyboy - You are, indeed, a legend.
-
Just checked, good news, they do hash.
Bad news, they use md5, which is the easiest hashing algorithm available to break. So it won't take much brute forcing to reverse the passwords out. I'm guessing it's not salted either.
-
MD5 :eek: Keeping passwords safe since 1992
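An added example, not part of any post in this thread: the unsalted MD5 storage the posters worry about, next to a per-user salt with a slow KDF, plus the per-user guess-rate and entropy arithmetic from the earlier reply. The function names, the PBKDF2 iteration count and the 95-character alphabet are assumptions made for this example.

```python
import hashlib
import hmac
import math
import os
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example, not a value from the thread


def md5_unsalted(password: str) -> str:
    """Weak scheme discussed in the thread: one fast, unsalted MD5 per password."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def guesses_per_user_per_second(total_rate: float, users: int) -> float:
    """With distinct salts, each candidate must be hashed once per user."""
    return total_rate / users


def random_password_bits(length: int, alphabet_size: int = 95) -> float:
    """Entropy of a uniformly random password (95 = printable ASCII incl. space, assumed)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample: two accounts that chose the same password.
    print("unsalted MD5 rows match:", md5_unsalted("letmein") == md5_unsalted("letmein"))
    s1, d1 = hash_password("letmein")
    s2, d2 = hash_password("letmein")
    print("salted rows differ:", d1 != d2, "| verifies:", verify_password("letmein", s1, d1))
    print("guesses/user/s:", guesses_per_user_per_second(63e9, 1_000_000))
    print("bits in 32 random chars:", round(random_password_bits(32), 1))
```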
This discussion has been closed.