by rlpb 5054 days ago
You receive an email from a sheepish website owner admitting that your password has been compromised and asking you to change it. Now what do you do?
2 comments

Add a counter. For a nice discussion on a few of the tradeoffs involved in such a system as this, see this thread:

http://www.mail-archive.com/cryptography@randombit.net/msg02...

So for this example, instead of:

  (sha512sum ~/.salt -<<<www.example.com;sha512sum -)|cut -d\  -f1|sha512sum|cut -c-32

e.g.:

  (sha512sum ~/.salt -<<<www.example.com0;sha512sum -)|cut -d\  -f1|sha512sum|cut -c-32

which can be changed to:

  (sha512sum ~/.salt -<<<www.example.com1;sha512sum -)|cut -d\  -f1|sha512sum|cut -c-32

You can "rediscover" the correct password for a site relatively easily by using this method -- iterating up to your current (correct) password. Another alternative might be using the year or month/year of the last password change/set... all these methods have drawbacks -- but again, see the thread for some interesting points on a similar system.

[edit: typo/formatting]
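Added example, not the commenter's code: the same salt + site + counter + master-password pipeline as above, wrapped in functions, plus the "iterate the counter until the site accepts the password" loop the comment describes. The salt file contents, the site name, the master password and the digest the site is assumed to store are all constructed for the demo; here-strings are replaced by `printf ... |` so it runs under plain sh as well as bash.

```shell
#!/bin/sh
# Counter-based site-password derivation (added example, not from the thread).
# Requires coreutils sha512sum and cut.
set -eu

# Constructed stand-in for ~/.salt so the demo does not touch $HOME.
SALTFILE=$(mktemp)
trap 'rm -f "$SALTFILE"' EXIT
printf 'demo-salt-not-for-real-use\n' > "$SALTFILE"

# derive SALTFILE SITE COUNTER MASTER -> 32 hex characters
# Same shape as the comment's pipeline: digest the salt file and the
# "<site><counter>" string, digest the master password, keep only the hex
# digests, digest that list once more and truncate to 32 characters.
derive() {
  local saltfile="$1" site="$2" counter="$3" master="$4"
  {
    printf '%s\n' "${site}${counter}" | sha512sum "$saltfile" -
    printf '%s\n' "$master" | sha512sum -   # stands in for typing the password
  } | cut -d' ' -f1 | sha512sum | cut -c-32
}

# site_register PASSWORD -> the digest a (simulated) site stores for it.
site_register() {
  printf '%s\n' "$1" | sha512sum - | cut -d' ' -f1
}

# site_check STORED PASSWORD -> exit 0 if the site would accept PASSWORD.
site_check() {
  [ "$(site_register "$2")" = "$1" ]
}

# find_counter STORED SITE MASTER MAX -> prints the first counter in 0..MAX
# whose derived password the site accepts; exit 1 if none does.
find_counter() {
  local stored="$1" site="$2" master="$3" max="$4" i=0 pw
  while [ "$i" -le "$max" ]; do
    pw=$(derive "$SALTFILE" "$site" "$i" "$master")
    if site_check "$stored" "$pw"; then
      printf '%s\n' "$i"
      return 0
    fi
    i=$((i + 1))
  done
  return 1
}

# Walk-through: rotate twice after breach notices, then rediscover the counter.
main() {
  local site=www.example.com master='correct horse battery staple' stored i
  for i in 0 1 2; do
    printf 'counter %s: %s\n' "$i" "$(derive "$SALTFILE" "$site" "$i" "$master")"
  done
  # Assume the site currently holds the counter-2 password.
  stored=$(site_register "$(derive "$SALTFILE" "$site" 2 "$master")")
  printf 'rediscovered counter: %s\n' \
    "$(find_counter "$stored" "$site" "$master" 10)"
}

main
```

Note what the loop costs: every attempt is a real login, so with a lockout policy the "rediscover" step is bounded by how many wrong guesses the site tolerates, and the counter is best written down (it is not secret) rather than searched for.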

Usually I just delete my account.