This’ll happen if there’s been a suspected data breach with poor password encryption or requirements. Gotta be safe and change the algorithm, breaking everyone’s existing passwords. But yeah, it is annoying…
I wouldn’t have a problem with this if the website just told us there was a breach and we need to change our password. The problem is when they gaslight me about it.
Oh, I thought it had something to do with password hashes, where websites don’t actually know your password, but if the hash is the same, then it assumes that you entered the right PW. At least that’s how my non-technical brain understands how it works.
That’s correct, let’s say a database was breached and the hacker has every user and their password hashes. They can login with testuser@email.com with password “password123” and see if the generated hash matches any other user’s password hash. If so, they might be able to hack many accounts with the same password or even reverse engineer and decrypt every other password.
Developers can make the hash more secure by adding arbitrary characters to the password (aka a salt), and this becomes the site’s “authentication algorithm”. But if the hashes are stolen, it may be a matter of time before the algorithm is figured out, which leads to updates, which leads to your pre-existing hash no longer matching.
This’ll happen if there’s been a suspected data breach with poor password encryption or requirements. Gotta be safe and change the algorithm, breaking everyone’s existing passwords. But yeah, it is annoying…
I wouldn’t have a problem with this if the website just told us there was a breach and we need to change our password. The problem is when they gaslight me about it.
It also happens with the following process:
Oh, I thought it had something to do with password hashes, where websites don’t actually know your password, but if the hash is the same, then it assumes that you entered the right PW. At least that’s how my non-technical brain understands how it works.
That’s correct, let’s say a database was breached and the hacker has every user and their password hashes. They can login with testuser@email.com with password “password123” and see if the generated hash matches any other user’s password hash. If so, they might be able to hack many accounts with the same password or even reverse engineer and decrypt every other password.
Developers can make the hash more secure by adding arbitrary characters to the password (aka a salt), and this becomes the site’s “authentication algorithm”. But if the hashes are stolen, it may be a matter of time before the algorithm is figured out, which leads to updates, which leads to your pre-existing hash no longer matching.
deleted by creator