[Cryptography] Zero Knowledge: Have I Been Pwned?
Barney Wolff
barney at databus.com
Sun Sep 10 19:06:16 EDT 2017
On Sun, Sep 10, 2017 at 11:25:30AM -0700, Henry Baker wrote:
> I also don't think that it is safe to type a SHA1 hash of a password into the HIBP either. Why? Because the database contains the complete list of pairs (password,SHA1(password)), so inverting these particular hashes is trivial, so this is equivalent to simply typing in the unhashed password.
I don't understand your concern with typing the SHA1 hash. If you get a hit you are going to change the password and never use it again. If you don't get a hit what can an attacker do with the hash? Is there any system so stupid as to store passwords as unsalted SHA1 hashes?
More information about the cryptography
mailing list