by k7sune 1299 days ago
How does LastPass implement their security challenge, where they rate your passwords and compare them to known mass password leak incidents? Does that require an upload of plaintext passwords to the server?
3 comments

Oh like 1st interview question is: "What's your password?".

A few jobs ago I needed some IT help and the guy asked me that. I told him my very vulgar password loudly. Then went back to my desk and changed it.

Not sure why you would think that was necessary or at all likely. We have these things called hashes...
That doesn't explain anything. They shouldn't be uploading unsalted hashes either, and if it's salted, it won't match with any database.
True, the best solution is to download the list of hashed "bad passwords" and check if the one entered matches against that.
If a salted hash is leaked then it doesn't matter and does not need to be detected anyway.
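The two comments above hinge on one mechanical point: a breach list is only useful for lookup if the candidate is hashed exactly the way the list was built (unsalted), which is also why a per-user salted digest never matches. The following is an added example, not code from the thread or from LastPass, that shows both behaviours with a small constructed breach list, plus a hash-prefix range query (the client sends only the first five hex characters of the digest and matches the returned suffixes locally), which goes beyond what the thread describes. All function names and the sample list are assumptions made for this illustration.

```python
import hashlib

# Constructed stand-in for a downloaded list of leaked passwords. Real lists
# are distributed as unsalted digests of the plaintexts so that anyone can
# check locally without revealing what they are checking.
LEAKED_PLAINTEXTS = ["password", "123456", "letmein", "qwerty"]  # constructed
LEAKED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in LEAKED_PLAINTEXTS}


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest, uppercased to match the list's convention."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def is_leaked_local(password: str, leaked_hashes=LEAKED_SHA1) -> bool:
    """Offline check: hash the candidate the same way the list was built and test membership.
    Nothing leaves the machine; only the list had to be downloaded."""
    return sha1_hex(password) in leaked_hashes


def salted_sha1_hex(password: str, salt: bytes) -> str:
    """Per-user salted digest, the form a service would store for authentication."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest().upper()


def is_leaked_salted(password: str, salt: bytes, leaked_hashes=LEAKED_SHA1) -> bool:
    """Illustrates the objection in the thread: a salted digest never matches an
    unsalted breach list, so salted hashes cannot be used for this lookup."""
    return salted_sha1_hex(password, salt) in leaked_hashes


# --- Hash-prefix range query (hypothetical server and client) -----------------
PREFIX_LEN = 5  # assumption: client reveals only 5 hex chars (20 bits) of the digest


def server_range(prefix: str, leaked_hashes=LEAKED_SHA1) -> list:
    """Server side: return every suffix in the list whose digest starts with `prefix`.
    The server learns a 20-bit prefix, never the full digest or the plaintext."""
    prefix = prefix.upper()
    return sorted(h[PREFIX_LEN:] for h in leaked_hashes if h.startswith(prefix))


def check_via_prefix(password: str) -> bool:
    """Client side: compute the digest locally, send the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    candidates = server_range(prefix)  # in practice an HTTPS call; simulated here
    return suffix in candidates


def audit_vault(vault: dict) -> dict:
    """Rate every entry of a (constructed) vault locally; only booleans come out,
    never plaintext, which is the property the question in the thread is after."""
    return {site: is_leaked_local(pw) for site, pw in vault.items()}


if __name__ == "__main__":
    vault = {"mail": "password", "bank": "xyzzy-unique-42"}  # constructed
    print(audit_vault(vault))                                   # {'mail': True, 'bank': False}
    print(is_leaked_salted("password", b"per-user-salt"))       # False: salted never matches
    print(check_via_prefix("123456"), check_via_prefix("xyzzy-unique-42"))  # True False
```

The local-list and prefix-query variants answer the original question differently: the first needs the whole list on the client, the second needs a server but discloses only a short prefix. Neither requires sending the plaintext, and neither can work with salted hashes, which is the point the two comments above are making.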
Doesn't it run zxcvbn to calculate the score on the logged-in client?