• barsquid@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    2
    ·
    6 months ago

    You’re incorrect. If they salt the hash and use bcrypt it is computationally infeasible for Microsoft to match it against a customer. Or at least expensive enough that Microsoft would insist on warrants and subpoenas.

    • sudneo@lemm.ee
      link
      fedilink
      English
      arrow-up
      1
      ·
      6 months ago

      Computationally infeasible? It’s as expensive if every user made a single login (if they use bcrypt for passwords).

      They don’t need to do it for every user, they need to do it for one only. Salting is fairly irrelevant in this context. And we are talking about resources for Microsoft, or Google, or Apple. And this is also assuming they can’t further segment the customers by other metadata, such as location (in this case for example, Spanish users), which will drastically reduce the number of users to try. If every Spanish person had a user, you need 47kk hashes. Years ago single rigs pumped more than 10k bcrypt/s. That would be 1h of computation give or take? Assuming a fraction of that and not the immense computing power of big tech, it’s still something completely achievable for an investigation.