Hacker News new | past | comments | ask | show | jobs | submit login

I don't think that's necessarily true. Let's say they have all of the passwords stored as bcrypt hashes, and they also know the last time you changed your password. They could just update the application logic to check that your password is of the form <pw><pw> if your last change date is before X. Then to check the password, they just take the first half and check that against the hash.



So, in other words, this is an elaborate prank?


It's a moderately aggressive way to get people to change their passwords (more aggressive than an email or prompt, less aggressive than forcing upon login)


If that happened to me I'd just keep the doubled password. It seems more secure (it's not), and I already remember it.

This approach just seems dumb.


This would break passwords like "foofoo", since they'd think it was already doubled, they'd check "foo" against the hash and it would fail. Then again, you can get around that with doubling it again after checking, so I don't know.


Why is this a problem? If your password is "foofoo" and was set after the cutoff, then it won't be halved; if it is "foofoo" and was set before the cutoff, it will be halved, and then not match the password in the database, as intended.


this, i'm not sure why it is hard to see that this is easy to implement without storing passwords in plaintext.


You have to have stored the last password change date, which many systems don't do.


If they didn't before, they can start storing it to implement this.


Passwords prior to the doubling were a fixed length, so they could always assume the first eight characters of a 16 character password (which hasn't been changed manually) is the original password.

Of course, anyone who has a leak of the original passwords can equally just send a a double of it, so I'm not sure what benefit this is supposed to be offering.


Yep, basically:

    if(userHasUpdatedPw) { checkPw(hash(pw)) }
    else{ checkPw(hash(pw+pw)) }


More like:

    if(userHasUpdatedPw) { checkPw(hash(pw)) }
    else{ checkPw(hash(assertDoubledAndTakeHalf(pw)))}


Probably


  "password123password123".match(/^(.+)\1$/)[1]


[deleted]


Doubling doesn't provide a benefit, no matter how well they hash or don't hash.


It annoys people into updating their password, for one.


Which they could of accomplished with a password reset via email.


It's a .edu. The password you just reset is the same as the password for their email.


Whether it provides a benefit or not is unrelated to the fact that they don't need to know your plaintext password to use something like the regex I wrote to detect a string duplicated twice and extract the first match prior to hashing/checking against the DB.


Oh God...




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: