←back to thread

Plex Security Incident

(links.plex.tv)
104 points andyexeter | 2 comments | 08 Sep 25 22:11 UTC | HN request time: 0s | source
Show context
Someone1234 ◴[08 Sep 25 22:46 UTC] No.45175111[source]
> Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party.

I am glad they were hashed, but that's a misleading statement. The point of hashing is to slow an attacker down, even with full best security practices (e.g. salt + pepper + argon2 w/high factors) they can still be reverse engineered. It is a matter of when, not if.

replies(6): >>45175194 #>>45175199 #>>45175211 #>>45175220 #>>45175316 #>>45175644 #
Dedime ◴[08 Sep 25 22:59 UTC] No.45175220[source]
Maybe this is naive, but in a good crypto system, I would hope "when" is measured in millions or billions of years given current hardware capabilities.
replies(1): >>45175284 #
smallerize ◴[08 Sep 25 23:04 UTC] No.45175284[source]
If you have a long enough and random enough password, you're probably good. The trouble with short passwords is that there just aren't that many of them. An attacker can just compute the hash of all of them.
replies(1): >>45175382 #
jcgl ◴[08 Sep 25 23:14 UTC] No.45175382[source]
As long as the salt is secret from the attackers (which is not a given, of course), the length of the passwords shouldn't matter all too much; the input to the hash (i.e. password + hash) would still have enough entropy to not be brute-force-able.
replies(2): >>45175532 #>>45175533 #
OkayPhysicist ◴[08 Sep 25 23:37 UTC] No.45175532{3}[source]
If you have the hashed password, in most systems you have the salt. Salt+hash is for preventing the attackers from getting to try all your passwords in parallel.
replies(2): >>45175980 #>>45176024 #
1. solid_fuel ◴[09 Sep 25 00:39 UTC] No.45176024{4}[source]
Maybe this is what you're saying, I'm not sure - my understanding was that the salt prevents reused passwords from resulting in the same hash. So, if I use 'password' and you use 'password' the salt+hash will be different. That way attackers can't just hash all the common passwords once and immediately associate them with different accounts.
replies(1): >>45183248 #
2. OkayPhysicist ◴[09 Sep 25 15:23 UTC] No.45183248[source]
Yeah, exactly. Commonly, the salts are stored right next to the hashes in the DB, because they serve their purpose even if the attacker knows what the salts are. By using a different salt for every password, the attacker needs execute a full "guess, hash, compare, repeat" attack on each user, as opposed to "guess, hash, compare against all user passwords, repeat" on the entire database.