 Okay, anyone have ideas how you could practically scan the Mastodon database for accounts using breached e-mail/password combinations, to send warnings? The haveibeenpwned.com API requires buying an API key for $3.50 per month, plus since Mastodon (of course) irreversibly hashes passwords with bcrypt that sort of task becomes non-trivial. No comments | Expand all CWs
[DATA EXPUNGED]
 Maybe keep the timestamp of the last login and if more than (e.g.) two months send a warning email the next time someone logs in? Or suspend the account and require the user click a link on an email to reactivate.  @Gargron a simple way to do this, could be to check for old popular domains, like caramail.com , aol.com, hotmail.com, yahoo.com, msn.com and so on. at these jurassic times, people never had incentives to build strong passwords, and from now on they have not be warned about how insecure it is to use the same 6 alphanums on all their accounts. so for some domains, a warn is always welcome :D I’m just gonna leave this here: https://github.com/mozilla/blurts-server/blob/master/README.md @Gargron I’m just gonna leave these here: - https://github.com/mozilla/blurts-server/blob/master/README.md I’m just gonna leave these here: - https://github.com/mozilla/blurts-server/blob/master/README.md @Gargron I think the best you can do is to check when a user changes their password. Or maybe after X logins the password is checked against HIBP. That's the only time you have the plaintext password. @Gargron 1) Find Passwordlists in web (e.g. https://github.com/danielmiessler/SecLists)  @Gargron Unfortunately I think most of these strats won't work, because Devise salts passwords by default and you'd have to hash every password for every user =\ Can someone confirm this? |
Gregory's Server
@Gargron checking hashes for current users is a lost cause in my opinion. Warn them about emails maximum.
You should check the passwords at creation time only for future users. ;)