by ndrake 2759 days ago
From https://www.dell.com/customerupdate

What is a “hashed password”? Hashing is a cryptographic security mechanism, similar to encryption, that scrambles customers’ passwords into an unreadable format. Dell ‘hashes’ all Dell.com customer account passwords prior to storing them in our database using a hashing algorithm that has been tested and validated by an expert third-party firm. This security measure limits the risk of customers’ passwords being revealed if a hashed version of their password were to ever be taken.

2 comments

Bleh. Maybe it's too much to hope for a company like that to give any specifics but that's pretty empty by itself. I mean, great, they didn't use plain text(!), but "MD5 with no salt" would fit that blurb just fine too. I really hope Dell was properly using an adaptive hash, but usually when companies do a good job there they want to tout it because it does in some small way show they care somewhat despite the breach. Even if it should be the norm saying "we used bcrypt with 65k+ rounds" or whatever is legitimately reasonable to put in there.
It seems like they could add a parenthetic which is more specific to help those of us who actually understand the question gauge for others who ask.

As it stands, if my mother asked whether this means her password is protected, my answer realistically is "No". Her passwords are not great (it is, after all, not a great sign that I'm saying "her passwords" meaning I know what they are) but they're not in the Pwned Passwords list, for example; still, a reasonable brute force of MD5 would get most of them. Whereas if they said they had even a crummy salted and pessimised hash, say PHK-MD5-crypt, I'd feel comfortable saying that "Yes", nobody is going to break her password. Which isn't to say nobody could in theory, just that salt means they'd need to target her and pessimisation means it'd cost money, and so why her?

I guess the reason not to is that it invites Monday Morning Quarterbacks. "Oh, why did they use PBKDF2 with this many rounds? Why not Bcrypt? Why not Argon2?" and so on.
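The distinction the comment draws, as an added example that is not code from the thread or from Dell: an unsalted single MD5 (which would satisfy Dell's "hashed" wording) beside a per-user-salted PBKDF2 record with its cost parameter stored alongside it, plus a constant-time verify. The sample passwords and the iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample passwords (two users happen to share one).
SAMPLE_PASSWORDS = [b"Summer2018!", b"Summer2018!", b"correct horse"]


def unsalted_md5(password: bytes) -> str:
    """The weak scheme the comment worries about: one fast hash, no salt.
    Identical passwords give identical digests, so a single precomputed
    table or brute-force pass covers every user who chose that password."""
    return hashlib.md5(password).hexdigest()


def pbkdf2_store(password: bytes, iterations: int = 200_000,
                 salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow hash. The record carries algorithm,
    iteration count and salt ('pbkdf2_sha256$iter$salt$hash') so the cost
    can be raised later without guessing how old rows were produced."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: bytes, stored: str) -> bool:
    """Recompute with the parameters embedded in the record and compare in
    constant time, so the comparison does not leak how many bytes matched."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password, bytes.fromhex(salt_hex),
                             int(iters), dklen=32)
    return hmac.compare_digest(dk.hex(), dk_hex)


def distinct_digests(hasher, passwords) -> int:
    """How many different stored values a list of passwords yields; with a
    per-user salt, even the two identical passwords come out different."""
    return len({hasher(p) for p in passwords})
```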

They've provided some pretty reasonable information.

Not just, your account details are safe.

To me, it looks like just 'Your account details are safe.'

> Additionally, Dell cybersecurity measures are in place to limit the impact of any potential exposure. These include the hashing of our customers’ passwords and a mandatory Dell.com password reset.

Hashed, how? Still using MD5? Is there even a salt?

Verified, by whom? Tim's brother-in-law's new startup who have no security expert staff? Verified as in had the encryption technique tested for collisions? That Dell were using it in the correct manner? Or just, 'Hey, I know that library, it works if you use it right.'

> Dell also retained a digital forensics firm to conduct an independent investigation

Who? Is this just someone who will tick boxes? Or is it a group who know what they're doing? Or were they just hired by marketing based on a pretty website?

> We are disclosing this incident now based on findings communicated to us by our independent digital forensics firm about the attempted extraction.

Wait... This investigation has already been done? Okay... They would have told you a hell of a lot more than you're telling us... So we can't look forward to more information?

> Though it is possible some of this information was removed from Dell’s network, our investigations found no conclusive evidence that any was extracted.

> Credit card and other sensitive customer information was not targeted.

One cannot be said conclusively, whilst the other can... Why? Tell us that CC data is kept separately, and tell us it is safe too. Just saying it's hashed doesn't mean bupkus, so feel free to say it publicly, you reveal nothing about your security features.

> The potentially extracted customer information is limited to names, email addresses and hashed passwords. There is no conclusive evidence any customer information was extracted. Additionally, Dell cybersecurity measures are in place to limit the effects of a potential exposure.

What additional cybersecurity measures? If the data is gone, it's in the wind. Names, and emails and possibly-breakable passwords. Are you talking about how you closed the hole? Then say how you accidentally exposed your victims.

---

Finally, before anyone says that this is an excessive amount of information for Dell to give out... It's what other tech companies relay in their post-mortems. [0]

All this is, is Dell admitting they had a problem. Not saying what that problem was, and not saying what they're doing to prevent it in future. And assuring their victims that they're taking care of them, despite their victims possibly sitting on lost information (a password, possibly in the wild) for nearly a month.

[0] https://github.com/danluu/post-mortems