by eeZah7Ux
2306 days ago
k-Anonymity is not particularly clever. Every time you use a cryptographic hash to look something up you have a tradeoff around the length of the hash. A long hash will identify your password very precisely. A very short hash, e.g. down to 1 byte, will have so many matches as to be useless.

Cloudflare chose:

> For example; the Hash Prefix 21BD1 contains 475 seemingly unrelated passwords, including:

...and this allows attackers to easily create a list of short hashes of common passwords and try them against matching accounts, as they point out:

> It is important to note that where a user's password is already breached, an API call for a specific range of breached passwords can reduce the search candidates used in a brute-force attack
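Added example (not part of the comment above, and not Cloudflare's or any API's own code): the prefix-length tradeoff the comment describes, measured as the size of the anonymity set on a constructed corpus. It assumes SHA-1 hex digests as the hash; `make_corpus`, `anonymity_set` and `bucket_stats` are hypothetical helper names and the corpus is synthetic.

```python
import hashlib
from collections import Counter


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest (assumed hash for this illustration)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def make_corpus(n: int) -> list[str]:
    """Constructed stand-in for a breach corpus: n distinct synthetic strings."""
    return [sha1_hex(f"constructed-password-{i}") for i in range(n)]


def anonymity_set(hashes: list[str], target_hash: str, prefix_len: int) -> int:
    """How many corpus entries share the first prefix_len hex chars with the
    target. This is the 'k' a client hides in when it reveals that prefix."""
    prefix = target_hash[:prefix_len]
    return sum(1 for h in hashes if h.startswith(prefix))


def bucket_stats(hashes: list[str], prefix_len: int) -> dict:
    """Bucket the whole corpus by prefix and summarise the bucket sizes."""
    buckets = Counter(h[:prefix_len] for h in hashes)
    sizes = buckets.values()
    return {
        "prefix_hex_chars": prefix_len,
        "bits_revealed": 4 * prefix_len,   # each hex char discloses 4 bits
        "buckets": len(buckets),
        "min": min(sizes),                 # worst-case anonymity set
        "max": max(sizes),
        "mean": len(hashes) / len(buckets),
    }


if __name__ == "__main__":
    corpus = make_corpus(50_000)
    # From a 1-char prefix (huge buckets, little leaked) to the full
    # 40-char hash (bucket of one, the entry is identified exactly).
    for k in (1, 2, 3, 5, 8, 40):
        print(bucket_stats(corpus, k))
```

The `min` column is the figure to watch when choosing a prefix length: once it approaches 1, revealing the prefix is close to revealing the full hash.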