Hacker News new | ask | show | jobs
by Nogwater 4225 days ago
I don't think that's necessarily true. Let's say they have all of the passwords stored as bcrypt hashes, and they also know the last time you changed your password. They could just update the application logic to check that your password is of the form <pw><pw> if your last change date is before X. Then to check the password, they just take the first half and check that against the hash.
5 comments
oxryly1 4225 days ago
So, in other words, this is an elaborate prank?
link
tlrobinson 4225 days ago
It's a moderately aggressive way to get people to change their passwords (more aggressive than an email or prompt, less aggressive than forcing upon login)
link
oxryly1 4224 days ago
If that happened to me I'd just keep the doubled password. It seems more secure (it's not), and I already remember it.

This approach just seems dumb.

link
StavrosK 4225 days ago
This would break passwords like "foofoo", since they'd think it was already doubled, they'd check "foo" against the hash and it would fail. Then again, you can get around that with doubling it again after checking, so I don't know.
link
azernik 4225 days ago
Why is this a problem? If your password is "foofoo" and was set after the cutoff, then it won't be halved; if it is "foofoo" and was set before the cutoff, it will be halved, and then not match the password in the database, as intended.
link
rafekett 4225 days ago
this, i'm not sure why it is hard to see that this is easy to implement without storing passwords in plaintext.
link
StavrosK 4225 days ago
You have to have stored the last password change date, which many systems don't do.
link
jtheory 4224 days ago
If they didn't before, they can start storing it to implement this.
link
semanticist 4223 days ago
Passwords prior to the doubling were a fixed length, so they could always assume the first eight characters of a 16 character password (which hasn't been changed manually) is the original password.

Of course, anyone who has a leak of the original passwords can equally just send a a double of it, so I'm not sure what benefit this is supposed to be offering.

link
cheez 4225 days ago
Yep, basically:

    if(userHasUpdatedPw) { checkPw(hash(pw)) }
    else{ checkPw(hash(pw+pw)) }
link
saifelse 4225 days ago
More like:

    if(userHasUpdatedPw) { checkPw(hash(pw)) }
    else{ checkPw(hash(assertDoubledAndTakeHalf(pw)))}
link
cheez 4224 days ago
Probably
link
Aldo_MX 4225 days ago 

  "password123password123".match(/^(.+)\1$/)[1]
link
pwr22 4225 days ago
Oh God...
link