I understand that if passwords are stored plaintext, then that is awful because that’s a user’s actual password. However, many companies will [hash](https://en.wikipedia.org/wiki/Cryptographic_hash_function) and [salt](https://en.wikipedia.org/wiki/Salt_(cryptography)) user’s passwords and then store that in the database.
I will admit that any data breach is not great as far as security is concerned because you could get data on usernames, DOBs, emails, etc.
But if we’re talking just passwords, if a password is hashed (using secure hash functions – SHA256 – and not MD5) and salted, and subsequently stolen, isn’t that not as big of a deal? I trust the mathematics behind one-way hashing and sure, the attackers got a random string of text but they can’t do anything with it.
If attackers broke into your house and stole a locked safe, the actual breaking into your home is bad (and you should really think about fixing that) but the fact that they have a locked safe that they’ll never be able to mathematically crack in millions of years (turns out actually longer than the known age of the universe) is not that big of a deal right?
In: 1
Most websites, in addition to hashing and salting, have some form of rate limiting to prevent brute force attacks. Having access to the password file lets you test all the passwords you want locally without that stopping you.
Latest Answers