@Khan - eviltoast
  • 2 Posts
  • 11 Comments
Joined 1 year ago
cake
Cake day: June 30th, 2023

help-circle
  • It’ll be less secure.

    If they hash a subset, then those extra characters are literally irrelevant, since the hash algorithm will exclude them. Like if they just hashed the first 5 characters, then “passw” is the same as “password” and all those permutations. Hashing is safe because it’s one-way, but simple testing on the hashing algorithm would reveal certain characters don’t matter.

    Protecting a smaller subset of characters in addition to the whole password is slightly better but still awful. Cracking the smaller subset will be significantly easier using rainbow tables, and literally gives a hint for the whole password, making a rainbow table attack significantly more efficient. Protecting the whole thing (with no easy hints) is way more secure.

    It also adds nothing to keylogging, since it’s not even a new code, it’s part of the password.

    There was a time where that level of security was acceptable, and it still could be ok on a closed system like an ATM, as the other reply to my comment pointed out, but this kind of protection on a standard computer is outdated and adds holes.




  • I have never heard of anything secure doing that. Assuming they have taken security steps, it would mean they recorded those characters in plaintext when you set your password, but that means that at least those characters aren’t secure, and a breach means some hacker has a great hint.

    When the hashing occurs, it happens using the code you downloaded when you visit the site, so it’s your computer that does the hash, and then just the hash is sent onwards, so they can’t just pull the letters out of a properly secure password.

    A secure company would use two-factor authentication to verify you above and beyond your password, anyway, since a compromised password somewhere else automatically compromises questions about your password.



  • You can go into your account and under two-step, generate a one-time code. Store that code somewhere secure, like a note in your password manager if you trust it with both steps, and you can do it.

    Pretty sure Google authenticator will have something equivalent but likely more secure, but haven’t used it.








  • Yes and no.

    Structurally, it’ll remain decentralized, so one clear advantage here is that if the admins of a very large instance start trying something, my current understanding of how this works would let users ignore them. They don’t control account creation, since any federated instance can see everything, so there’s no meaningful way to actually block someone, they can make a new account and the rogue instance has no further powers to stop individuals. They could block whole instances that don’t conform, but unlike Reddit, that doesn’t get rid of them. Instead, it fractures the communities, which hurts everyone. In that case, a user protest wouldn’t be a blackout like Reddit had, it would be a migration to another instance, and if other instances blocked them back, replacement communities would form.

    Of course, this is a double-edged sword, it’s harder for Lemmy to permanently end communities of hate and others that deserve permanent bans, as is always the case with decentralized authority, but that’s the tradeoff.