Hacker News
by cristoperb 2487 days ago
I'm one of them :/

The haveibeenpwned description says password hashes are md5, which sucks. But phpBB has used bcrypt by default since version 3.1 (2014)... I wonder if all the hashes are md5 or only those for older accounts?

https://haveibeenpwned.com/PwnedWebsites#XKCD

2 comments

Impacted as well, but I'm happy to be part of it. Either they'll crack an old password or, more likely, this is a new-style password and they waste a lot of cracking time on it. Using a password manager for everything except a few offline things and my bank account was definitely the right move.
What do you use for your bank account?
Same as for my master password: a randomly generated, memorized password.

The trick to remembering them is to use them regularly. This is also why I don't use a passphrase: a password is much shorter and less frequently typo'd, thus less annoying for frequent use.

phpBB... I wonder how many of those accounts are just fake spam bot accounts.