For password hashing, only short-output or broken hash functions have practical collision concerns. The odds of any random collision with a 256-bit hash, and not with a specific hash, are 50% at 2^128 inputs. Salting is a defense against precomputation attacks like rainbow tables and masking password reuse. Attackers crack password dumps by trying known password combinations, previously compromised passwords, brute force up to a certain length, etc., and using the hashing algorithm to compare the output.
You can check against the API with just the first characters of your hashed password (SHA-1 or NTLM), for example: https://api.pwnedpasswords.com/range/21BD1 or you can download the entire dataset.
It's not a database, it's just files. And they are hosted by Cloudflare so they can cope with a lot of downloads.
I think he should make the files smaller by removing the second half of the hashes, i.e. reduce it from 40 hex digits to 20. This increases the chance of a false positive (i.e. I enter my password, it says it was compromised but it wasn't, it just has the same hash as one that did) from 1 in 10^48 to 1 in 10^24 (per password), but that's still a huge number. (There are fewer than 10^10 people in the world, and they only have a few passwords each.) This will approximately halve the download, maybe more because the first half of each hash is more compressible (when sorted), while the second half is totally random.
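As an added example (not code from this thread, from HIBP, or from the commenters), the check described above can be run offline: hash the password with SHA-1, send only the first 5 hex characters to the range endpoint named in the thread, and compare the remaining 35-character suffix locally against the returned `suffix:count` lines. The network call is stubbed with a constructed response body; the counts and all suffixes other than the tail of SHA-1("password") are made up for the example. A `compare_suffix_chars` parameter lets you reproduce the truncated-hash proposal from the comment above and see the false positive it can introduce.

```python
import hashlib
import urllib.request

# Constructed stand-in for the body of https://api.pwnedpasswords.com/range/5BAA6
# (one "suffix:count" line per entry). Only the first suffix is the real SHA-1 tail of
# "password"; the counts and the other suffixes are made up for this example. The third
# line deliberately shares its first 15 characters with the first to show what a
# truncated comparison (20 hex digits total) would mistake for a hit.
SAMPLE_RANGE_BODY = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E5D1F3A0F1E2B2C5E7F9A8B7C6D5E4F3A2:2
1E4C9B93F3F0682FFFFFFFFFFFFFFFFFFFFF:5
"""


def sha1_upper_hex(password: str) -> str:
    """SHA-1 digest as 40 upper-case hex characters (the form the dataset uses)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def k_anon_split(password: str, prefix_len: int = 5):
    """Return (prefix sent to the API, suffix kept local)."""
    digest = sha1_upper_hex(password)
    return digest[:prefix_len], digest[prefix_len:]


def parse_range_body(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are skipped."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def offline_range_lookup(prefix: str) -> str:
    """Stand-in for the HTTP GET; knows only the constructed 5BAA6 range."""
    return SAMPLE_RANGE_BODY if prefix == "5BAA6" else ""


def live_range_lookup(prefix: str) -> str:
    """Real lookup against the range endpoint from the thread. Not called here."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, lookup=offline_range_lookup,
                 compare_suffix_chars: int = 35) -> int:
    """How many times the password appears in the range, 0 if absent.

    compare_suffix_chars=35 is the full comparison; 15 mirrors the proposal of
    keeping only 20 of the 40 hex digits, which can merge distinct entries.
    """
    prefix, suffix = k_anon_split(password)
    counts = parse_range_body(lookup(prefix))
    want = suffix[:compare_suffix_chars]
    return sum(c for s, c in counts.items() if s[:compare_suffix_chars] == want)


if __name__ == "__main__":
    print("full match:", breach_count("password"))                           # 3861493
    print("20-digit match:", breach_count("password", compare_suffix_chars=15))  # 3861498
```

Only the 5-character prefix ever leaves the client, so the service learns which of 16^5 ranges you asked about but not which of the hundreds of suffixes in that range was yours. Swap `offline_range_lookup` for `live_range_lookup` to query the real endpoint.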
> You are being purposefully obtuse here. HIBP is a very, very well established site with a long history of operating in good faith.
Allowing people to query and someone downloading the entire dataset is normally considered abuse, so being blocked is the expectation here. You're so dense you're bending light around you.
I remember when I was searching the file for some passwords my friends and family use, it took me a while to work out that number too. There are some passwords that many people seem to independently come up with and think must be reasonably secure. I suppose they are to the most basic of attacks.
Specifically, it leaks a kernel address inside a security-sensitive structure, which is supposed to be unpredictable / unknowable because the layout of kernel memory is randomized.
If you have another exploit that will write bytes under the attacker’s control to an attacker-supplied kernel address, you will be able to do the Windows equivalent of escalate to root.
I can't speak about the other password managers, but 1Password's architecture ensures even 1Password can't see any of your credentials. It's E2E Encrypted.
I've been a 1Password user for over a decade. It's user friendly, and I'd rather not have the responsibility to self-host my company and extended family's credentials.
My dad was obsessed with this game while I was growing up and I was so proud to learn how to use DOSBox so that he could play it again. A very formative game for me and I get a nostalgic itch to revisit it every few years. Just seeing the title, I can hear the music playing.
The author posted a link to an article[1] showing that Mississippi's retention policies were not responsible for the increase in scores.
> But I've gotten some plausible pushback from researchers who say that Mississippi has always held back lots of kids. In practice, the 2013 law didn't change anything.
> ...
> In 2017, the average age of a fourth grade class is a minuscule 0.01 higher than the 1998-2013 average. That's no difference at all. This proxy is strong evidence that Mississippi's retention policies never changed in practice, which means it's entirely kosher to just compare their scores normally before and after reform.