this post was submitted on 26 May 2025
562 points (96.2% liked)

Cybersecurity - Memes

2827 readers
1 users here now

Only the hottest memes in Cybersecurity

founded 2 years ago
MODERATORS
 
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 13 points 1 week ago (2 children)

This thread is just a series of people who think they understand.

Thinking you understand when you do not is the real cyber security threat.

This is a password reset form. This requires the user having successfully authenticated or gone through a password recovery form. The best practices in this instance are not the same as the best practices for a login form.

[–] [email protected] 2 points 1 week ago
  1. Aquire password database (it's properly hashed and salted)
  2. Create an account and access the password reset form
  3. Dig into the front-end code to find whatever is doing the hash calculations
  4. Brute-force a list of common passwords and look for matches

It would still take significant time, but it's still a vulnerability, especially as technology evolves. You're right that best practices are different for a reset form, but there are some things that are common (like don't do hashes in the front end).

[–] [email protected] 10 points 1 week ago (1 children)

This form can be used to brute force or dictionary guess passwords and infer what they are without a limitation on login attempts. Even if the password has already been invalidated on that service, finding a collision on this service gives you a password that might work on other services for the same email address/username

[–] [email protected] 1 points 1 week ago

And waiting for a form submit changes that in what way that cannot also be done on a debounce?