
On 04/05/2016 11:21 AM, Chris Swingler wrote:
Possibly, though I'd lean more toward the password list coming from a phishing site, in which case everything would be in the clear, and testing it against their own properly salted, hashed password database would be trivial.
That does make sense, and I have no objection to that scenario.
--Joey Kelly
On Apr 5, 2016, at 11:18 AM, Joey Kelly via Outages <outages@outages.org> wrote:
On 04/05/2016 10:51 AM, DJ Anderson via Outages wrote:
I got one of those a few weeks ago.
When I inquired about it I was told that the password I was using was found on some leaked password list and due to that they had set a temporary password to protect my account.
-DJ
Does that not imply they are not using salted hashes, but storing the passwords in plaintext? Or maybe they're intercepting the passwords and testing them against a dictionary? I might be OK with the latter, maybe (but who appointed them to be the world's password police?)
--Joey Kelly
<snip>
--
Joey Kelly
Minister of the Gospel and Linux Consultant
http://joeykelly.net
504-239-6550
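
Added example, not part of the original thread and not any provider's actual code: the scenario Chris Swingler describes, where a leaked list of cleartext (account, password) pairs is tested against a salted, hashed password database, so the provider never needs to store plaintext. PBKDF2-SHA256, the iteration count, the record layout and all names and sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier from a password and that user's salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> dict:
    """What the provider keeps per account: salt and hash only, no plaintext."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "force_reset": False}


def flag_exposed_accounts(user_db: dict, leaked_pairs: list) -> list:
    """Re-hash each leaked password with the matching account's own salt.

    A match means the password in the leak is still the live one, so the
    account is marked for a forced reset. One hash per leaked pair.
    """
    flagged = []
    for username, leaked_password in leaked_pairs:
        record = user_db.get(username)
        if record is None:
            continue  # leaked address is not one of our accounts
        candidate = hash_password(leaked_password, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            record["force_reset"] = True
            flagged.append(username)
    return flagged


# Constructed sample data (not real accounts or a real leak).
USER_DB = {
    "dj@example.org": make_record("hunter2"),
    "chris@example.org": make_record("correct horse battery staple"),
    "joey@example.org": make_record("S3parate-Passw0rd"),
}
LEAKED_PAIRS = [
    ("dj@example.org", "hunter2"),         # same password still in use
    ("joey@example.org", "old-password"),  # leaked password no longer valid
    ("nobody@example.org", "whatever"),    # not a customer
]

if __name__ == "__main__":
    print(flag_exposed_accounts(USER_DB, LEAKED_PAIRS))
```

Because each salt is per-account, the check costs one hash per leaked pair; a leak of bare passwords with no account names would instead need every password hashed against every account's salt.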