[flagged] Show HN: A dating app that matches people based on their password (wordsofheart.com)
38 points by kazet on Feb 1, 2018 | 46 comments

This is a fascinating premise. I wonder what "02rcV@gwBiE14N2e" says about me...

It should go without saying, but don't use your regular password for this site. There's no way they're using a unique salt for every password in their database, because otherwise it'd be impossible to match people based on the password. Without a unique salt, they're much more vulnerable to a rainbow table attack.

Yes, I am not using salt to decrease the time complexity of matching people. And I do agree that using your regular password here is a terrible idea :-)

Wouldn't that effectively render the whole 'matching people based off the passwords they hold dear' premise pointless then?

It is an interesting premise but the more I think about it, the less I am impressed by the password aspect. I feel as if this reduces to the N = 1 case of: Ask N questions to all participants, match those that answer similarly for the most questions.

Why would you only ask a single question to determine best matches? And why would that question be of your password? Taking into account more information can only be better for matching people, right?

That’s basically the concept of OKCupid. Unless they’ve changed it in the last ten years or so.

What is a "regular password" in this context? For anything I'm concerned for the security of, I use a unique password, and for other things (accounts for job applications, my accounts on sites like Duolingo, Coursera, and others that I don't spend money on), I use the same password. I can't think of why I'd reuse a password for an account I actually care about.

It says that you use a password manager and did not try to invent a slick password to be someone else.

So if you also were a woman in her 30s to 40s, fair hair, sporty, liked art and science, did not like to travel, liked spending time with friends or code - you would be a great match.

Otherwise nice password!

They could definitely use a unique salt if they just check for matches on registration, login, or password change (when they have it in plain text). Still insecure because then you have the info that two different salted passwords have the same plaintext.

But then what would they match it against?

It seems to be looking for exact matches only, so a linear search against the entire user list should be fine, and should quite comfortably be adequate even for thousands of users, depending on hashing algorithm.

But the rest of the passwords wouldn't be in plain text...

But you know the password that has just been entered. Iterate over every hashed password. Hash the plaintext password you know, using the salt from the hashed password. If it's a match, record that the 2 users matched. Loop to next hashed password.

If they were plaintext it wouldn't need a linear search because the column could be indexed.

Hashed and salted.
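
The matching strategy sketched in the comments above (salt per user, re-derive the just-entered plaintext under every stored salt) beside the unsalted store the site's author admits to using, as an added example that is not the site's code and was not posted by any commenter. The KDF choice, iteration count, sample users and wordlist are all constructed for the demo, and the offline-attack functions show why the thread keeps bringing up salts: without them, one digest per guessed word cracks the whole dump at once.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Added example, not wordsofheart.com's code. The work factor is an
# assumption chosen to keep the demo fast; use a real one in production.
KDF_ITERATIONS = 20_000


def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


class UnsaltedStore:
    """One global (empty) salt, as the site's author says he does.

    Equal passwords give equal digests, so an index on the digest column
    answers "who else has my password?" in a single lookup. The same property
    lets anyone holding the dump answer it for every user with one table.
    """

    def __init__(self) -> None:
        self.users_by_digest: dict[bytes, list[str]] = defaultdict(list)

    def register(self, user: str, password: str) -> list[str]:
        digest = derive(password, b"")
        matches = list(self.users_by_digest[digest])
        self.users_by_digest[digest].append(user)
        return matches


class SaltedStore:
    """Random 16-byte salt per user.

    Matching is still possible, but only while the plaintext is in hand
    (registration or login): re-derive it under every other user's salt and
    compare. That costs O(users) KDF calls per check instead of an index hit,
    and the server still learns which users share a plaintext.
    """

    def __init__(self) -> None:
        self.records: dict[str, tuple[bytes, bytes]] = {}

    def register(self, user: str, password: str) -> list[str]:
        matches = [
            other
            for other, (salt, digest) in self.records.items()
            if hmac.compare_digest(derive(password, salt), digest)
        ]
        salt = os.urandom(16)
        self.records[user] = (salt, derive(password, salt))
        return matches


def crack_unsalted(store: UnsaltedStore, wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Offline attack on a dump: one digest per word cracks every user at once."""
    recovered: dict[str, str] = {}
    kdf_calls = 0
    for word in wordlist:
        kdf_calls += 1
        for user in store.users_by_digest.get(derive(word, b""), []):
            recovered[user] = word
    return recovered, kdf_calls


def crack_salted(store: SaltedStore, wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Same attack against per-user salts: the table must be rebuilt per user."""
    recovered: dict[str, str] = {}
    kdf_calls = 0
    for user, (salt, digest) in store.records.items():
        for word in wordlist:
            kdf_calls += 1
            if hmac.compare_digest(derive(word, salt), digest):
                recovered[user] = word
                break
    return recovered, kdf_calls


# Constructed sample data for the demo (not real users or passwords).
SAMPLE_USERS = [("alice", "password"), ("bob", "hunter2"), ("carol", "password")]
WORDLIST = ["123456", "password", "qwerty", "hunter2"]


def demo() -> dict:
    """Register the sample users in both stores, then attack both dumps."""
    unsalted, salted = UnsaltedStore(), SaltedStore()
    matches = {}
    for user, pw in SAMPLE_USERS:
        matches[user] = (unsalted.register(user, pw), salted.register(user, pw))
    return {
        "matches": matches,
        "unsalted_attack": crack_unsalted(unsalted, WORDLIST),
        "salted_attack": crack_salted(salted, WORDLIST),
    }


if __name__ == "__main__":
    from pprint import pprint

    pprint(demo())
```

Both stores report the same match (carol pairs with alice), so per-user salts do not break the site's premise; they only move the cost from an index lookup to a KDF call per existing user. Note the shared weakness either way: the match result itself records that two users hold the same plaintext, and the operator sees the plaintext at every login.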

Does this mean people using password generators will never meet anyone?

You can have security or a date, but not both.

The Romantic Uncertainty Principle

If you have a 'regular password' it's already game over.

So if I match with someone we now both know each other's passwords?

This ensures you can never ever break up.

Meant to be! Also trust!

This would be a great addition to my other sites. One finds matches based on your mother's maiden name, and the other finds matches based on your social security number.

This submitter has basically no history on this site. Smells like a honeypot to me.

His only previous submission was https://web.archive.org/web/20150203155420/http://loseyourbi...

which seems to be a cheap (albeit honest) trick to get money out of people, so it's quite plausible that this project is simply a cheap trick to get passwords out of people.

Hopefully it comes with a followup blog post with some interesting analysis, although I'm not sure what the overlap is between "interesting" and "ethical" with a data set like this.

Hopefully it does not come with a followup blog post from somebody else who finds all the data up for sale on a darknet market...

You'd have to be a moron to use a password that you already use anywhere else. Then again, people are generally morons. (Or, more charitably, they know very little about technology and opsec. Granted, that doesn't seem to be the Hacker News target audience.)

You'd have to be a moron to use your password AND give some other information that can be traced back to you or your accounts by the creator; passwords by themselves are practically useless.

I think you'd have to be a moron to give your password even if you don't knowingly give some information that can be traced back to you.

Even if nothing at all traces it back to you, it would be easy to add every received password to a dictionary for later consultation.

But besides that, the data can be linked to you if you ever knowingly give any identifying data to another website that the attacker here has control over (or, at least, can observe). If he sets a cookie, or remembers your ip address, or your browser fingerprint, there's every chance that he might later be able to find out your real email address.

Do not give your real passwords to this site.

But that's the whole point of the site. If I enter a randomly-generated password, how's it supposed to match me with anybody?

You could use a password that you feel represents you despite being newly conceived.


You could use something akin to the principle behind the Socialist millionaires problem, to compare two values without revealing them to another party.
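
The comparison the comment above proposes, as an added example that is not the site's code and was not posted by any commenter: the core exchange of the socialist millionaires' protocol (the variant used in OTR), in which Alice and Bob each hold a secret and end up learning only whether the two are equal. The group parameters are the 1024-bit MODP group from RFC 2409 (assumed adequate for a demo), the hash-to-scalar step and the party/message layout are my own choices, and the zero-knowledge proofs OTR attaches to each message are deliberately left out.

```python
import hashlib
import secrets

# Added example. Parameters: RFC 2409 group 2 (1024-bit safe prime, g = 2),
# assumed here as a demo group; pick something larger for real use.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF",
    16,
)
Q = (P - 1) // 2  # order of the subgroup generated by G1
G1 = 2


def inv(x: int) -> int:
    return pow(x, -1, P)


def rand() -> int:
    """Random exponent in [1, Q-1]."""
    return secrets.randbelow(Q - 1) + 1


def secret_to_scalar(secret: str) -> int:
    """Map the secret (e.g. a password) to an exponent; my choice, not OTR's."""
    return int.from_bytes(hashlib.sha256(secret.encode("utf-8")).digest(), "big") % Q


class Party:
    """One side of the SMP. Every value returned by a roundN() method is
    what this party sends over the wire; nothing else leaves the party."""

    def __init__(self, secret: str) -> None:
        self.v = secret_to_scalar(secret)
        self.e2, self.e3 = rand(), rand()

    def round1(self) -> tuple[int, int]:
        # Contribute shares of two fresh generators g2 = g1^(a2*b2), g3 = g1^(a3*b3).
        return pow(G1, self.e2, P), pow(G1, self.e3, P)

    def receive_round1(self, g2_other: int, g3_other: int) -> None:
        self.g2 = pow(g2_other, self.e2, P)
        self.g3 = pow(g3_other, self.e3, P)

    def round2(self) -> tuple[int, int]:
        # Blind the secret: P = g3^k, Q = g1^k * g2^v for a fresh k.
        self.k = rand()
        self.p_mine = pow(self.g3, self.k, P)
        self.q_mine = pow(G1, self.k, P) * pow(self.g2, self.v, P) % P
        return self.p_mine, self.q_mine

    def round3(self, p_other: int, q_other: int) -> int:
        # R = (Q_mine / Q_other)^e3; the g2 term survives only if secrets differ.
        self.p_other = p_other
        ratio = self.q_mine * inv(q_other) % P
        return pow(ratio, self.e3, P)

    def verify(self, r_other: int) -> bool:
        # R_other^e3 == P_other / P_mine  iff  g2^((v_other - v_mine) * a3 * b3) == 1
        return pow(r_other, self.e3, P) == self.p_other * inv(self.p_mine) % P


def smp_match(secret_alice: str, secret_bob: str) -> tuple[bool, bool]:
    """Run the exchange between two parties; returns each side's verdict."""
    alice, bob = Party(secret_alice), Party(secret_bob)
    a_msg1, b_msg1 = alice.round1(), bob.round1()
    alice.receive_round1(*b_msg1)
    bob.receive_round1(*a_msg1)
    a_msg2, b_msg2 = alice.round2(), bob.round2()
    r_alice = alice.round3(*b_msg2)
    r_bob = bob.round3(*a_msg2)
    return alice.verify(r_bob), bob.verify(r_alice)


if __name__ == "__main__":
    print(smp_match("hunter2", "hunter2"))  # both sides agree: equal
    print(smp_match("hunter2", "Hunter2"))  # both sides agree: different
```

Two caveats that matter for the use case in this thread. Each run compares exactly one pair, so a server matching one newcomer against thousands of users would need a run per candidate, and the server is itself a party to every run. And because passwords are low-entropy, a counterpart who deviates from the protocol gets to test one guess per run; OTR's zero-knowledge proofs limit a cheater to that single guess, which is precisely what this stripped-down version does not enforce.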

Does this mean that they don't hash your passwords? They save it in plain text somewhere? ... Also, this is a terrible idea...

No, they can still hash it. Just not with unique salt, I believe.

I use entirely random, machine generated passwords. I assume my matches would also be similarly random?

Well, random only in the set of people who use machine generated password!

I don't care if it's a honeypot, it's the best laugh I had today. Also, I'd be so interested in a large-scale study if this single data point correlates with anything.

Soooooo... if people use their standard password on this you'll be able to login as them as soon as you get any personally identifiable info - like email or FB account, right?

This must be the first polyamory matchmaker. The '12345678' village and the 'password' megacity are waiting just around the corner.

In order to maximize my pool, should I choose 123... variants? Would I be lowering my chances of success by reducing the median quality of members?

Y'all could just use a previous password.

Can I have an app based on 23andme data already?

Are you trying to match against people who share your DNA? That doesn't sound like a brilliant idea!

Ha, no I was more thinking along the lines of a ML approach based on successful couples.

Seems like a really bad idea for a honeypot.

This website seems a little fishy.

I think you misspelled “phishy”.


camaro69... is that you???

