<div><span style="color: rgb(160, 160, 168); ">On Monday, February 11, 2013 at 8:15 AM, M.-A. Lemburg wrote:</span></div>
<blockquote type="cite" style="border-left-style:solid;border-width:1px;margin-left:0px;padding-left:10px;">
<span><div><div><div>Giovanni Bajo wrote:</div><blockquote type="cite"><div><div>On 11 Feb 2013, at 13:25, Jesse Noller <<a href="mailto:jnoller@gmail.com">jnoller@gmail.com</a>> wrote:</div><div><br></div><blockquote type="cite"><div>Actually I was thinking about this in the shower: the likelihood that pypi users used the same passwords as they did on the wiki is probably much higher than any of us assume.</div></blockquote><div><br></div><div>Given that the passwords were unsalted in both instances, a set intersection is enough to verify.</div></div></blockquote><div><br></div><div>The moin wiki passwords were salted.</div><div><br></div><div>The reason we reset the passwords was that the attackers had</div><div>access to both the salt and the hashes.</div><div><br></div></div></div></span></blockquote><div>What were they hashed with? Even with a salt a fast hash is trivial to</div><div>brute-force for a large number of passwords in practically no time</div><div>with trivial hardware. </div><div><br>
</div>
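<p>The two claims in the thread above (that unsalted hashes let an attacker detect password reuse by plain set intersection, and that a salt does not save a fast hash from a dictionary attack once the salt is known) can be demonstrated with a few lines of code. What follows is an added example written for this page; it is not code from the thread, from PyPI or from MoinMoin. The hash algorithms (SHA-1 with and without an 8-byte salt, PBKDF2-HMAC-SHA256 as the slow comparison), the wordlist and the user databases are all constructed assumptions chosen to illustrate the argument, not a description of what either site actually used.</p>

```python
import hashlib
import hmac
import os
import time

# Constructed sample data (assumption, not from the thread): a tiny
# wordlist standing in for a real dictionary, and two toy user tables.
WORDLIST = ["letmein", "python", "correcthorse", "hunter2",
            "password1", "wiki2013", "trustno1"]
USERS_SITE_A = {"alice": "hunter2", "bob": "python",
                "carol": "trustno1", "dave": "xK9#vQ2!pL"}
USERS_SITE_B = {"alice": "hunter2", "bob": "letmein",
                "carol": "trustno1", "dave": "xK9#vQ2!pL"}


def unsalted_sha1(pw: str) -> str:
    return hashlib.sha1(pw.encode()).hexdigest()


def salted_sha1(salt: bytes, pw: str) -> str:
    # Assumed "fast salted hash": one SHA-1 over salt || password.
    return hashlib.sha1(salt + pw.encode()).hexdigest()


def slow_pbkdf2(salt: bytes, pw: str) -> bytes:
    # Assumed slow KDF for comparison: 50k iterations of HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)


# --- Unsalted case: reuse is visible without cracking anything ---------
def build_unsalted_db(users: dict) -> dict:
    return {name: unsalted_sha1(pw) for name, pw in users.items()}


def reused_by_intersection(db_a: dict, db_b: dict) -> list:
    """Users whose hash from site A also appears in site B.

    With no salt, equal passwords give equal hashes, so intersecting the
    two hash sets reveals reuse directly; no wordlist is needed.
    """
    common = set(db_a.values()) & set(db_b.values())
    return sorted(name for name, h in db_a.items() if h in common)


# --- Salted case: intersection fails, but cracking is still cheap ------
def build_salted_db(users: dict) -> dict:
    db = {}
    for name, pw in users.items():
        salt = os.urandom(8)           # per-user random salt, stored beside the hash
        db[name] = (salt, salted_sha1(salt, pw))
    return db


def crack_salted_db(db: dict, wordlist: list) -> dict:
    """Dictionary attack when the attacker holds both salt and hash.

    The salt only forces the attacker to re-hash the wordlist once per
    user; for a fast hash that is microseconds of work per candidate.
    """
    cracked = {}
    for name, (salt, digest) in db.items():
        for guess in wordlist:
            if hmac.compare_digest(salted_sha1(salt, guess), digest):
                cracked[name] = guess
                break
    return cracked


def reuse_across_sites(cracked_a: dict, cracked_b: dict) -> list:
    """Reuse detected by comparing the recovered plaintexts per user."""
    return sorted(u for u in cracked_a
                  if u in cracked_b and cracked_a[u] == cracked_b[u])


def seconds_per_guess(hash_fn, rounds: int) -> float:
    """Average wall-clock cost of one candidate with the given hash."""
    salt = os.urandom(8)
    t0 = time.perf_counter()
    for _ in range(rounds):
        hash_fn(salt, "password1")
    return (time.perf_counter() - t0) / rounds


if __name__ == "__main__":
    a, b = build_unsalted_db(USERS_SITE_A), build_unsalted_db(USERS_SITE_B)
    print("unsalted, reuse by set intersection:", reused_by_intersection(a, b))

    sa, sb = build_salted_db(USERS_SITE_A), build_salted_db(USERS_SITE_B)
    ca, cb = crack_salted_db(sa, WORDLIST), crack_salted_db(sb, WORDLIST)
    print("salted SHA-1, cracked:", ca)
    print("salted SHA-1, reuse after cracking:", reuse_across_sites(ca, cb))

    fast = seconds_per_guess(salted_sha1, 2000)
    slow = seconds_per_guess(slow_pbkdf2, 10)
    print(f"cost per guess: sha1 {fast:.2e}s, pbkdf2 {slow:.2e}s "
          f"(x{slow / fast:,.0f} slower)")
```

<p>Running it shows the three points in order: with unsalted hashes the intersection names alice and carol without touching a wordlist; with per-user salts the same two users are still exposed as soon as each hash has been run through the dictionary, and only dave (whose password is not in the list) survives; and the per-guess cost of the salted SHA-1 is orders of magnitude below the PBKDF2 call, which is the whole difference between "salted" and "expensive to guess" that the question "What were they hashed with?" is getting at.</p>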