Possible vulnerability in checking saved password in database

For those not reading the resources linked above, the passwords being checked are never sent in clear-text. In the unlikely event that someone intercepts the network traffic using a SSL decrypter while you are running a report, all they would get is the first 5 characters of a SHA-1 hash of the passwords being checked, a so-called hashprefix.

Bottom line: If your passwords have not previously been leaked (“pwned”), it would be impossible to deduce the password from the hashprefix information.

If you have a password that has been pwned, then someone who has the hashprefix and who also has a hash table of all leaked passwords could narrow down your password to a subset of around 400-600 entries in that table. Is this a security vulnerability? I would argue that it is not really, because your password is already on the list of leaked passwords (available for anybody to see). With modern hardware, it really isn’t that much harder to brute force the entire list of leaked passwords (a few billion) vs. just brute-forcing a shortlist of 400 candidates. As long as you immediately change any password that is identified as having been leaked, you should be safe.

3 Likes
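As an added illustration of the range check the post describes (this is example code written for this page, not the forum software's or any password manager's own implementation), the script below hashes a password with SHA-1, sends only the first 5 hex characters to a simulated range server, and compares the remaining 35 characters locally. The breach corpus, the `FakeRangeServer` class and the `SAMPLE_BREACH_COUNTS` values are constructed for the demonstration and are not real breach data; the `candidates_for_prefix` helper shows the "narrowing" effect the post discusses, i.e. what an observer who holds both the prefix and a leaked-password list could learn.

```python
import hashlib
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# Constructed sample breach corpus (password -> times seen). Not real data.
SAMPLE_BREACH_COUNTS: Dict[str, int] = {
    "password": 1234,
    "123456": 5678,
    "letmein": 42,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """Return (5-char prefix that leaves the client, 35-char suffix kept locally)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


class FakeRangeServer:
    """Simulated server side: it indexes leaked hashes by prefix and only ever
    sees the 5-character prefix, never the password or the full hash."""

    def __init__(self, breach_counts: Dict[str, int]) -> None:
        self.by_prefix: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
        for pw, count in breach_counts.items():
            prefix, suffix = split_hash(pw)
            self.by_prefix[prefix].append((suffix, count))
        self.queries: List[str] = []  # everything the server learns from clients

    def range(self, prefix: str) -> str:
        """Answer a range query with 'SUFFIX:COUNT' lines for that prefix."""
        if len(prefix) != 5:
            raise ValueError("range queries carry exactly 5 hex characters")
        self.queries.append(prefix)
        return "\n".join(f"{suffix}:{count}" for suffix, count in self.by_prefix.get(prefix, []))


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count mapping."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """Client-side check: send the prefix, match the suffix locally.
    Returns how often the password appeared in the corpus (0 = not found)."""
    prefix, suffix = split_hash(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def candidates_for_prefix(prefix: str, leaked_passwords) -> List[str]:
    """What an observer holding only the prefix plus a leaked-password list
    could narrow the query down to: every leaked password sharing that prefix."""
    return [pw for pw in leaked_passwords if sha1_hex(pw).startswith(prefix)]


if __name__ == "__main__":
    server = FakeRangeServer(SAMPLE_BREACH_COUNTS)
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", pwned_count(candidate, server.range))
    print("server saw only prefixes:", server.queries)
    print("narrowed candidates:", candidates_for_prefix(split_hash("password")[0], SAMPLE_BREACH_COUNTS))
```

Note that `server.queries` never contains more than 5 hex characters per lookup, which is the property the post relies on: the prefix by itself covers many unrelated hashes, so a password that was never leaked cannot be recovered from it.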