
Isn't there a massive security concern in exposing the username of whom you share a password with?

I type `password123` or a range of other passwords, find a silly user using that, try every other major account provider with the username/password, and I have access to that person's account?

It's also often not difficult to guess someone's email address from their username (to find more logins) since there are only a few major providers, which such a silly user would definitely use.




> Isn't there a security concern in exposing the username of who you share a password with?

Yes, because now you know their password. Which is bad.

It also means if you want to bruteforce something, you don't have to bruteforce every account separately.

Last of all, to even implement that you would need to be storing the passwords unsalted in the db, which is a huge no-no.

In any case, this is an article about bad practices, but the first screenshot was fake according to the text.


The first screenshot is a joke.


> Isn't there a massive security concern in exposing the username of whom you share a password with?

The big security problem there is that the stored password hashes are not salted with the username+$RANDOM_NUMBER. If it were, there'd be no way to check if two users shared the same password.


Unless you recompute the hash of the new password for each (username,salt) in your database.
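An added example, not posted by anyone in this thread, showing both sides of the exchange above in Python: with unsalted hashes, two users who picked the same password have identical stored digests, so the site can list them with a plain equality check; with a per-user salt of username + random bytes (as the commenter above describes) the digests are unrelated, and the only way left to find "everyone who shares this password" is to recompute the KDF once per stored (username, salt) pair. The sample accounts, the salt layout and the PBKDF2 parameters are constructed for illustration and are not from the article or the thread.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real users): alice and carol share a password.
SAMPLE_USERS = [
    ("alice", "password123"),
    ("bob", "correct horse battery staple"),
    ("carol", "password123"),
]

# --- Unsalted scheme: digest depends only on the password ---------------------

def hash_unsalted(password: str) -> bytes:
    """Bare SHA-256 of the password: what a site must be storing to offer the
    'these users share your password' feature with a single lookup."""
    return hashlib.sha256(password.encode()).digest()

def build_unsalted_db(users):
    return {name: hash_unsalted(pw) for name, pw in users}

# --- Salted scheme: digest depends on username + random salt ------------------

PBKDF2_ITERATIONS = 100_000  # illustrative; tune per deployment

def make_salt(username: str) -> bytes:
    # Mirrors the "username+$RANDOM_NUMBER" salt from the comment above.
    return username.encode() + os.urandom(16)

def hash_salted(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; bcrypt/scrypt/Argon2 are
    # the usual production choices, but the salting argument is identical.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def build_salted_db(users):
    """Store (salt, digest) per user; the salt is not secret, only unique."""
    db = {}
    for name, pw in users:
        salt = make_salt(name)
        db[name] = (salt, hash_salted(pw, salt))
    return db

# --- The two ways of asking "who shares a password?" --------------------------

def duplicate_digests(stored):
    """Users whose stored digest equals some other user's stored digest.
    `stored` maps username -> digest (unsalted) or -> (salt, digest) (salted)."""
    by_digest = {}
    for name, value in stored.items():
        digest = value[1] if isinstance(value, tuple) else value
        by_digest.setdefault(digest, []).append(name)
    return {n for names in by_digest.values() if len(names) > 1 for n in names}

def users_sharing_salted(db, candidate: str):
    """Recompute the KDF under every user's salt, as the reply above proposes.
    Returns (matching usernames, number of KDF invocations) to make the
    O(number of users) cost of this approach visible."""
    matches, kdf_calls = [], 0
    for name, (salt, digest) in db.items():
        kdf_calls += 1
        if hmac.compare_digest(hash_salted(candidate, salt), digest):
            matches.append(name)
    return sorted(matches), kdf_calls

if __name__ == "__main__":
    unsalted = build_unsalted_db(SAMPLE_USERS)
    salted = build_salted_db(SAMPLE_USERS)
    print("unsalted, shared by digest equality:", duplicate_digests(unsalted))
    print("salted, shared by digest equality:  ", duplicate_digests(salted))
    print("salted, shared by recomputation:    ", users_sharing_salted(salted, "password123"))
```

Running the script shows `{'alice', 'carol'}` for the unsalted table, an empty set for the salted one, and then the same two names again once the password is re-derived under each user's salt, at the cost of one KDF call per account. Note that the recompute-per-salt route is exactly what a bruteforce against a salted table has to do, which is why salting makes the "share a password" lookup expensive rather than impossible.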



