Password re-use by another person or on another service

Clash Royale CLAN TAG#URR8PPP

up vote
1
down vote

favorite

How does having the same password in different services make it less secure? How does having the same password as someone else make it less secure? Very basic question that I've always wondered about; I've been reminded by GitHub recently seen this message,

The password you provided has been reported as compromised due to re-use of that password on another service by you or someone else.

and,

Generate a unique password for GitHub. If you use your GitHub password elsewhere and that service is compromised, then attackers or other malicious actors could use that information to access your GitHub account.

Theoretically, how would that work? Shouldn't a different salt render it almost useless to any attacker?

different salt values will create completely different hashed values, even when the plaintext passwords are exactly the same [Wikipedia]

passwords salt

share|improve this question

asked 7 hours ago

Neil Edelman

1062

New contributor

Neil Edelman is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

up vote
1
down vote

favorite

How does having the same password in different services make it less secure? How does having the same password as someone else make it less secure? Very basic question that I've always wondered about; I've been reminded by GitHub recently seen this message,

The password you provided has been reported as compromised due to re-use of that password on another service by you or someone else.

and,

Generate a unique password for GitHub. If you use your GitHub password elsewhere and that service is compromised, then attackers or other malicious actors could use that information to access your GitHub account.

Theoretically, how would that work? Shouldn't a different salt render it almost useless to any attacker?

different salt values will create completely different hashed values, even when the plaintext passwords are exactly the same [Wikipedia]

passwords salt

share|improve this question

asked 7 hours ago

Neil Edelman

1062

New contributor

Neil Edelman is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

up vote
1
down vote

favorite

up vote
1
down vote

favorite

How does having the same password in different services make it less secure? How does having the same password as someone else make it less secure? Very basic question that I've always wondered about; I've been reminded by GitHub recently seen this message,

The password you provided has been reported as compromised due to re-use of that password on another service by you or someone else.

and,

Generate a unique password for GitHub. If you use your GitHub password elsewhere and that service is compromised, then attackers or other malicious actors could use that information to access your GitHub account.

Theoretically, how would that work? Shouldn't a different salt render it almost useless to any attacker?

different salt values will create completely different hashed values, even when the plaintext passwords are exactly the same [Wikipedia]

passwords salt

share|improve this question

asked 7 hours ago

Neil Edelman

1062

New contributor

Neil Edelman is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

How does having the same password in different services make it less secure? How does having the same password as someone else make it less secure? Very basic question that I've always wondered about; I've been reminded by GitHub recently seen this message,

The password you provided has been reported as compromised due to re-use of that password on another service by you or someone else.

and,

Generate a unique password for GitHub. If you use your GitHub password elsewhere and that service is compromised, then attackers or other malicious actors could use that information to access your GitHub account.

Theoretically, how would that work? Shouldn't a different salt render it almost useless to any attacker?

different salt values will create completely different hashed values, even when the plaintext passwords are exactly the same [Wikipedia]

passwords salt

passwords salt

share|improve this question

asked 7 hours ago

Neil Edelman

1062

New contributor

Neil Edelman is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this question

asked 7 hours ago

Neil Edelman

1062

New contributor

Neil Edelman is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this question

share|improve this question

asked 7 hours ago

Neil Edelman

1062

New contributor

Neil Edelman is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

asked 7 hours ago

Neil Edelman

1062

asked 7 hours ago

Neil Edelman

1062

1062

New contributor

Neil Edelman is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

New contributor

Neil Edelman is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

Neil Edelman is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

add a comment | 

2 Answers
2

active

oldest

votes

up vote
2
down vote

Salt is usually stored along with the hashed password. When an attacker knows that your password is "abc123" in "pqr.com", he can try your username and password "abc123" in site "efg.com". Now "efg.com", would retrieve the stored hash against your username and extract the salt from it. Then the extracted salt is used to calculate the hash of the entered password and then matched with the stored hash.

The purpose of salt is to ensure that just by looking at two hashed passwords, the attacker can't tell whether they are same or not.

Salt is not a secret. The only requirement is, it has to be unique within a given DB. Its existence is just for preventing attacker to prepare a pre-computed lookup table with passwords and their hashes to do a dictionary attack. But if the password itself is known to the attacker, salt cannot save the user.

share|improve this answer

edited 1 hour ago

answered 6 hours ago

Saptarshi Basu

1436

New contributor

Saptarshi Basu is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  

  
  
  
  
  
  

  
  why the downvote?
  – Saptarshi Basu
  5 hours ago
  

  
  
  
  

add a comment | 

up vote
1
down vote

If the password has been known to be compromised then certainly the password won't be all too unique. It is probable that an adversary will try and use that password when trying to compromise accounts by simply testing that password for each user.

"If a service is compromised" does not need to mean that the data at rest - i.e. the storage device holding the database - is stolen. It may be that the server is compromised and that the attacker will intercept any password typed into the service by the user. As the server generates the code that asks for the password, an attacker should then always be able to retrieve your password, before a password hash with the salt is applied to it.

share|improve this answer

answered 6 hours ago

Maarten Bodewes

49.8k569182

add a comment | 

Your Answer

StackExchange.ifUsing("editor", function ()
return StackExchange.using("mathjaxEditing", function ()
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
);
);
, "mathjax-editing");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

Neil Edelman is a new contributor. Be nice, and check out our Code of Conduct.

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f63268%2fpassword-re-use-by-another-person-or-on-another-service%23new-answer', 'question_page');

);

Post as a guest

Name Email

2 Answers
2

active

oldest

votes

2 Answers
2

active

oldest

votes

active

oldest

votes

active

oldest

votes

up vote
2
down vote

Salt is usually stored along with the hashed password. When an attacker knows that your password is "abc123" in "pqr.com", he can try your username and password "abc123" in site "efg.com". Now "efg.com", would retrieve the stored hash against your username and extract the salt from it. Then the extracted salt is used to calculate the hash of the entered password and then matched with the stored hash.

The purpose of salt is to ensure that just by looking at two hashed passwords, the attacker can't tell whether they are same or not.

Salt is not a secret. The only requirement is, it has to be unique within a given DB. Its existence is just for preventing attacker to prepare a pre-computed lookup table with passwords and their hashes to do a dictionary attack. But if the password itself is known to the attacker, salt cannot save the user.

share|improve this answer

edited 1 hour ago

answered 6 hours ago

Saptarshi Basu

1436

New contributor

Saptarshi Basu is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  

  
  
  
  
  
  

  
  why the downvote?
  – Saptarshi Basu
  5 hours ago
  

  
  
  
  

add a comment | 

up vote
2
down vote

Salt is usually stored along with the hashed password. When an attacker knows that your password is "abc123" in "pqr.com", he can try your username and password "abc123" in site "efg.com". Now "efg.com", would retrieve the stored hash against your username and extract the salt from it. Then the extracted salt is used to calculate the hash of the entered password and then matched with the stored hash.

The purpose of salt is to ensure that just by looking at two hashed passwords, the attacker can't tell whether they are same or not.

Salt is not a secret. The only requirement is, it has to be unique within a given DB. Its existence is just for preventing attacker to prepare a pre-computed lookup table with passwords and their hashes to do a dictionary attack. But if the password itself is known to the attacker, salt cannot save the user.

share|improve this answer

edited 1 hour ago

answered 6 hours ago

Saptarshi Basu

1436

New contributor

Saptarshi Basu is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  

  
  
  
  
  
  

  
  why the downvote?
  – Saptarshi Basu
  5 hours ago
  

  
  
  
  

add a comment | 

up vote
2
down vote

up vote
2
down vote

Salt is usually stored along with the hashed password. When an attacker knows that your password is "abc123" in "pqr.com", he can try your username and password "abc123" in site "efg.com". Now "efg.com", would retrieve the stored hash against your username and extract the salt from it. Then the extracted salt is used to calculate the hash of the entered password and then matched with the stored hash.

The purpose of salt is to ensure that just by looking at two hashed passwords, the attacker can't tell whether they are same or not.

Salt is not a secret. The only requirement is, it has to be unique within a given DB. Its existence is just for preventing attacker to prepare a pre-computed lookup table with passwords and their hashes to do a dictionary attack. But if the password itself is known to the attacker, salt cannot save the user.

share|improve this answer

edited 1 hour ago

answered 6 hours ago

Saptarshi Basu

1436

New contributor

Saptarshi Basu is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

Salt is usually stored along with the hashed password. When an attacker knows that your password is "abc123" in "pqr.com", he can try your username and password "abc123" in site "efg.com". Now "efg.com", would retrieve the stored hash against your username and extract the salt from it. Then the extracted salt is used to calculate the hash of the entered password and then matched with the stored hash.

The purpose of salt is to ensure that just by looking at two hashed passwords, the attacker can't tell whether they are same or not.

Salt is not a secret. The only requirement is, it has to be unique within a given DB. Its existence is just for preventing attacker to prepare a pre-computed lookup table with passwords and their hashes to do a dictionary attack. But if the password itself is known to the attacker, salt cannot save the user.

share|improve this answer

edited 1 hour ago

answered 6 hours ago

Saptarshi Basu

1436

New contributor

Saptarshi Basu is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this answer

share|improve this answer

edited 1 hour ago

edited 1 hour ago

edited 1 hour ago

answered 6 hours ago

Saptarshi Basu

1436

New contributor

Saptarshi Basu is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

answered 6 hours ago

Saptarshi Basu

1436

answered 6 hours ago

Saptarshi Basu

1436

1436

New contributor

Saptarshi Basu is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

New contributor

Saptarshi Basu is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

Saptarshi Basu is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  

  
  
  
  
  
  

  
  why the downvote?
  – Saptarshi Basu
  5 hours ago
  

  
  
  
  

add a comment | 

• 
  
  
  

  
  

  
  
  
  
  
  

  
  why the downvote?
  – Saptarshi Basu
  5 hours ago
  

  
  
  
  

why the downvote?
– Saptarshi Basu
5 hours ago

why the downvote?
– Saptarshi Basu
5 hours ago

add a comment | 

up vote
1
down vote

If the password has been known to be compromised then certainly the password won't be all too unique. It is probable that an adversary will try and use that password when trying to compromise accounts by simply testing that password for each user.

"If a service is compromised" does not need to mean that the data at rest - i.e. the storage device holding the database - is stolen. It may be that the server is compromised and that the attacker will intercept any password typed into the service by the user. As the server generates the code that asks for the password, an attacker should then always be able to retrieve your password, before a password hash with the salt is applied to it.

share|improve this answer

answered 6 hours ago

Maarten Bodewes

49.8k569182

add a comment | 

up vote
1
down vote

If the password has been known to be compromised then certainly the password won't be all too unique. It is probable that an adversary will try and use that password when trying to compromise accounts by simply testing that password for each user.

"If a service is compromised" does not need to mean that the data at rest - i.e. the storage device holding the database - is stolen. It may be that the server is compromised and that the attacker will intercept any password typed into the service by the user. As the server generates the code that asks for the password, an attacker should then always be able to retrieve your password, before a password hash with the salt is applied to it.

share|improve this answer

answered 6 hours ago

Maarten Bodewes

49.8k569182

add a comment | 

up vote
1
down vote

up vote
1
down vote

If the password has been known to be compromised then certainly the password won't be all too unique. It is probable that an adversary will try and use that password when trying to compromise accounts by simply testing that password for each user.

"If a service is compromised" does not need to mean that the data at rest - i.e. the storage device holding the database - is stolen. It may be that the server is compromised and that the attacker will intercept any password typed into the service by the user. As the server generates the code that asks for the password, an attacker should then always be able to retrieve your password, before a password hash with the salt is applied to it.

share|improve this answer

answered 6 hours ago

Maarten Bodewes

49.8k569182

If the password has been known to be compromised then certainly the password won't be all too unique. It is probable that an adversary will try and use that password when trying to compromise accounts by simply testing that password for each user.

"If a service is compromised" does not need to mean that the data at rest - i.e. the storage device holding the database - is stolen. It may be that the server is compromised and that the attacker will intercept any password typed into the service by the user. As the server generates the code that asks for the password, an attacker should then always be able to retrieve your password, before a password hash with the salt is applied to it.

share|improve this answer

answered 6 hours ago

Maarten Bodewes

49.8k569182

share|improve this answer

share|improve this answer

answered 6 hours ago

Maarten Bodewes

49.8k569182

answered 6 hours ago

Maarten Bodewes

49.8k569182

answered 6 hours ago

Maarten Bodewes

49.8k569182

49.8k569182

add a comment | 

add a comment | 

Neil Edelman is a new contributor. Be nice, and check out our Code of Conduct.

 

draft saved

draft discarded

Neil Edelman is a new contributor. Be nice, and check out our Code of Conduct.

Neil Edelman is a new contributor. Be nice, and check out our Code of Conduct.

Neil Edelman is a new contributor. Be nice, and check out our Code of Conduct.

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f63268%2fpassword-re-use-by-another-person-or-on-another-service%23new-answer', 'question_page');

);

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Name Email

Name

Email

Name Email

Name

Email