On Mon, 19 Jun 2017 04:48:16 -0000 "Andre Robatino" <robatino@xxxxxxxxxxxxxxxxx> wrote: > That works as long as the website isn't hacked. If it is, even if the > passwords are hashed (which they often aren't), the hash can be > cracked if the password is weak. How? Don't the attackers have to know the password hashing algorithm to do that? If they have enough penetration into the system to know that, couldn't they just capture the passwords when they were unhashed? i.e. could it have been that they let paypal know they had been compromised, so that a program they left on paypal's systems could report the unhashed passwords when paypal told their users to reset their passwords? _______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx