I understand that if passwords are stored plaintext, then that is awful because that’s a user’s actual password. However, many companies will [hash](https://en.wikipedia.org/wiki/Cryptographic_hash_function) and [salt](https://en.wikipedia.org/wiki/Salt_(cryptography)) user’s passwords and then store that in the database.
I will admit that any data breach is not great as far as security is concerned because you could get data on usernames, DOBs, emails, etc.
But if we’re talking just passwords, if a password is hashed (using secure hash functions – SHA256 – and not MD5) and salted, and subsequently stolen, isn’t that not as big of a deal? I trust the mathematics behind one-way hashing and sure, the attackers got a random string of text but they can’t do anything with it.
If attackers broke into your house and stole a locked safe, the actual breaking into your home is bad (and you should really think about fixing that) but the fact that they have a locked safe that they’ll never be able to mathematically crack in millions of years (turns out actually longer than the known age of the universe) is not that big of a deal right?
In: 1
The problem is that passwords are predictable, reused, and can be brute-forced. There are many password lists with the most common passwords from other data breaches. These are gold mines for crackers. They’ll just use these lists and throw them at their GPUs which can guess millions of passwords per second. They rehash these passwords (perhaps using the salt that was also stolen) and see if there’s a match.
If you don’t want data breaches to not affect you, use a password manager and different passwords for every single site. And MFA wherever available.
So yeah, it’s bad.
Latest Answers