In general, you don't. You store hashes. Exceptions sometimes apply when it's a credential used to access some other system - for example, Plaid's gonna have to store your bank account password to scrape it - but there you'd at least hope for encryption.
Media coverage tends not to get the distinction right, so it's always hard to tell if the company fucked up or the attacker is exaggerating on early coverage.
(Assuming this is what you meant by *but there you'd at least hope for encryption*, but expanding to verify): Even in this case, it seems unreasonable to store the password. Rather, the user's Plaid login should act as a part of multi-token access setup, where Plaid's backend services' tokens can also be used to decrypt the user's credentials in order to authenticate to those other service.
In short: even then, storing plaintext passwords seems... like choosing convenience for security, and that seems very wrong.
The article states "the group provided 100 credential pairs". That indicates one of a couple things; a) lying attacker providing old hacked accounts, b) unsalted or weakly salted credentials vulnerable to rainbow tables or brute force or c) plaintext storage.
Or it's just credential stuffing matching email with plaintext passwords from other old breaches, or they created 100 accounts and thus know the password, etc.
Until a more detailed investigation/write comes out it's difficult to say for certain what they have, if anything.
It could also be colloquial use of "credential pairs." In that it could be that they were, in fact, hashed; but the report went with a quick verbiage to say they were leaked. Especially considering that most hashing/encoding tricks will go out of date and many common passwords will still be as effectively leaked.
No a one-way hash is not "the password". If you have the hash you can't use it to login or reverse it to a password without brute force comparison which is why you always store a hash with salt using slow hashing algo, and not "the password", this has been best practice for years so a DB breach does not mean the password are compromised.
I agree, but it's still the password in that it's the secret set of characters needed to be compared against to login. It's just not the same text a user would enter when prompted for the password.
Keeps in mind these hackers are the ones saying they have passwords and this is Microsoft. Most likely hashes.
Be warned that this makes your authentication system less secure because it caps the maximum entropy of the password to the entropy of the hash function.
You need crazy long passwords for that to become the limiting factor. With random printable characters on the keyboard there are a bit less than 7 bits per character (unless a crazy amount of different accents are used). So you need passwords longer than 18 characters to surpass the entropy of even MD5.
A simple change if you don't want to change it too much eg. moving away from passwords would be to use a sponge function instead of a hash and and squeeze out the same number of bits as the plaintext.
Good point. How about splitting the password into chunks, then use a key streching algorthim on each chunk with difficulty tuned to be easier based off the total amount of chunks, and concatenating them.
