Plex Security Incident

(links.plex.tv)
104 points andyexeter | 3 comments
Someone1234 ◴[] No.45175111[source]
> Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party.

I am glad they were hashed, but that's a misleading statement. The point of hashing is to slow an attacker down, even with full best security practices (e.g. salt + pepper + argon2 w/high factors) they can still be reverse engineered. It is a matter of when, not if.

replies(6): >>45175194 #>>45175199 #>>45175211 #>>45175220 #>>45175316 #>>45175644 #
1. mr90210 ◴[] No.45175194[source]
> (e.g. salt + pepper + argon2 w/high factors) they can still be reverse engineered. It is a matter of when, not if

How much compute/gpu and hard dollars would hackers need in order to reverse engineer those stolen passwords?

replies(2): >>45175294 #>>45175342 #
2. kstrauser ◴[] No.45175294[source]
Approximately “infinite”.
3. reactordev ◴[] No.45175342[source]
They borrow unsecured k8s clusters on AWS. That’s not redis running…
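
Added example, not part of any comment in this thread and not Plex's code: a salted, peppered, memory-hard password hash with a per-guess cost estimate, illustrating the "slows an attacker down" versus "approximately infinite" exchange above. It assumes scrypt from Python's standard library as a stand-in for argon2; the function names, cost parameters and candidate-space sizes are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed cost parameters: about 16 MiB of memory per guess. Tune to your hardware.
N, R, P = 2**14, 8, 1

def hash_password(password, pepper, salt=None):
    """Return (salt, digest). The pepper is a server-side secret kept outside the database."""
    salt = salt or os.urandom(16)
    # Pepper step: keyed pre-hash, so a database-only leak lacks one input to every guess.
    keyed = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    digest = hashlib.scrypt(keyed, salt=salt, n=N, r=R, p=P, dklen=32)
    return salt, digest

def verify_password(password, pepper, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, pepper, salt)
    return hmac.compare_digest(digest, expected)

def seconds_per_guess(pepper, trials=3):
    """Measure what one candidate costs on this machine at the chosen parameters."""
    start = time.perf_counter()
    for i in range(trials):
        hash_password(f"guess-{i}", pepper, b"\x00" * 16)
    return (time.perf_counter() - start) / trials

def years_to_exhaust(candidates, seconds_each, parallel=1):
    """Worst-case time to try every candidate against ONE salted hash."""
    return candidates * seconds_each / parallel / (365 * 24 * 3600)

if __name__ == "__main__":
    pepper = os.urandom(32)  # constructed; in production this lives in a secret store
    cost = seconds_per_guess(pepper)
    spaces = [
        ("10,000 common passwords", 10**4),
        ("8 random lowercase letters", 26**8),
        ("4 random words from a 7776-word list", 7776**4),
    ]
    for label, size in spaces:
        years = years_to_exhaust(size, cost, parallel=1000)
        print(f"{label}: {years:.3g} years at {cost * 1000:.0f} ms/guess x 1000 workers")
```

The output shows why both positions in the thread can hold: the hash parameters set the cost per guess, but the password's own candidate space decides whether the total is minutes or far beyond any practical budget.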