
> What matters is whether your users are using the same passwords across multiple services, services out of your control. But ATM no tech out there would allow you to test for this.

Checking against a list of known passwords from breaches does accomplish this, albeit with a high false positive rate.
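One way to implement the breach-list check described above, written as an added example for this thread rather than code from any commenter or project: a k-anonymity range query in the style of the Pwned Passwords API, where the client hashes the password locally, sends only the first five hex characters of the SHA-1 digest, and matches the returned suffixes itself, so the server never learns the full hash. The breach corpus and its occurrence counts are constructed inline so the code runs offline, and the names `range_query`, `breach_count` and `is_acceptable` are assumptions, not a real API.

```python
import hashlib

PREFIX_LEN = 5  # hex chars sent to the server: 20 bits of the 160-bit SHA-1


def sha1_upper(password: str) -> str:
    """SHA-1 hex digest in uppercase, the form breach-corpus range files use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample corpus: {SHA-1 hex digest: occurrence count}.
# The passwords are well-known weak ones; the counts are made up for this
# example and are not real breach statistics.
BREACHED_COUNTS = {
    sha1_upper("password"): 3861493,
    sha1_upper("123456"): 23597311,
    sha1_upper("letmein"): 236000,
    sha1_upper("qwerty"): 3946737,
}


def range_query(prefix: str) -> list[tuple[str, int]]:
    """Server side: return (suffix, count) for every corpus hash that starts
    with `prefix`. Only the 5-char prefix ever crosses the wire, so the server
    cannot tell which of the returned candidates (if any) the client holds."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return [
        (digest[PREFIX_LEN:], count)
        for digest, count in BREACHED_COUNTS.items()
        if digest.startswith(prefix)
    ]


def breach_count(password: str) -> int:
    """Client side: hash locally, query by prefix, compare suffixes locally.
    Returns how often the password appears in the corpus, 0 if never."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for candidate_suffix, count in range_query(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def is_acceptable(password: str) -> bool:
    """Policy: reject any password seen in a breach, however rarely.
    Note the limitation raised later in the thread: a password reused across
    sites that have never leaked is absent from the corpus and passes here
    (a false negative), so this check complements, not replaces, unique
    per-site passwords."""
    return breach_count(password) == 0


if __name__ == "__main__":
    for pw in ("password", "qwerty", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw)} times, accepted={is_acceptable(pw)}")
```

The 5-character prefix is the trade-off the real range-query design makes: it keeps the client's hash private among roughly a million possible full hashes per bucket while keeping each server response small. Any password reused across sites but never leaked still comes back with a count of 0, which is the false-negative case discussed below.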
Does it? If I have used the same password at a dozen sites, and none of those sites have ever suffered a public breach, then my password isn't in any public database.[1] So you will also have a high false negative rate, something far more dangerous than false positives.

I don't think I'm alone in using passwords across multiple sites. Everyone here lives in that glass house.


> and none of those sites have ever suffered a public breach

Yet. That you know of.

> Everyone here lives in that glass house.

No, some of us use password manager software for exactly this reason - so we don't use the same password across multiple accounts and have a smaller blast radius when/if a password is compromised.


Lol, until your password manager suffers a breach. Even without a full breach of data, if your password manager's password creation algorithm is made public then your passwords are just as open as anyone else's, perhaps more so. Managers are better, but they aren't the home run people think they are.


You realize there are password managers that aren't cloud based? Also, even if cloud based, they offer TFA. Some offer automatic password rotation/update for your sites. I don't see how the creation algorithm being made public would make my data "just as open as anyone else's, perhaps more so"?
