A service recently forced me to reset my password, so I asked them:

Was there an incident that caused passwords to be reset? Was an analysis done on passwords to determine their "strength" such that mine was deemed unfit?

I eventually got this back.

It in fact is exactly what you had guessed. We implemented some measures such as this one to protect yours and all customer information, which is why we had asked you to strengthen your password.

@GeoffWozniak The only way this would be reasonable is if they compared hashed passwords and asked anyone who shared a password with someone else to change it.

If they're able to see passwords that's just bad security.
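To make the point above concrete, here is an added example (not from anyone in this thread) showing why an operator can only spot users who share a password when the store is unsalted: with unsalted MD5, two identical passwords produce identical stored values, while a per-user random salt makes every stored value unique even for the same password. The user records and passwords are constructed sample data; the hashing functions and names are my own and assume nothing about the service in question.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample records for illustration only; not real accounts.
USERS = {
    "alice": "correct horse battery staple",
    "bob": "hunter2",
    "carol": "hunter2",          # same password as bob
    "dave": "Tr0ub4dor&3",
}

PBKDF2_ROUNDS = 100_000


def unsalted_md5(password):
    """The weak scheme discussed in the thread: no salt, fast hash."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_hash(password, salt=None):
    """Per-user random salt plus a slow KDF; stored as 'salt$digest'."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def find_shared(stored):
    """Group usernames by stored value; return only groups with >1 member."""
    groups = defaultdict(list)
    for user, value in stored.items():
        groups[value].append(user)
    return {v: users for v, users in groups.items() if len(users) > 1}


def shared_with_unsalted(users=USERS):
    # Identical passwords collide, so reuse is visible to the operator.
    return find_shared({u: unsalted_md5(p) for u, p in users.items()})


def shared_with_salted(users=USERS):
    # Each record has its own salt, so nothing collides even for bob/carol.
    return find_shared({u: salted_hash(p) for u, p in users.items()})


if __name__ == "__main__":
    print("unsalted MD5 duplicates:", shared_with_unsalted())  # bob and carol
    print("salted duplicates:", shared_with_salted())          # none
    rec = salted_hash("hunter2")
    print("verify ok:", verify_salted("hunter2", rec), "wrong:", verify_salted("hunter3", rec))
```

The salted store is the one a defender wants: it deliberately prevents the kind of bulk comparison that would have let the operator single out reused passwords, which is the trade-off the reply above is pointing at.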

@Anarkat It's still unclear what is going on. I'm trying to get at whether they actually stored passwords or compared (unsalted?) hashes to see that there were too many weak ones.

@GeoffWozniak @Anarkat Or just decided they couldn't tell, and it was easier to force everyone to change their password.

@thegibson @Anarkat My guess is incompetence of some kind. They probably deleted them all by accident.

@thegibson @Anarkat More generous: they did store everything using, say, unsalted MD5, someone realized how bad that was and just nuked the whole thing from orbit.

It was the only way to be sure.

@GeoffWozniak @thegibson @Anarkat Or more likely, they don't actually know what went wrong but apparently something did, and now everyone has to wave the dead chicken over their heads. But nobody knows why. Except for that one engineer who has since been fired.

