
But the whole point of the API is that you don't use the password if it is found in the list. So the attacker will know about the 200 strings that are definitely not the password.



Assuming you managed to instantly change the password on every single service you've used it, yes.


Nobody is talking about it, but to compromise someone, you also need the username, which is not sent.


Ah, that's true. In any case, I don't think this is really a reasonable vector of attack; I was just being pedantic at jgc's "the password is not sent" comment.



