It's important to note in this "Facebook plain-text password" story that the passwords are being stored with salted scrypt hashes; that's not the issue. Instead, the issue is inadvertent logging of web requests -- which happen to contain clear-text passwords.
-
Yeah I know the action mode of the OPRF: the server gets to mix its static secret into the client's PRF-derived value without either side learning the other's secrets. I just don't see it being super likely that the database of client PKs is stolen but the static secret is not.