This is a serious breach and I'd suggest "gloss over" does not characterize Reddit's statement appropriately.
Given how the report is structured, it seems like the amount of leaked data is purposefully being hidden behind red herring info about SMS 2FA that is not important to users who want to know where they stand.
When this DB is leaked, there should be more than enough weak passwords to both pwn and dox many, many reddit users. Do we know the encryption scheme reddit used to encrypt their password database involved in the leak?
Also, how is it that Reddit gained a head of security 2.5 months ago? Who was in charge of this prior to that date?
While not unexpected, it is very bad for these users. This salt will do nothing to stop a cracking effort. A system with pairs of GTX 960 and GTX 1060 cards can easily check 12 billion hashes a second. This database is hosed.
"""If reallyrandom = False, generates a random alphanumeric string
(base-36 compatible) of length len. If reallyrandom, add
uppercase and punctuation (which we'll call 'base-93' for the sake
of argument) and suitable for use as salt."""
The function has specifically a flag for use as salt, but the hashing code does not actually use it. Whoops. Of course the loss here is not really that significant (~4bits of entropy), but I find it still bit funny.
Picking on the code bit more while we are at it, random.choice that randstr uses is of course not backed by CSPRNG so its not ideal for salts. Although I would be shocked if attackers would be able to exploit that in any way.
Kinda interesting is how they decided on specifically 3 characters for salt, which seems really low. Its not like the characters cost anything, why not 30 characters instead?
I used "gloss over" because I wanted to give them the benefit of the doubt. I can see an argument that 99.9% of the users are going to just care about what user information was stolen.
However, the fact that private messages were stolen is... I mean, it is just mind boggling to me. There has to be so much shit in there.
Given how the report is structured, it seems like the amount of leaked data is purposefully being hidden behind red herring info about SMS 2FA that is not important to users who want to know where they stand.
When this DB is leaked, there should be more than enough weak passwords to both pwn and dox many, many reddit users. Do we know the encryption scheme reddit used to encrypt their password database involved in the leak?
Also, how is it that Reddit gained a head of security 2.5 months ago? Who was in charge of this prior to that date?