This thread is frustrating. Everyone seems more interested in nitpicking the specifics of what OP is saying and is ignoring that a forum sends you your password (not an automatically generated one) in an email on registration.

  • MajorHavoc@lemmy.world · 1 year ago

    Reversible hashed password storage isn’t meaningfully better than clear text.

    • The key to reverse the hash is typically (necessarily) stored in the same infrastructure as the password. Bad actors with access to one have access to the combination.
    • Even if an attacker fails to exfiltrate the key to the reversible hash, it’s typically only a matter of days at the most before they can reverse engineer it, and produce plain text copies of every password they obtained the hash of.

    A reversible hash provides a paper thin layer of protection against accidental disclosure. A one way hash is widely considered the bare minimum for password storage.

    Anyone claiming a password has been protected, and then being able to produce the original password, is justly subject to ridicule in security communities.

    • Bitrot@lemmy.sdf.org · 1 year ago (edited)

      The one they were sending at registration was prior to hashing. It would not be reversible afterwards.

      • MajorHavoc@lemmy.world · 1 year ago (edited)

        That’s technically less terrible, then.

        Good for them. /s

        Edited to add the /s for clarity, because the NIST recommended remediation in 2023 for emailing a password is “burn everything down and pretend the organization never existed”. /s

        Again, adding that /s since that’s not actually what NIST says to do, and I am, at best, paraphrasing.
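The one-way storage that MajorHavoc's first comment calls the bare minimum, as an added illustration that is not code from this thread or from the forum under discussion. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count, salt size and record layout are assumptions chosen for the demo.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this demo, not values from the thread.
ITERATIONS = 600_000
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm, iteration count, salt, digest.

    Nothing stored here can be reversed: there is no key to exfiltrate,
    so a stolen record can only be tested against candidate passwords.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DIGEST_BYTES
    )
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"pbkdf2-sha256${ITERATIONS}${b64(salt)}${b64(digest)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = record.split("$")
        if algo != "pbkdf2-sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False  # malformed record: never raise, never accept
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


def registration_demo(password: str) -> dict:
    """What the store holds after registration: the record, never the password."""
    record = hash_password(password)
    return {
        "record": record,
        "verifies": verify_password(password, record),
        "rejects_wrong": verify_password(password + "x", record),
        "salted": hash_password(password) != record,  # fresh salt, new record
    }
```

The plaintext exists only in the request that carries it; once `hash_password` has run, the site can confirm a login but cannot put the password into an email.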