It's important to note in this "Facebook plain-text password" story that the passwords are being stored with salted scrypt hashes; that's not the issue. Instead, the issue is inadvertent logging of web requests -- which happen to contain clear-text passwords.
-
-
s/seed/salt/ obviously.
-
Yeah, I know the action mode of the OPRF: the server gets to mix its static secret into the client's PRF-derived value without either side learning the other's secrets. I just don't see it being super likely that the database of client PKs is stolen but the static secret is not.
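The OPRF exchange described in the tweet above, as an added worked example (this is not code from the thread's participants, from Facebook, or from any OPAQUE implementation). It uses a pure-Python Ed25519 group, a simplified try-and-increment hash-to-curve instead of a proper hash-to-curve, SHA-256 as the finalising hash, and a made-up "record" layout standing in for the stored client PK; all of those are assumptions. The point it demonstrates is the one the tweet makes: a thief holding the stored records but not the server's static key k has nothing to test a password guess against, while a thief holding both records and k can run a plain offline dictionary attack.

```python
import hashlib
import secrets

# Ed25519 group arithmetic in pure Python (modelled on the public reference
# implementation): dependency-free and readable, but not constant-time.
Q = 2**255 - 19                                          # field prime
L = 2**252 + 27742317777372353535851937790883648493      # prime subgroup order
COFACTOR = 8

def inv(x, m=Q):
    return pow(x % m, m - 2, m)   # m is prime, so Fermat's little theorem

D = (-121665 * inv(121666)) % Q
SQRT_M1 = pow(2, (Q - 1) // 4, Q)   # sqrt(-1) mod Q

def on_curve(P):
    x, y = P
    return (-x * x + y * y - 1 - D * x * x * y * y) % Q == 0

def xrecover(y):
    """x coordinate with (x, y) on the curve, or None if y has no such x."""
    xx = (y * y - 1) * inv(D * y * y + 1) % Q
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q != 0:
        x = (x * SQRT_M1) % Q
    if (x * x - xx) % Q != 0:
        return None
    return Q - x if x % 2 else x

def edwards_add(P, R):
    x1, y1 = P
    x2, y2 = R
    x3 = (x1 * y2 + x2 * y1) * inv(1 + D * x1 * x2 * y1 * y2)
    y3 = (y1 * y2 + x1 * x2) * inv(1 - D * x1 * x2 * y1 * y2)
    return (x3 % Q, y3 % Q)

def scalar_mult(P, e):
    R = (0, 1)                      # neutral element
    for bit in bin(e)[2:]:
        R = edwards_add(R, R)
        if bit == "1":
            R = edwards_add(R, P)
    return R

def hash_to_group(msg):
    """H1: map bytes to a point of order L. Try-and-increment is a simplification
    (assumption: a real deployment would use a proper hash-to-curve construction)."""
    ctr = 0
    while True:
        y = int.from_bytes(hashlib.sha512(msg + bytes([ctr])).digest(), "little") % Q
        x = xrecover(y)
        if x is not None:
            P = scalar_mult((x, y), COFACTOR)   # clear the cofactor
            if P != (0, 1):
                return P
        ctr += 1

def finalize(password, point):
    """H2: OPRF output F_k(pw) = H2(pw, k*H1(pw)); SHA-256 is an assumption here."""
    enc = point[0].to_bytes(32, "little") + point[1].to_bytes(32, "little")
    return hashlib.sha256(password + enc).digest()

def oprf_direct(server_key, password):
    """Evaluate F_k(pw) without the protocol; possible only for the holder of k."""
    return finalize(password, scalar_mult(hash_to_group(password), server_key))

def oprf_blinded(server_key, password):
    """Two-message DH-OPRF. Returns (client's output, the point the server saw)."""
    r = secrets.randbelow(L - 1) + 1
    blinded = scalar_mult(hash_to_group(password), r)     # client -> server: r*H1(pw)
    evaluated = scalar_mult(blinded, server_key)           # server -> client: k*r*H1(pw)
    unblinded = scalar_mult(evaluated, inv(r, L))          # client: r^-1 mod L removes r
    return finalize(password, unblinded), blinded

def register(server_key, password):
    """Server-side record: a hash of the OPRF output (assumed layout; stands in for
    the stored client PK / envelope of a real OPAQUE-style scheme)."""
    out, _ = oprf_blinded(server_key, password)
    return hashlib.sha256(b"record|" + out).digest()

def offline_guess_without_key(record, guess):
    """Thief holding the record DB but not k: the best they can compute is
    H2(guess, H1(guess)), which does not match a record built with k."""
    naive = finalize(guess, hash_to_group(guess))
    return hashlib.sha256(b"record|" + naive).digest() == record

def offline_guess_with_key(record, guess, server_key):
    """Thief holding the record DB and k: plain offline dictionary attack."""
    return hashlib.sha256(b"record|" + oprf_direct(server_key, guess)).digest() == record
```

In `oprf_blinded` the server only ever sees `r*H1(pw)`, so it learns nothing about the password, and the client never sees k; the same output is reachable directly only via `oprf_direct`, i.e. only by someone who holds k. That asymmetry is exactly what the "records stolen but static secret not" scenario buys, and `offline_guess_with_key` is what an attacker gets once both leak together. The arithmetic here is variable-time and unsuitable for anything but illustration.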