Plex Security Incident

(links.plex.tv)
104 points andyexeter | 4 comments
Someone1234 No.45175111
> Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party.

I am glad they were hashed, but that's a misleading statement. The point of hashing is to slow an attacker down; even with full best security practices (e.g. salt + pepper + argon2 w/high factors) they can still be reverse engineered. It is a matter of when, not if.

replies(6): >>45175194 #>>45175199 #>>45175211 #>>45175220 #>>45175316 #>>45175644 #
mvdtnz No.45175211
For all practical purposes what you're saying is just wrong.
replies(1): >>45175676 #
1. Someone1234 No.45175676
I've done so within the last year, successfully. Cost $7 for a single password in just compute and took about 17 hours (lowest, cheapest priority).

So please explain your reply further. Also recall their claim for context of what I was replying to, and what you're here defending now.

If their claim is credible, what I did and what you're reiterating wasn't possible.

replies(3): >>45175698 #>>45178824 #>>45183134 #
2. mvdtnz No.45175698
No, you haven't, not for a reasonably strong password.
3. 0points No.45178824
You brute-forced a random argon2 hashed password using cheap compute in 17 hours?

Granted, the suggested defaults for argon2 are like ~0.1 second per verification on a rather beefy CPU; in 17h that's about 620 000 guesses.

Your cheap compute would likely perform worse.

That is beyond improbable. You are making it up.

4. IAmBroom No.45183134
Your story lacks important context. Was the password "password"? "123456"? Or a 12-character mix of cases, numbers, and special characters?
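
The disagreement above turns on how a fixed guess budget compares with the password's search space. The following is an added example, not part of the thread: it takes the figures quoted in the thread (about 0.1 s per argon2 verification, 17 hours) and compares the resulting budget against a few password classes. The password classes, the single-worker default and the assumption that passwords are chosen uniformly at random are constructed for illustration.

```python
SECONDS_PER_YEAR = 3600 * 24 * 365

def guess_budget(hours: int, ms_per_guess: int, workers: int = 1) -> int:
    """Hash verifications that fit in the given wall-clock time."""
    return hours * 3600 * 1000 * workers // ms_per_guess

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of a fixed length over an alphabet."""
    return alphabet_size ** length

def success_probability(budget: int, space: int) -> float:
    """Chance that a uniformly random password from `space` falls
    inside the first `budget` guesses (assumption: uniform choice)."""
    return min(1.0, budget / space)

def expected_years(space: int, ms_per_guess: int, workers: int = 1) -> float:
    """Expected search time: on average half the space is tried."""
    seconds = (space / 2) * (ms_per_guess / 1000) / workers
    return seconds / SECONDS_PER_YEAR

# Figures quoted in the thread: ~0.1 s per verification, 17 hours.
MS_PER_GUESS = 100
BUDGET = guess_budget(17, MS_PER_GUESS)

# Constructed password classes (not from the thread).
CLASSES = {
    "entry in a 10,000-word common-password list": 10_000,
    "6 random lowercase letters": keyspace(26, 6),
    "8 random lowercase letters": keyspace(26, 8),
    "12 random printable-ASCII characters": keyspace(95, 12),
}

def report():
    """Rows of (class, P(found within budget), expected years to find)."""
    return [
        (name,
         success_probability(BUDGET, space),
         expected_years(space, MS_PER_GUESS))
        for name, space in CLASSES.items()
    ]

if __name__ == "__main__":
    print(f"guess budget: {BUDGET:,}")
    for name, prob, years in report():
        print(f"{name:45s} P={prob:.3e}  expected={years:.3e} years")
```

With these inputs the budget covers a common-password list completely and a negligible fraction of a 12-character random password, which is why the strength of the individual password matters as much as the hash parameters.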