It's important to note in this "Facebook plain-text password" story that the passwords are being stored with salted scrypt hashes; that's not the issue. Instead, the issue is inadvertent logging of web requests -- which happen to contain clear-text passwords.
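The failure mode in the tweet above is a generic "log the whole request" helper that writes bodies and headers verbatim. Below is an added example (not code from the thread, and not Facebook's code) showing that helper beside a version that scrubs credential fields before the line is written. The field names in SENSITIVE_FIELDS, the sample requests and the "omit anything we cannot parse" fallback are assumptions made for the demo.

```python
import json
from urllib.parse import parse_qsl, urlencode

# Field names that must never reach a log line. Assumption for this demo:
# a real deployment would keep this list in configuration and review it.
SENSITIVE_FIELDS = {"password", "passwd", "pass", "new_password",
                    "old_password", "token"}
SENSITIVE_HEADERS = {"authorization", "cookie"}
REDACTED = "[REDACTED]"


def log_request_unsafe(method, path, headers, body):
    """The pattern behind the story: log everything, credentials included."""
    return f"{method} {path} headers={json.dumps(headers, sort_keys=True)} body={body}"


def scrub_form(body):
    """Redact sensitive keys in an application/x-www-form-urlencoded body."""
    pairs = parse_qsl(body, keep_blank_values=True)
    return urlencode([(k, REDACTED if k.lower() in SENSITIVE_FIELDS else v)
                      for k, v in pairs])


def scrub_json(obj):
    """Recursively redact sensitive keys in a decoded JSON document."""
    if isinstance(obj, dict):
        return {k: (REDACTED if k.lower() in SENSITIVE_FIELDS else scrub_json(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [scrub_json(v) for v in obj]
    return obj


def scrub_body(content_type, body):
    ct = (content_type or "").split(";")[0].strip().lower()
    if ct == "application/x-www-form-urlencoded":
        return scrub_form(body)
    if ct == "application/json":
        try:
            return json.dumps(scrub_json(json.loads(body)), sort_keys=True)
        except ValueError:
            pass  # malformed JSON: fall through to the opaque default
    # Unknown or unparseable body: log only its size. Logging nothing is safer
    # than logging something we could not inspect (design choice for this demo).
    return f"<{len(body)} bytes omitted>"


def scrub_headers(headers):
    return {k: (REDACTED if k.lower() in SENSITIVE_HEADERS else v)
            for k, v in headers.items()}


def log_request_safe(method, path, headers, body):
    """Same log line as log_request_unsafe, but credentials never reach it."""
    ct = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    return (f"{method} {path} headers={json.dumps(scrub_headers(headers), sort_keys=True)} "
            f"body={scrub_body(ct, body)}")


def contains_secret(line, secrets):
    """Check used below to show whether a log line leaks any given secret."""
    return any(s in line for s in secrets)


# Constructed sample requests for the demo (not captured traffic).
FORM_LOGIN = ("POST", "/login",
              {"Content-Type": "application/x-www-form-urlencoded",
               "Cookie": "session=abc123"},
              "username=alice&password=hunter2")
JSON_LOGIN = ("POST", "/api/login",
              {"Content-Type": "application/json"},
              '{"username": "bob", "credentials": {"password": "letmein"}}')
SECRETS = ["hunter2", "letmein", "abc123"]

if __name__ == "__main__":
    for req in (FORM_LOGIN, JSON_LOGIN):
        print("UNSAFE:", log_request_unsafe(*req))
        print("SAFE:  ", log_request_safe(*req))
```

The scrubber works on the parsed structure rather than on a regex over the raw text, so a password nested inside a JSON object or sent under a differently cased key is still caught; bodies it cannot parse are summarised by size instead of being copied through.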
-
-
I'm marginally fuzzy about WHAT it solves. I can see that the static serverside secret means that performing dictionary/brute force attacks with a stolen pk requires either server interaction or also stealing the static secret... but is that all we are gaining?
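To make the question above concrete, here is an added example (not code from the thread, and not a claim about Facebook's actual construction) of one common way a static server-side secret is layered on top of a salted scrypt hash: the scrypt output is run through an HMAC keyed with the secret before being stored. The demo then runs an offline dictionary attack against a stolen record with and without the secret. The cost parameters are deliberately tiny so the demo runs quickly, and the wordlist is constructed; both are assumptions for this example.

```python
import hashlib
import hmac
import os

# Cost parameters kept small so the demo runs in well under a second.
# Assumption for this example: production values would be far higher.
N, R, P, DKLEN = 2 ** 10, 8, 1, 32


def scrypt_hash(password: str, salt: bytes) -> bytes:
    """Per-user salted scrypt, the part an attacker can recompute offline."""
    return hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)


def pepper_hash(inner: bytes, pepper: bytes) -> bytes:
    """Apply the static server-side secret (pepper) as an HMAC key."""
    return hmac.new(pepper, inner, hashlib.sha256).digest()


def store_password(password: str, pepper: bytes) -> dict:
    """Record as it would sit in the user database: salt plus final hash.
    The pepper itself is not stored here."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": pepper_hash(scrypt_hash(password, salt), pepper)}


def verify_password(password: str, record: dict, pepper: bytes) -> bool:
    candidate = pepper_hash(scrypt_hash(password, record["salt"]), pepper)
    return hmac.compare_digest(candidate, record["hash"])


def offline_dictionary_attack(record: dict, wordlist, pepper_guess: bytes):
    """What someone holding only the stolen record can do offline.
    Returns the recovered password, or None if no guess matched."""
    for word in wordlist:
        if hmac.compare_digest(pepper_hash(scrypt_hash(word, record["salt"]), pepper_guess),
                               record["hash"]):
            return word
    return None


# Constructed wordlist for the demo.
WORDLIST = ["123456", "password", "hunter2", "letmein", "qwerty"]


def demo() -> dict:
    # The pepper lives outside the user database (separate service or HSM);
    # here it is just generated in memory.
    pepper = os.urandom(32)
    record = store_password("hunter2", pepper)
    return {
        "login_ok": verify_password("hunter2", record, pepper),
        "login_wrong": verify_password("hunter3", record, pepper),
        # Attacker stole the DB *and* the pepper: weak passwords fall to a wordlist.
        "attack_with_pepper": offline_dictionary_attack(record, WORDLIST, pepper),
        # Attacker stole only the DB: every guess fails, the wordlist is useless.
        "attack_without_pepper": offline_dictionary_attack(record, WORDLIST, b""),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The gain is exactly what the question describes: a leaked table of salts and hashes is, on its own, no longer attackable offline, because every candidate must be pushed through an HMAC whose key the attacker does not have. The remaining avenues are online guessing against the live service (which can be rate limited and detected) or a second compromise that reaches the secret. The trade-off is operational: the secret must be kept somewhere the database compromise does not reach, and rotating it means re-deriving hashes at next login, since the stored value cannot be recomputed without the user's password.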
-