by xoa
2759 days ago
Bleh. Maybe it's too much to hope for a company like that to give any specifics, but that's pretty empty by itself. I mean, great, they didn't use plain text(!), but "MD5 with no salt" would fit that blurb just fine too. I really hope Dell was properly using an adaptive hash, but usually when companies do a good job there they want to tout it, because it does in some small way show they care somewhat despite the breach. Even if it should be the norm, saying "we used bcrypt with 65k+ rounds" or whatever is legitimately reasonable to put in there.

As it stands, if my mother asked whether this means her password is protected, my answer realistically is "No". Her passwords are not great (it is, after all, not a great sign that I'm saying "her passwords" meaning I know what they are), but they're not in the Pwned Passwords list, for example; still, a reasonable brute force of MD5 would get most of them. Whereas if they said they had even a crummy salted and pessimised hash, say PHK-MD5-crypt, I'd feel comfortable saying "Yes", nobody is going to break her password. Which isn't to say nobody could in theory, just that salt means they'd need to target her and pessimisation means it'd cost money, and so why her?
I guess the reason not to is that it invites Monday Morning Quarterbacks. "Oh, why did they use PBKDF2 with this many rounds? Why not bcrypt? Why not Argon2?" and so on.