1. 35

  2. 3

    It should be enough to salt the password with a site secret before hashing the password, right? Or am I missing something?

    1. 10

      He is not sharing compromised hashes. The list is full of passwords that were associated with one or more accounts in plaintext or were otherwise cracked. The reason he gives out the information as SHA1 hashes is to increase the effort required to have the full list of passwords in plaintext. This allows people who know their own passwords to hash them and see if the hash is in the gigantic file, but someone else wanting to use this, i.e. as his John the Ripper seed, would need to spend significant time on brute-forcing all of those first.

      1. 3

        I honestly don’t see much difference from just releasing the passwords; I know people in the competitive password cracking scene will chew through the vast, vast majority of these in days’ time. I actually use the hashes.org leaked list on penetration tests, and they have a wonderful % cracked statistic for each of the password lists as well as the plaintext download. I predict that it’ll be 95% cracked by the end of the week.

        1. 5

          I know people in the competitive password cracking scene will chew through the vast, vast majority of these in days’ time

          People in the competitive password cracking scene most likely already have access to this data - it’s all publicly accessible anyway somewhere or other.

          1. 2

            Troy said some passwords reveal personal information. I can only imagine what could potentially be around behind those hashes.

            I predict that it’ll be 95% cracked by the end of the week.

            It at least gives the general public a week to check if their re-used password is there, with an easy web interface to test that. People who know what they are doing are not really impacted by that release… but it can serve as a nice way to make some less technical people more aware.

            1. 2

              Passwords that “normal users” use almost exclusively have personally identifying info (pets, family, street addresses, phone numbers, job titles, etc.). I feel like this is just casting FUD about whether accounts are compromised; the effect of showing someone a hash vs. showing their password in plaintext is surprisingly psychological in my experience. Plus, if I have learned anything since things like the LinkedIn dumps, no one actually checks to a degree that attackers normally care.

              HIBP has been around for ages, this isn’t just a week thing, and it hasn’t changed much in my experience. I always like HIBP because Troy didn’t release it; it always made the barrier to attack having to first find the user information, enter it into the API, check the list for a match of the compromised account with a public wordlist, and actually match the account. This is essentially releasing it without a couple percent of passwords.

          2. 1

            Thanks, I missed that part.
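The two sides of the mechanism argued over above (a user hashes their own password and looks it up; an attacker has to run the hash list through a cracker before it is usable as a wordlist; a site secret makes the lookup stop matching), as an added example that is not code from this thread or from HIBP. The sample hash list, the wordlist and the site secret are constructed inline for the demo; the real file is far larger but has the same one-unsalted-SHA1-per-line format.

```python
import hashlib

# Constructed sample: three common passwords, stored as SHA-1 hex digests the
# way the released file stores them (hashes only, no plaintext). They are
# hashed here for the demo and are not taken from the real list.
_SAMPLE_PLAINTEXTS = ["password", "letmein", "qwerty123"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the UTF-8 password, upper-case hex: the list's format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def load_hash_set(lines) -> set:
    """Parse one hash per line into a set for O(1) membership tests."""
    return {line.strip().upper() for line in lines if line.strip()}


LEAKED_HASHES = load_hash_set(sha1_hex(p) for p in _SAMPLE_PLAINTEXTS)


def is_pwned(password: str, hashes=LEAKED_HASHES) -> bool:
    """What a user does: hash their own password locally and look it up.
    The plaintext never has to leave the machine; only the hash is compared."""
    return sha1_hex(password) in hashes


def is_pwned_with_site_secret(password: str, secret: str, hashes=LEAKED_HASHES) -> bool:
    """The salting question from the thread: if a site hashes SHA-1(secret + password)
    instead, its stored hashes never match the list, because the list holds plain
    SHA-1(password). That protects the site's own hash dump but does not make a
    leaked plaintext any less leaked; the user-side check must use plain SHA-1."""
    peppered = hashlib.sha1((secret + password).encode("utf-8")).hexdigest().upper()
    return peppered in hashes


def crack_with_wordlist(hashes: set, wordlist) -> dict:
    """What an attacker does: hash each wordlist candidate and match it against the
    whole set. Because the list is unsalted, one SHA-1 per candidate tests it against
    every leaked hash at once, which is why the thread expects it to be mostly
    cracked within days."""
    cracked = {}
    for word in wordlist:
        h = sha1_hex(word)
        if h in hashes:
            cracked[h] = word
    return cracked


def crack_rate(hashes: set, wordlist) -> float:
    """The '% cracked' statistic mentioned for hashes.org: recovered / total."""
    if not hashes:
        return 0.0
    return len(crack_with_wordlist(hashes, wordlist)) / len(hashes)


if __name__ == "__main__":
    # Constructed attacker wordlist (hypothetical; a real run would use a large one).
    wordlist = ["123456", "password", "letmein", "dragon"]
    print("is_pwned('password'):", is_pwned("password"))
    print("peppered lookup matches:", is_pwned_with_site_secret("password", "s3cret"))
    print("cracked:", crack_with_wordlist(LEAKED_HASHES, wordlist))
    print("crack rate: %.0f%%" % (100 * crack_rate(LEAKED_HASHES, wordlist)))
```

The design point is that the list format forces the user-side check to compute exactly SHA-1(password) with no salt; any site-specific secret has to be applied after the check, when the password is stored, not before it.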