Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

You’re assuming an attacker can access this database somehow? And that the LSH of “somebody else” is reversible? I’ve don’t understand the vulnerability you’re describing.


> You’re assuming an attacker can access this database somehow?

Well yeah. Protecting against this is the exact reason passwords aren't stored in plaintext.


Yes, obviously, I'm just saying it's a potential vulnerability that doesn't exist if you don't store the LSH. The LSH doesn't need to be reversible - I'm just saying that you now have a situation where if you can find multiple people with the same LSH, if one their passwords becomes known to an attacker for any reason (the attacker could be one of those people!), the other passwords are now much easier to guess.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: