[Robin_Message]

It matters a great deal (well, not to me, I don't use the service). Password reuse is common, and the way to fix that is good quality password hashing. If I used OVH, I'd need to change my password everywhere now.

If I used someone competent (i.e. they still have bugs but they use bcrypt), they'd have lost: $2a$10$NkYCXBjWeVP0rJUlfl0VL.d66EvJjbVUA/YEsmBSyTZOnbY0/anxa which is a bcrypt hash of my most secure password.

I'm happy to publish that. The salted SHA-512? Not so much!

[Tobu]

Password reuse is still bad, your password doesn't have to be breached through a database dump. You could be accessing a compromised site, or get caught by any number of network attacks from stripping to mixed scripting to dumping a stream that doesn't have forward secrecy. https://www.imperialviolet.org/2012/07/19/hope9talk.html

[Robin_Message]

My point was, if they hash properly, a simple db dump is not a big deal (although obviously considering the password compromised is sensible, and password reuse is a bad idea which is not a proof people don't do it).

I'm signing out of this thread as my point seems to have been lost somewhere. Thanks for the interesting link though.

[makira]

Password reuse is a really bad idea, regardless of how the password is stored. Depending on how the server is comprised, your password could be intercepted before it is hashed. Don't reuse passwords for sensitive stuff.

[Robin_Message]

And yet.

[eli]

No, the password should now be considered compromised regardless of how it was hashed and regardless of how many other sites you used it on and how annoying it would be to change them all.

[agsamek]

> I'm happy to publish that

foolhardiness is not bravery ;)

[pavs]

$2a$10$NkYCXBjWeVP0rJUlfl0VL.d66EvJjbVUA/YEsmBSyTZOnbY0/anxa == hunter2