Funny thing at work, I was handling some legacy users - we need to make sure that on the next login, if they have a weak password, they have to change it.
So the whole day I’m typing “123” as a password, 123 123 123 123 all good. So finally I’m done and now I’m testing it, and accidentally I type 1234 instead of just 123. Doesn’t really matter, either is “weak”, so I just click “Login”.
Then goes Chrome, “1234 is known as a weak password, found in breaches, you should change it”.
So TIL 123 is still good.
When setting it, sure. But if we’re talking about next login, that would imply we’re talking about passwords established in the database/server.
Then again, you do have that plaintext password available when it’s entered. Rather than checking what’s in the database, you could see what’s in the form that just triggered a successful login. That’s not as scary
Enterprise applications are often developed by the most “quick, ship this feature” form of developers on the world. Unless the client is paying for the development a quick look at the sql table shows often unsalted passwords in a table.
I’ve seen this in construction, medical, recruitment and other industries.
Until cyber security requires code auditing for handling and maintaining PII as law, mostly its a “you’re fine until you get breached” approach. Even things like ACSC Australia cyber security centre, has limited guidelines. Practically worthless. At most they suggest having MFA for Web facing services. Most cyber security insurers have something but it’s also practically self reported. No proof. So if someone gets breached because someone left everyone’s passwords in a table, largely unguarded, the world becomes a worse place and the list of user names and passwords on haveibeenpwned grows.
Edit: if a client pays and therefore has control to determine things like code auditing and security auditing etc as well as saml etc etc, then it’s something else. But say in the construction industry I’ve seen the same garbage tier software used at 12 different companies, warts and all. The developer is semi local to Australia ignoring the offshore developers…
You can have a list of hashes for known weak passwords, and compare it to hashes of the actual passwords stored.
Or at least that’s how I think it’d work
If the passwords were properly salted, it wouldn’t. But if they’re not salted, helloooooo rainbow tables. Or the world’s greatest crossword puzzle, like that one Adobe accidentally made. Maybe even both!
deleted by creator