
It will help when my unique password gets exposed through any of the many likely routes that don't give the attacker complete code execution on the servers - SQLi or using XSS to steal admin tokens, for example.



Interesting, SQLi that works only for reading encrypted_hash from the DB? But since the password is unique, it cannot be brute-forced even locally.


True - it's the (many, many documented[1]) cases where the SQLi grabs the password_cleartext column, not the encrypted_hash one, that worry me here.

[1] http://plaintextoffenders.com/



