by Others
2202 days ago
I feel like hashed passwords are somewhere in between “completely okay to publish” and secret. With good crypto, it should be difficult to make a password hash useful even if it is public. (Although weak passwords can make this worse if salts are also made public.) However, as part of a defense in depth strategy, you probably don’t want to release them publicly. I feel like there are different levels of secrecy at play here. I think the article means things more like ssh keys or api keys specifically.
This is different from a public key - it's unfeasible to derive a secret key from a public key.
It's by design trivial to verify a correct password guess against a salted hash.
In general, you won't have a lot of candidate secret keys to try against public keys - but all you need to get candidate passwords is to offer up a service that "checks if your password is secure/compromised/etc".
You might not crack root@box, but can easily verify that you have access to ceo@box...
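As an added illustration of the point both comments make (this is not code from either commenter): a salted hash is trivially verifiable by design, so the only thing standing between a leaked hash and a weak password is the per-guess cost of the hash function. The example assumes PBKDF2-SHA256 with 600,000 iterations as the work factor; `hash_password`, `verify_password` and `cost_per_guess` are hypothetical names.

```python
# Added example: salted, deliberately slow password hashing, and a timing
# probe showing what the work factor buys once salt and hash are public.
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

ITERATIONS = 600_000  # assumption: a PBKDF2-SHA256 work factor, not from the thread


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes, int]:
    """Return (salt, digest, iterations) for storage.

    A fresh random salt per user means equal passwords hash differently and a
    leaked table cannot be attacked with one precomputed lookup for all users.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest, iterations


def verify_password(password: str, salt: bytes, digest: bytes, iterations: int) -> bool:
    """Checking a guess is easy by design: recompute with the stored salt and
    compare in constant time. Nothing here is secret except the password."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def cost_per_guess(iterations: int, samples: int = 3) -> float:
    """Seconds one verification takes at this work factor. This bounds how
    many candidate passwords per second a leaked (salt, hash) pair can be
    tested against, which is why the iteration count matters for weak passwords."""
    salt = b"\x00" * 16  # constructed salt, used for timing only
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"timing-probe", salt, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    salt, digest, iters = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", salt, digest, iters))  # True
    print(verify_password("password123", salt, digest, iters))                   # False
    fast, slow = cost_per_guess(1), cost_per_guess(ITERATIONS)
    print(f"1 iteration: {fast * 1e6:.1f} us/guess; "
          f"{ITERATIONS} iterations: {slow * 1e3:.1f} ms/guess")
```

The ratio printed at the end is the whole argument: the defender chooses the per-guess cost, and a strong unique password multiplies it by the size of the search space.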