
(Sticking with the obliviousness for a moment) Would they need to store the plaintext password? Hashing every word typed isn't efficient but it's possible to achieve without knowing the plaintext.

It reminds me of Facebook allowing login even when you've mistyped your password: https://security.stackexchange.com/questions/214814/why-can-...




Yes, that's true. But since HN is famously hosted on a single not-so-powerful server, that would be unlikely to be the employed solution.


Considering how laggy the comment box is on Reddit, it makes me wonder if they're not already doing something similar, but client-side in JS. I guess it would expose the salt though.


Exposing the salt isn't an issue; it can (and should) even be a different one for each account.


> Hashing every word typed

Wouldn’t work if your password contains spaces.


But it does! They, instead, hash each letter independently, that's how they can do this.


They just hash every substring that can be a password.

Don't write long comments. Show some love to HN's server carrying its O(n^2) burden.
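The scheme the thread describes, as an added example that is not part of any comment above and not HN's code: a server holding only a per-account salt and a salted hash checks a comment for the account's password, first per word and then per substring. The PBKDF2 parameters, the 8 to 64 character length bounds, and all function names and sample strings are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 1_000  # constructed demo value, kept low so the scan finishes quickly

def slow_hash(text, salt):
    return hashlib.pbkdf2_hmac("sha256", text.encode(), salt, ITERATIONS)

def make_record(password):
    """What the server stores: a per-account salt and the salted hash, no plaintext."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": slow_hash(password, salt)}

def matches(candidate, record):
    return hmac.compare_digest(slow_hash(candidate, record["salt"]), record["hash"])

def word_check(comment, record):
    """Hash each whitespace-separated word. Returns (leaked, hashes_computed)."""
    words = comment.split()
    for i, word in enumerate(words, 1):
        if matches(word, record):
            return True, i
    return False, len(words)

def substring_check(comment, record, min_len=8, max_len=64):
    """Hash every substring within the assumed length bounds.
    Returns (leaked, hashes_computed)."""
    hashes = 0
    n = len(comment)
    for start in range(n):
        for end in range(start + min_len, min(n, start + max_len) + 1):
            hashes += 1
            if matches(comment[start:end], record):
                return True, hashes
    return False, hashes

if __name__ == "__main__":
    record = make_record("correct horse battery")       # constructed password with spaces
    leaky = "my password is correct horse battery lol"  # constructed comment
    clean = "nothing secret in this comment at all"     # constructed comment
    for text in (leaky, clean):
        print(repr(text), word_check(text, record), substring_check(text, record))
```

The per-word check misses the password containing spaces, while the substring check finds it at a cost that grows quadratically with comment length until the maximum-length bound caps it.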



