"this is a common password."
@shlee by even knowing that, you know they cannot be storing your password securely

@mirabilos @shlee Incorrect, Telstra check known hashes in-browser using the public pwnedpasswords api.

https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity

Validating Leaked Passwords with k-Anonymity

Today, v2 of Pwned Passwords was released as part of the Have I Been Pwned service offered by Troy Hunt. Containing over half a billion real world leaked passwords, this database provides a vital tool for correcting the course of how the industry combats modern threats against password security.

The Cloudflare Blog

@benjidubs @shlee interesting! That was a way that hadn’t occurred to me.

And (thanks for the link) the anonymisation of the query applied also makes the unsalted hash problem not really applicable.

It’s a GDPR violation, though…

@mirabilos @shlee They might be (hopefully are) using k-Anonymity with HIBP, which would be ok

https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/

I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download

Last August, I launched a little feature within Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) I called Pwned Passwords [https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/]. This was a list of 320 million passwords from a range of different data breaches which organisations could use to better protect their own systems.

Troy Hunt

@dezz @shlee yes, but still a GDPR violation

@dezz @shlee hm though, if it’s in the login flow, they can obtain permission first

@shlee @mirabilos assuming it’s from their own database and not based on public lists of common passwords from old breaches. e.g. something like this service: https://haveibeenpwned.com/Passwords

Have I Been Pwned: Pwned Passwords

Pwned Passwords is a huge corpus of previously breached passwords made freely available to help services block them from being used again.

Have I Been Pwned