this post was submitted on 26 May 2025
560 points (96.2% liked)
Cybersecurity - Memes
What gets me is the "password is too similar to old password".
How do they know? Are they storing them in plain text? I would imagine the hash would change drastically even if I change a single character, no?
I can imagine one legitimate case: when you create a password, they save the hash for the full password as well as the hash for the password without the last character. So if you attempt to change only the last character, they can detect it. They'd need to salt the two separately though.
In theory, they could do the same for every character, but they'd have to save 20+ combinations for that (plus all the salt), so I doubt anyone is doing that.
No need to store it; you can do the opposite: create 20 variations of the new password, hash them, and check if any match the old password.
Edit: never mind, it would only work if they added data instead of editing it.
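The check proposed in this comment, as an added example that is not code from the thread or from any real site: variants of the new password are hashed with the stored old salt and compared to the stored old hash, which catches appended (and, extending the idea, prepended) characters but, as the edit notes, not an in-place edit. The PBKDF2 scheme, the iteration count and the sample passwords are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os

# Iteration count kept low so the demo runs quickly; a real deployment would use far more.
ITERATIONS = 20_000
MAX_VARIANTS = 20  # the "20 variations" budget from the comment above


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (assumed scheme, not any particular site's)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def store_password(password: str) -> tuple[bytes, bytes]:
    """What the server keeps: a random per-password salt and the hash. No plaintext."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def candidate_variants(new_password: str, budget: int = MAX_VARIANTS):
    """Yield strings that equal the old password if the new one was formed by
    appending or prepending characters to it. Only prefix/suffix truncations are
    generated, so a character edited in the middle is never found (the caveat in
    the comment's edit). Stops after `budget` variants."""
    yield new_password
    produced = 1
    for cut in range(1, len(new_password)):
        for variant in (new_password[:-cut], new_password[cut:]):
            if produced >= budget:
                return
            yield variant
            produced += 1


def too_similar(new_password: str, old_salt: bytes, old_hash: bytes) -> bool:
    """True if any variant, hashed with the OLD salt, matches the stored old hash.
    Reusing the old salt is what makes the hashes comparable at all; the compare
    is constant-time so timing does not leak which variant matched."""
    return any(
        hmac.compare_digest(hash_password(variant, old_salt), old_hash)
        for variant in candidate_variants(new_password)
    )
```

Nothing is compared in plaintext and nothing extra is stored, but the check only sees changes that add characters to one end; many systems sidestep all of this because the current password is typed in during a change and can be compared directly.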