This is a fascinating premise. I wonder what "02rcV@gwBiE14N2e" says about me...
It should go without saying, but don't use your regular password for this site. There's no way they're using a unique salt for every password in their database, because otherwise it'd be impossible to match people based on the password. Without a unique salt, they're much more vulnerable to a rainbow table attack.
Yes, I am not using salt to decrease the time complexity of matching people. And I do agree that using your regular password here is a terrible idea :-)
They could definitely use a unique salt if they just check for matches on registration, login, or password change (when they have it in plain text). Still insecure because then you have the info that two different salted passwords have the same plaintext.
It seems to be looking for exact matches only, so a linear search against the entire user list should be fine, and should quite comfortable be adequate even for thousands of users, depending on hashing algorithm.
But you know the password that has just been entered. Iterate over every hashed password. Hash the plaintext password you know, using the salt from the hashed password. If it's a match, record that the 2 users matched. Loop to next hashed password.
If they were plaintext it wouldn't need a linear search because the column could be indexed.
What is a "regular password" in this context? For anything I'm concerned for the security of, I use a unique password, and for other things (accounts for job applications, my accounts on sites like Duolingo, Coursera, and others that I don't spend money on), I use the same password. I can't think of why I'd reuse a password for an account I actually care about.
It is an interesting premise but the more I think about it, the less I am impressed in the password aspect. I feel as if this reduces to the N = 1 case of: Ask N questions to all participants, match those that answer similarly for the most questions.
Why would you only ask a single question to determine best matches? And why would that question be of your password? Taking into account more information can only be better for matching people, right?
It says that you use a password manager and did not try to invent a slick password to be someone else.
So if you also were a woman in her 30-40, fair hair, sporty, liked art and science, did not like to travel, liked spending time with friends or code - you would be a great match.
Soooooo... if people use their standard password on this you'll be able to login as them as soon as you get any personally identifiable info - like email or FB account, right?
You'd have to be a moron to use a password that already you use anywhere else. Then again, people are generally morons. (Or, more charitably, they know very little about technology and opsec. Granted, that doesn't seem to be the Hacker News target audience.)
You'd have to be a moron to use your password AND give some other information that can be traced back to you or your accounts by the creator, passwords by themselves are practically useless.
I think you'd have to be a moron to give your password even if you don't knowingly give some information that can be traced back to you.
Even if nothing at all traces it back to you, it would be easy to add every received password to a dictionary for later consultation.
But besides that, the data can be linked to you if you ever knowingly give any identifying data to another website that the attacker here has control over (or, at least, can observe). If he sets a cookie, or remembers your ip address, or your browser fingerprint, there's every chance that he might later be able to find out your real email address.
which seems to be a cheap (albeit honest) trick to get money out of people, so it's quite plausible that this project is simply a cheap trick to get passwords out of people.
Hopefully it comes with a followup blog post with some interesting analysis, although I'm not sure what the overlap is between "interesting" and "ethical" with a data set like this.
Hopefully it does not come with a followup blog post from somebody else who finds all the data up for sale on a darknet market...
You could use something akin to the principle behind the Socialist millionaires problem, to compare two values without revealing them to another party.
This would be a great addition to my other sites. One finds matches based on your mothers maiden name, and the other finds matches based on your social security number.
I don't care if it's a honeypot, it's the best laugh I had today. Also, I'd be so interested in a large-scale study if this single data point correlates with anything.
47 comments
[ 3.4 ms ] story [ 107 ms ] threadIt should go without saying, but don't use your regular password for this site. There's no way they're using a unique salt for every password in their database, because otherwise it'd be impossible to match people based on the password. Without a unique salt, they're much more vulnerable to a rainbow table attack.
If they were plaintext it wouldn't need a linear search because the column could be indexed.
Why would you only ask a single question to determine best matches? And why would that question be of your password? Taking into account more information can only be better for matching people, right?
So if you also were a woman in her 30-40, fair hair, sporty, liked art and science, did not like to travel, liked spending time with friends or code - you would be a great match.
Otherwise nice password!
Even if nothing at all traces it back to you, it would be easy to add every received password to a dictionary for later consultation.
But besides that, the data can be linked to you if you ever knowingly give any identifying data to another website that the attacker here has control over (or, at least, can observe). If he sets a cookie, or remembers your ip address, or your browser fingerprint, there's every chance that he might later be able to find out your real email address.
Do not give your real passwords to this site.
which seems to be a cheap (albeit honest) trick to get money out of people, so it's quite plausible that this project is simply a cheap trick to get passwords out of people.
Hopefully it comes with a followup blog post with some interesting analysis, although I'm not sure what the overlap is between "interesting" and "ethical" with a data set like this.
Hopefully it does not come with a followup blog post from somebody else who finds all the data up for sale on a darknet market...
You could use something akin to the principle behind the Socialist millionaires problem, to compare two values without revealing them to another party.