
You can use it for checking whether your password was leaked. You don't need usernames for that.



Are the hashed passwords not salted?


You can perform this check even if they were salted.

Otherwise how could LinkedIn check if you correctly entered your password?

The salt is contained in cleartext as part of the hashed password, so that you can repeat the hashing of the secret and match the two hashes.

The salt improves the security because:

1. even if two users use the same password, you cannot tell that by simply comparing the hashes

2. makes brute force checks much slower because you have to recompute the hash for every hashed password entry rather than once for every dictionary entry

3. Prevents building rainbow tables

(probably other reasons, I'm not a crypto expert)
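The storage and verification scheme described above, as an added example that is not part of the original thread or of LinkedIn's implementation: the salt is kept in cleartext inside the stored string (a hypothetical `pbkdf2$iterations$salt$hash` layout, assumed here), so a known record can still be verified against one candidate password, while two users with the same password get different hashes and an unsalted digest would not.

```python
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical record layout: "pbkdf2$<iterations>$<salt-hex>$<hash-hex>".
# The salt is stored in the clear next to the hash; that is what lets the
# service recompute the hash when a user logs in.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a salted PBKDF2-HMAC-SHA256 record; a fresh random salt per call."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the salt taken from the record and compare."""
    scheme, iterations, salt_hex, hash_hex = stored.split("$")
    if scheme != "pbkdf2":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so verification timing leaks nothing.
    return hmac.compare_digest(digest.hex(), hash_hex)


def unsalted_hash(password: str) -> str:
    """Plain SHA-1 of the password: identical inputs give identical output,
    so equal passwords are visible by comparing records (the thread's point 1)."""
    return hashlib.sha1(password.encode()).hexdigest()


if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    alice, bob = hash_password("correct horse"), hash_password("correct horse")
    print("salted records differ:", alice != bob)                # True
    print("alice verifies:", verify_password("correct horse", alice))  # True
    print("wrong password rejected:", verify_password("wrong", bob))   # False
    print("unsalted records equal:",
          unsalted_hash("correct horse") == unsalted_hash("correct horse"))  # True
```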


The salt may have been stored in a separate database table and not distributed with this list (if they were salted, which apparently they aren't).


No. I was just confirming that myself when I saw madsr's comment: http://news.ycombinator.com/item?id=4073454



