Score:1

Matching accounts across multiple data leaks via their hashed passwords


I've heard about several instances where OSINT researchers were able to match user accounts from multiple data leaks purely based on their hashed passwords, assuming accounts had the same password on different sites. (Yes, even when there were no other identifying characteristics, such as re-used usernames, re-used email addresses, browser fingerprints, or IPs.)

As far as I know, these data leaks all had salted passwords, so the researchers couldn't just compare the plain hashes between leaks.

How did they do it? Would they just try to brute-force both leaks and then compare the plaintext where they got matches? Are there any tricks that can be used to reduce the computational effort? E.g., how feasible is it in practice to pre-compute huge rainbow tables for salted passwords? Doesn't the extra "dimension" make this intractable?

I assume these analyses only succeed with very simple passwords (e.g., <7 characters without special symbols), or when the site admins used some very flawed hashing implementations (e.g., easily predictable salts). True?

PS: Password re-use is bad in any case. Please don't re-use passwords.

DannyNiu:
I'm pretty sure the salt was not used or was improperly generated in those cases. Anyway, we need to see their published results to know for sure.
If one of the leaks had actual passwords rather than a salted hash, the other salted hashes can be computed if the salts are also leaked with the hashes. It may also be possible if one of the passwords was stored without a salt.
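To make the question and the comment above concrete, here is an added example (my own illustration, not code from anyone in this thread) that simulates what two sites store for one account with a reused password. It uses constructed data only, and SHA-256 in place of the slow KDF a real site should use, to show three things: unsalted hashes are directly linkable across leaks, per-record random salts break that linkage, and a plaintext recovered from one source can be checked against a salted record only when that record's salt is also available.

```python
import hashlib
import os
from typing import Optional

# Constructed sample password for two fictional sites; nothing here comes from a real leak.
SHARED_PASSWORD = "correct horse"


def hash_unsalted(password: str) -> str:
    """Plain SHA-256 of the password, as a site without salting would store it."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """SHA-256 over salt || password with a per-record random salt.
    A real site should use bcrypt/scrypt/argon2; SHA-256 only keeps the demo short."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_record(password: str, salted: bool) -> dict:
    """Simulate the stored record for one account on one site."""
    if not salted:
        return {"scheme": "sha256", "salt": None, "hash": hash_unsalted(password)}
    salt = os.urandom(16)
    return {"scheme": "sha256-salted", "salt": salt.hex(), "hash": hash_salted(password, salt)}


def linkable_by_hash(rec_a: dict, rec_b: dict) -> bool:
    """Can two stored records be tied together by comparing the hash fields alone?"""
    return rec_a["hash"] == rec_b["hash"]


def confirm_with_known_plaintext(plaintext: str, rec: dict) -> Optional[bool]:
    """Check a plaintext known from elsewhere against a stored record.
    Returns None when the record is salted but its salt was not leaked, because
    the hash cannot even be recomputed in that case."""
    if rec["scheme"] == "sha256":
        return hash_unsalted(plaintext) == rec["hash"]
    if rec["salt"] is None:
        return None
    return hash_salted(plaintext, bytes.fromhex(rec["salt"])) == rec["hash"]


def demo() -> dict:
    """Run the three scenarios and return the outcomes."""
    site_a = make_record(SHARED_PASSWORD, salted=False)
    site_b = make_record(SHARED_PASSWORD, salted=False)
    site_c = make_record(SHARED_PASSWORD, salted=True)
    site_d = make_record(SHARED_PASSWORD, salted=True)
    site_d_salt_withheld = dict(site_d, salt=None)
    return {
        # same password, no salt: identical digests, linkable without any cracking
        "unsalted_linkable": linkable_by_hash(site_a, site_b),
        # same password, independent random salts: digests differ
        "salted_linkable": linkable_by_hash(site_c, site_d),
        # plaintext from one source plus leaked salt: the record can be confirmed
        "plaintext_vs_salted": confirm_with_known_plaintext(SHARED_PASSWORD, site_c),
        # wrong plaintext does not match
        "wrong_plaintext": confirm_with_known_plaintext("other password", site_c),
        # salted record whose salt was not leaked: no check is possible
        "plaintext_vs_salted_no_salt": confirm_with_known_plaintext(SHARED_PASSWORD, site_d_salt_withheld),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `None` outcome is the case the question is really asking about: with unique random salts that were not exposed, the only route left is recovering plaintexts on both sides, which is why the analyses described succeed mainly against weak passwords or against sites that stored hashes unsalted or with predictable salts.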