this post was submitted on 09 Aug 2023
72 points (100.0% liked)

Asklemmy

I noticed that there were some accounts that were hijacked by the instance owners. All the posts from that user were then edited to say what happened.

This kind of surprised me, I figured instances could delete posts, but not edit them. So how much control do they have?

I assume they can't see my password (hopefully). Can they post in my name? Do they have all the access to my posts to foreign instances that they do over local posts?

Edit: thanks for all the responses everyone! I've wanted my own instance for a while, but maybe I'll get on it now

[–] [email protected] 3 points 11 months ago (2 children)

Just want to add some detail to what everyone is saying about passwords. From what I understand, by default, Lemmy uses the bcrypt hashing function to store passwords. This is a fantastic choice. The great thing about hashing a password is that there is no way to go from the hash back to the password. It's mathematically impossible, since the process loses information. This is different from encryption where there is a mathematical way to recover the original data from the ciphertext.

So great, no recovering passwords! Well... Not exactly. While there is no way to calculate the password from the hash, the neat thing about hashing algorithms is that the same input, run through the same function, will always produce the same output. And since we know Lemmy uses bcrypt, and a sufficiently motivated attacker could look at the code and figure out all the variables that go into the bcrypt function in Lemmy, an attacker can know exactly how your password was hashed. They can make a guess at your password, run it through the function and see if that matches the hash stored in the database (this is actually how you are authenticated when logging in). If they do that a lot of times, they might be able to guess your password this way. This is basic brute forcing of a password, and there are pre-built tools to do this.

Extending that brute force attack further: people are bad at picking passwords. Most people's passwords follow similar patterns and have similar words in them. If you get such a list of words and use it to make up the guesses using common patterns, this can greatly speed up the guessing of passwords. And, wouldn't you know it, this also has pre-built lists and tools to do it. It's dead simple. Take a class on hacking and you'll likely be doing this on day 1. Day 2 if the instructor eats up a lot of time going over the syllabus.

So, what's the defense against this? Well, two things:

  1. Unique passwords - and not just a common password with an easy to guess change. Having "Password1" here and "Password2" over there isn't smart, no matter how smart your version of "Password" is. I mean real, complex, unique passwords. Give up memorizing them, or even knowing what they are. Get a good password vault (e.g. KeePass or BitWarden), and use that to both generate and store passwords. Protect that with a long passphrase (a sentence, with capitalization and punctuation) which you can remember.
  2. Multi-factor authentication (MFA) - This can be limited to stuff which you really care about. If someone hacks your PornHub account, you probably don't care. If someone hacks your bank account, you probably do care. There's a whole discussion on MFA and what types are better; but, if you can enable it on a site you don't want compromised, use what's offered.
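An added example, not from the comment above or from Lemmy's code, showing the mechanics that comment describes: a password is never stored, a login check re-runs the same slow, salted function and compares, and a random per-user salt means two users with the same password get different stored records. It uses PBKDF2 from Python's standard library as a stand-in for bcrypt (which is not in the stdlib); the record format, function names and iteration count are assumptions for the demo.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Work factor. bcrypt expresses this as a "cost" exponent; PBKDF2 as an
# iteration count. Either way the goal is to make every guess expensive.
DEFAULT_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record 'iterations$salt$digest' (hex fields).

    Nothing in the record lets anyone compute the password back; it is a
    one-way function, exactly as the comment describes for bcrypt.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, record: str) -> bool:
    """Login check: hash the supplied password with the stored salt and
    iteration count, then compare. Same input, same function, same output."""
    iterations, salt_hex, digest_hex = record.split("$")
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    # constant-time compare so the check does not leak how much matched
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def same_password_different_records(password: str) -> bool:
    """Two users with the same password get different stored records because
    the salt differs, so one precomputed guess list cannot serve both."""
    return hash_password(password) != hash_password(password)


def seconds_per_guess(iterations: int) -> float:
    """Measure how long one guess costs at a given work factor; raising the
    work factor is what slows down a brute-force attacker."""
    start = time.perf_counter()
    hash_password("any guess", salt=b"\x00" * 16, iterations=iterations)
    return time.perf_counter() - start
```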
[–] [email protected] 1 points 11 months ago* (last edited 11 months ago) (1 children)

That is a lot of words to say ‘they can’t see your password, but they can try to guess it. Make a secure password and you won’t have any problems’

[–] [email protected] 1 points 11 months ago

That's a fair critique. However, I find the advice "Make a secure [unique] password and you won’t have any problem" is often given, without any explanation as to "why" that advice is given. As someone who likes to know the "why" behind things like this, I like to give that detail as well.