No, that doesn't make sense at all.
https://twitter.com/ppentestlabs/status/1202906268991664128 …
but why do they think they need a plaintext copy of it in their DB "To send it to you if you forget it" when standard practice is to generate a new one and send that to the user?
Yep, they absolutely should just regenerate it. That said, not sure that's worth the ridicule they're getting!
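The regenerate-instead-of-store approach discussed above, as an added example that is not from the thread or the vendor being discussed: a small credential store that keeps only salted scrypt hashes, so a "forgot password" request mints a fresh temporary password (hashed before storage, returned once for delivery) rather than reading the old one back. The class and function names are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Set, Tuple

# scrypt cost parameters (constructed for the example; tune for production).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, scrypt digest). The plaintext is never retained."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


class CredentialStore:
    """Hypothetical store: username -> (salt, digest); no plaintext column exists."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}
        self._must_change: Set[str] = set()

    def register(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def verify(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            hash_password(password)  # same cost for unknown users (timing)
            return False
        salt, stored = record
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(stored, candidate)

    def reset_password(self, username: str) -> str:
        """'Forgot password': generate a new temporary password, store only
        its hash, flag the account, and hand the plaintext back exactly once."""
        if username not in self._users:
            raise KeyError(username)
        temporary = secrets.token_urlsafe(12)
        self._users[username] = hash_password(temporary)
        self._must_change.add(username)
        return temporary

    def must_change_password(self, username: str) -> bool:
        return username in self._must_change
```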
Pointless to access other services. Not pointless if someone dumps all the passwords and sells access to the website to 3rd parties, right? I don't know what you can access if you have the password for an account...maybe other personal data that is not stored in plaintext...
Maybe, but it seems a pretty contrived situation that an attacker would be able to access password hashes and not any other data already, no?
You have a point there. For me it's more about the fact that there is a common understanding that passwords are generally bad for auth and storing them in plaintext is even worse. Of course different circumstances can make that more or less bad.
I guess they're conceding that their accounts are unimportant since they're only protecting *other* accounts (via re-use avoidance) in the case of a compromise, not their own.
You cannot prove that, because if you give users the password (even generated), they'll probably reuse it somewhere else. BUT, then keeping the passwords allows detecting botnet bruteforce attacks with password mutations.
Then they could just blacklist certain passwords.