The headline is misleading. Roku didn’t get hacked and leak accounts. There were ~15000 customers that had accounts accessed due to credential stuffing. Aka, they reused passwords on other sites that had leaks and hackers tried those credentials on their Roku accounts and got into them.
Yeah, but then both OP and The Verge wouldn’t have such a juicy headline for sick internet points and clicks.
It’s more accurate to say “~15,000 Roku users were hacked due to reused passwords”, and reusing passwords is one of the worst things you can do security-wise because if your password got leaked on one website (doesn’t even need to be the full password, just the hash would work), you are now entirely compromised everywhere you reuse that password.
Assuming the hashes aren’t salted. Salting has been standard for years if not decades at this point.
But of course that won’t stop people from rejecting mature libraries and rolling their own insecure implementations.
My doctor says I should reduce my cholesterol and sodium intake. No salted hash for me, thanks.
The salt is stored in the same table as the hash. All the salt does is prevent super easy rainbow table attacks. You can still attack the passwords with brute force. Most people still use simple passwords that barely satisfy password requirements like `password1!`. There are freely available cracking algorithms that target the same “clever” password patterns that everyone uses. It greatly reduces the time it takes to crack passwords, and if you have a table with a million passwords in it, it’ll only take a couple days on a few GPUs to crack 15,000 of the simpler ones.
That’s… very very different.
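As an added illustration of the salting discussion above (example code, not from the thread or from Roku): a per-user random salt stored next to a memory-hard scrypt digest, plus a registration check that rejects the "dictionary word padded with a digit and a symbol" pattern the comments describe. The short base-word list is constructed for the example; a real deployment would check against a large breached-password list.

```python
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

# Constructed for this example; a production check would use a large
# breached-password corpus rather than a handful of base words.
COMMON_BASES = {"password", "qwerty", "letmein", "welcome", "roku"}
# A lowercase word, then up to four digits, then up to two symbols:
# exactly the shape that satisfies most complexity policies with no entropy.
PATTERN = re.compile(r"^([a-z]+)\d{0,4}[!@#$%^&*?]{0,2}$")


def is_predictable(password: str) -> bool:
    """True if the password is a common base word padded just enough
    to satisfy a typical complexity rule (e.g. password1!)."""
    m = PATTERN.match(password.lower())
    return bool(m) and m.group(1) in COMMON_BASES


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The random per-user salt defeats precomputed
    rainbow tables; scrypt's memory-hard cost is what actually slows guessing.
    Both values are stored in the same row, as the comment above notes."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def register(password: str) -> Optional[Tuple[bytes, bytes]]:
    """Refuse predictable passwords before they are ever stored;
    returns the (salt, digest) pair to persist, or None if rejected."""
    if is_predictable(password):
        return None
    return hash_password(password)
```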