Microsoft Edge Password Monitor feature begins rolling out

Any respectful site or company dealing with users' passwords should have your passwords salted by rehashing them. That makes it very, very hard for any hacker to brute force them. I am pretty sure LastPass is one of those respectful sites.

IronZorg89 said:

Any respectful site or company dealing with users' passwords should have your passwords salted by rehashing them. That makes it very, very hard for any hacker to brute force them. I am pretty sure LastPass is one of those respectful sites.

Indeed, that's best practice.. but one thing most people don't realize is that attackers have dictionaries of salted dictionaries as well. Some sites use the same salt for every password, which is just as bad.

Each password should be salted with a different salt value for real security.. lots of website designers think they know how to do security, and frequently they are wrong. Or, they use a compromised library to do it. Or, they think they can roll their own (nobody should ever do thism unless they can also have it peer reviewed)

Also, FYI, LastPass and other password managers are probably a bad example. They, by nature of their business, can't hash passwords because they have to be recovered to use them to log in to other sites.

The passwords they use to log in to lastpass itself are actually more like PKI encryption, because the password is used (in part) to decrypt the database. But this method doesn't save the password in any form anyways, so it's effectively similar to a hashed and salted password.

Honstly, servers are powerful enough now that they should all be using PKI for authentication rather than saving a salted hash, which can become compromised.

@Mystere,

Good reasoning, but salted passwords + Multifactor authentication, i.e, sending a code to your smartphone or cell phone make it very hard for anyone to use your password in order to get access to your account.

IronZorg89 said:

@Mystere,
Good reasoning, but salted passwords + Multifactor authentication, i.e, sending a code to your smartphone or cell phone make it very hard for anyone to use your password in order to get access to your account.

Yes, MFA is a great tool, not everyone can use it though.. SMS systems cost a lot of money.

It will be less than 10 years probably before Quantum computing makes current hashing pointless.. hopefully they'll have decent anti-quantum hashes by then.

Mystere said:

Yes, MFA is a great tool, not everyone can use it though.. SMS systems cost a lot of money.

It will be less than 10 years probably before Quantum computing makes current hashing pointless.. hopefully they'll have decent anti-quantum hashes by then.

Hopefully, because everything is becoming a technological race. We are living in a world where we have to be constantly on our guards especially in regards to anything that can generate big earnings moneywise.

Hi,

One thing that would help is if there were a big financial penalty for sites that are hacked. So that they would have a financial incentive to properly secure there websites. Truly annoys me when a company is hacked and user information is compromised and the company release a statement that this stuff happens...

Steve C said:

What online databases are Microsoft revealing your sensitive passwords to?

None:

Password Monitor

Microsoft Edge is committed to keeping you safe on the web. To help keep your personal information private and secure, if you are signed into Microsoft Edge, Password Monitor alerts you if your credentials have been exposed in a third-party data breach. If Password Monitor is turned on, your saved credentials are hashed and encrypted locally on your device, sent to Microsoft servers over HTTPS, and compared against an encrypted list of known breached credentials. Your signed-in account identifier is securely sent along with your hashed and encrypted credentials to the Password Monitor service. If a credential is found in the list of known breached credentials, Microsoft sends an encrypted response back to your version of Microsoft Edge to warn you that your credential was detected as part of a hack or breach. No data is stored on Microsoft servers after the check is complete.The feature is only available for users signed into Microsoft Edge. Microsoft Edge asks for your permission to turn on Password Monitor. To turn Password Monitor on or off, go to edge://passwords.

Microsoft Edge Privacy Whitepaper - Password Monitor