04:04 <ocdtrekkie> Ian, your mobile change is much appreciated.

04:05 <ocdtrekkie> Is minor, yet significant.

04:10 <isd> Glad to hear it.

22:09 <xet7> Does someone understand what is this about? https://github.com/meteor/meteor/discussions/11812

22:18 <ocdtrekkie> Basically all they're saying is that passwords aren't salted, so the pre-hashing is mostly useless for security.

22:19 <isd> Does not affect sandstorm fortunately, since we don't use password auth

22:19 <ocdtrekkie> (Sandstorm is presumably unaffected as it does not store passwords.)

22:22 <ocdtrekkie> IMHO I would rather a rudimentary prehash than sending the password plaintext, although they are using TLS outside of that as well.

22:23 <ocdtrekkie> But like... the solution of salting your hash is like 90s era basic stuff. If you are hashing, you probably should be salting.

22:24 <ocdtrekkie> It's cheap and it just adds another stupid thing for an attacker to cope with.

22:43 <TimMc> Not sure I buy the arguments at the scottbrady91 page.

22:43 <TimMc> It's very hazy on the example scenario.

22:45 <ocdtrekkie> I wasn't 100% positive either, tbh

22:46 <TimMc> You'd first want to compare the probabilities that the user's password was in a cleartext breach vs. a SHA1 (etc.) breach.

22:47 <TimMc> That ratio would have a *dramatic* effect on whether any of this makes sense.

22:48 <TimMc> Next, how many of those SHA-1 (etc.) hashes *haven't* been cracked? My sense was that the crack rate is pretty high!

22:57 <TimMc> OK, so let's pretend most or all breaches are SHA1, cracking SHA1'd passwords is annoyingly hard but not impossible, and you're using pre-hashing (on the client). I think another (important, but unstated) assumption here is that your own DB has been leaked. I *think* the claim here is that the attacker will now go through all of your bcrypt hashes and try each SHA1 they've seen elsewhere. Does that sound

22:57 <TimMc> like a correct characterization?

23:03 <TimMc> Under those assumptions, the attacker would have to try about 600,000,000 hashes (assuming Pwned Passwords dataset) against every bcrypt hash, since each of the latter is salted. At maybe 100ms of work per hash, that's 2 years of compute time just to check *each* user's bcrypt.

23:04 <TimMc> Given that in reality people choose pretty crackable passwords, avoiding this attack (in a pre-hashed passwords scenario) gives marginal benefit, and there's a pretty compelling argument to pre-hash on the client side if you don't know if TLS will be in use in real-world deployments.

23:05 <TimMc> (Counter-argument: There's benefit in the server knowing the cleartext password at login or registration time so that it check the Pwned Passwords DB and force a password reset for bad passwords!)

23:07 <TimMc> Uh... happy to weigh in on the thread if that would help. :-P

23:08 <ocdtrekkie> Arguably you could have the client check Pwned Passwords too.

23:08 <ocdtrekkie> It's mostly a safety feature for people who do not know better. If you want to defeat yourself by circumventing it, go ahead, IMHO.

23:18 <TimMc> Hah, true, no reason the client couldn't do it.

23:19 <TimMc> ...maybe we should do that at work.

23:20 <TimMc> ...nah, easier to do on the server, otherwise we'd have to implement it for the mobile apps as well.

23:49 <xet7> TimMc: I added some comments to issue. It would be excellent if you could weight in to help :D

23:49 <xet7> add some comments there

23:51 <xet7> Most likely sometime there will be some audit of WeKan too

23:52 <xet7> I'm so happy WeKan just got some fixes :D https://github.com/wekan/wekan/pull/4252

23:52 <xet7> I'm also updating some WeKan dependencies