If a password is securely stored, is a password breach really that bad?


I understand that if passwords are stored plaintext, then that is awful because that’s a user’s actual password. However, many companies will [hash](https://en.wikipedia.org/wiki/Cryptographic_hash_function) and [salt](https://en.wikipedia.org/wiki/Salt_(cryptography)) users’ passwords and then store that in the database.

I will admit that any data breach is not great as far as security is concerned because you could get data on usernames, DOBs, emails, etc.

But if we’re talking just passwords, if a password is hashed (using secure hash functions – SHA256 – and not MD5) and salted, and subsequently stolen, isn’t that not as big of a deal? I trust the mathematics behind one-way hashing and sure, the attackers got a random string of text but they can’t do anything with it.

If attackers broke into your house and stole a locked safe, the actual breaking into your home is bad (and you should really think about fixing that) but the fact that they have a locked safe that they’ll never be able to mathematically crack in millions of years (turns out actually longer than the known age of the universe) is not that big of a deal right?


5 Answers

Anonymous 0 Comments

If you personally have a good password, there’s no real worry, though it’s good practice to change your password anyway.

For the entire userbase it is a problem, because not everyone has a good password, so some amount of users will have passwords that are on or close to wordlists, and they will have their passwords cracked. A lot of them are likely to reuse passwords across sites, so their other accounts may also be in danger. It’s quite bad for the overall online ecosystem.
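The point made in this answer, as an added example that is not part of the original thread: a constructed dump of salted SHA-256 records (the storage scheme the question describes) and a tiny constructed wordlist. The per-record salt stops precomputed tables, but a weak password that is on the wordlist is still recovered by hashing each guess under that record's salt; the strong password is not. The same wordlist check run at registration is the defender-side mitigation. All user names, passwords and the wordlist are made up for the demo.

```python
import hashlib
import os

def hash_password(salt: bytes, password: str) -> str:
    """Salted SHA-256, the scheme the question assumes is 'safe enough'."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def make_breach_dump():
    """Constructed 'breached' table: (username, salt, salted digest)."""
    users = {
        "alice": "password123",                                # constructed: weak, on the wordlist
        "bob": "Tr0ub4dor&3-correct-horse-battery-staple",     # constructed: not on any wordlist
    }
    dump = []
    for name, pw in users.items():
        salt = os.urandom(16)                                  # unique salt per user, as recommended
        dump.append((name, salt, hash_password(salt, pw)))
    return dump

# Constructed, deliberately tiny stand-in for a real wordlist.
WORDLIST = ["123456", "password", "qwerty", "password123", "letmein"]

def recover_weak_passwords(dump, wordlist):
    """What a breach recipient can do offline: the salt is stored beside the
    digest, so each guess is simply re-hashed with that salt. Only passwords
    present in the wordlist are ever found; strong ones stay protected."""
    found = {}
    for name, salt, digest in dump:
        for guess in wordlist:
            if hash_password(salt, guess) == digest:
                found[name] = guess
                break
    return found

def is_on_wordlist(password: str, wordlist) -> bool:
    """Defender-side check: reject at registration anything a wordlist
    would recover, so a later breach yields nothing usable."""
    return password in set(wordlist)

if __name__ == "__main__":
    dump = make_breach_dump()
    print("recovered from dump:", recover_weak_passwords(dump, WORDLIST))
    for _, pw in [("alice", "password123"), ("bob", "Tr0ub4dor&3-correct-horse-battery-staple")]:
        print(pw, "-> rejected" if is_on_wordlist(pw, WORDLIST) else "-> accepted")
```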
