Mastodon does not store passwords in plain text. This is trivial to confirm as Mastodon is an open-source project. We use the bcrypt algorithm for one-way hashing of passwords. I can't believe someone is spreading misinformation about something so trivial to debunk.

The tweet with the misinformation got shared 1395 times, my response 85 times...

@Gargron I'm quite confused, since the owner's post on the blue bird app said that this app stores passwords in plaintext... I mean, it's almost impossible, since it's easy to get attacked, yet you give us the security details in the documentation.

Logically.

@Gargron
As a suggestion, would it be helpful to put something about this in the notification section?

@Gargron
lol, anyone that has ever programmed anything with a password knows that if you try to view it in the script, it's just a black box, from my experience anyway...

Arisu 🏳️‍🌈, it's a KDF, not a hash function. It serves a different purpose. Password-based key derivation functions usually are deliberately computationally expensive as their output is then used as an encryption key so it's extremely important to protect against brute forcing. Some take literally seconds. Why would you put this much load on a server though?

@grishka Because of improved security. I don't know enough about security to say anything, but searching got me to think the security benefits are worth it.

@Gargron I was quite surprised at first, but even though this announcement can make us relieved, could you please assure us that we will be able to enjoy this platform? Thanks for the explanation!

@Gargron I'm still trusting this platform though. Thanks, Eugen.

@Gargron Eugen, just please. I don't know anything about code blabla, I just want to roleplay happily because Twitter sucks. :cate: :angery: :cwy: :cwy: :cwy: :cwy: :cwy: :cwy:

@Gargron was the bug with special chars in password fixed?

@vigdis This is not an issue with special characters, nor is it an issue in the true sense of the word. The bcrypt algorithm works on 72 bytes; anything beyond that makes no difference. This is a comparatively arcane topic that is disingenuous to bring up in the context of this thread. If you'd like, you should bring this topic up with the developers of the bcrypt gem or Devise.
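The two technical points in this thread, that Mastodon stores only a slow, salted, one-way bcrypt hash of the password, and that bcrypt looks at no more than the first 72 bytes of its input, in runnable form. This is an added example and not Mastodon's, Devise's or the bcrypt gem's code: it uses PBKDF2-HMAC-SHA256 from Ruby's standard library as a stand-in for bcrypt so that it runs without the gem, and it models the 72-byte limit with a byte-slice check rather than calling bcrypt. The record format, iteration count and all function names are this example's own assumptions.

```ruby
require 'openssl'
require 'securerandom'

# bcrypt (what Mastodon uses through Devise) reads at most 72 BYTES of the
# password; anything after that does not change the hash. The limit is in
# bytes, not characters, so multibyte UTF-8 input reaches it sooner than ASCII.
BCRYPT_INPUT_LIMIT = 72

# True when bcrypt would silently ignore the tail of this password.
def bcrypt_truncates?(password)
  password.bytesize > BCRYPT_INPUT_LIMIT
end

# Model of bcrypt's behaviour (not a call into bcrypt): two passwords whose
# first 72 bytes match hash identically, however they differ after that.
def bcrypt_would_collide?(a, b)
  a.byteslice(0, BCRYPT_INPUT_LIMIT) == b.byteslice(0, BCRYPT_INPUT_LIMIT)
end

# Deliberately slow, salted, one-way hashing. PBKDF2-HMAC-SHA256 from the Ruby
# standard library stands in for bcrypt here so the file runs without the gem.
# The record format "iterations$hex_salt$hex_hash" is this example's own, not Devise's.
DEFAULT_ITERATIONS = 100_000
HASH_LENGTH = 32

def derive(password, salt, iterations)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                           length: HASH_LENGTH, hash: 'sha256')
end

def hash_password(password, iterations: DEFAULT_ITERATIONS)
  salt = SecureRandom.random_bytes(16) # fresh per password: same password, different records
  "#{iterations}$#{salt.unpack1('H*')}$#{derive(password, salt, iterations).unpack1('H*')}"
end

# Re-derive with the stored salt and cost and compare. The record holds no
# plaintext, and the only way back from the hash is to guess and re-derive.
def verify_password(record, candidate)
  iterations, salt_hex, hash_hex = record.split('$', 3)
  expected = [hash_hex].pack('H*')
  actual   = derive(candidate, [salt_hex].pack('H*'), Integer(iterations))
  constant_time_equal?(expected, actual)
end

# Touch every byte regardless of where the first mismatch is, so response time
# does not reveal how much of the hash a guess matched.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

if __FILE__ == $PROGRAM_NAME
  record = hash_password('correct horse battery staple')
  puts "stored record:      #{record}"
  puts "right password:     #{verify_password(record, 'correct horse battery staple')}"
  puts "wrong password:     #{verify_password(record, 'Correct horse battery staple')}"
  puts "72 ASCII bytes ok:  #{!bcrypt_truncates?('a' * 72)}"
  puts "40 x 'é' truncated: #{bcrypt_truncates?('é' * 40)}" # 80 bytes of UTF-8
  puts "tail ignored:       #{bcrypt_would_collide?('a' * 72 + 'X', 'a' * 72 + 'Y')}"
end
```

With the bcrypt gem installed, the same truncation property can be checked against the real algorithm: `BCrypt::Password.create('a' * 72 + 'X') == 'a' * 72 + 'Y'` evaluates to true. The `bcrypt_truncates?` check is the kind of thing a sign-up form can use to reject or warn about passwords whose tail bcrypt would ignore; it counts bytes, because that is what bcrypt counts.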

@Gargron Then maybe it would make sense to close the GH issue?

@Gargron Eugen, please don’t betray us, take care of this platform! If it grows this will become a big platform and will be used by many people, I hope you can protect your user data. Have a nice day!

@Gargron Please make this simple, because I'm dizzy looking at someone with the same username but a different domain.

@Tenlee_1001

This is normal - many people here register one or more "alt" accounts on another Mastodon instance in case their main one has to be temporarily closed for maintenance (or for posting in different languages or different things they do).

Usually they are the same person (check the profiles carefully though).

If you look at mine, you can see I am also on chaos.social where I am @vfrmedia

social.tchncs.de/@vfrmedia

@gargron

@Tenlee_1001 It works kinda like email, multiple servers exist and including the domain distinguishes them.

@Gargron I JUST WANNA THANK YOU BECAUSE YOU MADE THIS PLATFORM. SERIOUSLY, I HATE JACK BECAUSE HE ATE MY ACCOUNTS ON TWITTER WITH NO REASON. WE NEED A HAPPY PLACE JUST TO ROLEPLAY.

AARRRRGGHHHH THERE ARE SO MANY THOUGHTS I WANT TO SAY.

sorry :angery: :angery: :cate: :cate: :cate: :cate: :cwy: :cwy: :cwy: :cwy:

@Gargron Eugen, I wanna say please just stay like this. Respond fast and listen to Mastodon users, since you are the owner, because we need a master-nim (?) like that. It is just like you are the king of this platform (?)

What did I just say :cate: :cate: :cate: :cate: okay sorry.

@wooseok Looking at it, bro Wooseok has been struggling nonstop since earlier 😂

@wooseok JACK REALLY IS A JERK, HE KEEPS GETTING MORE ANNOYING LATELY

@Gargron Whoever spreads news that isn't necessarily true is really bad.

@Gargron I was very surprised when I read the fake news. Thank you for confirming that this is not true. Let's do the best development for the app. Cheer up!!

@Gargron

Coming back to this thread 30 min later.. >.< ...lol, if people ever knew exactly how much information internet giants collected from them, they'd be deleting their accounts faster than this rumor was spreading. haha

@Gargron

It's difficult to make sense of that #Twitter post, but I think the part where he says “minutes after I signed up…” may be relevant.

To me, that would indicate the possibility of an #MITM, 3rd party script or similar #compromise in the Mastodon.social instance.

Have you looked into that?

@0 I have looked into it and haven't found anything

@Gargron I don't think this is about technical things; this is about envious capitalists, because they cannot put ads on this platform.

@papamogul @Gargron

Something along those lines, I'd imagine. Bright side, it's generated publicity; maybe when it comes full cycle people will realize this is safer than the social network they were already using :/

Hello @Gargron thank you for your work 🙂
I trust Open Source Software and I trust you 👍
Thank you for the information (even if the initial fake news didn't come to me)

@Gargron Bcrypt is a pleasure to use, it's as easy as plain text. Why not use it?

@Gargron And now you see how misinformation works. People like to be offended more than they like to know the truth.

SCIENCE: Empirical Experiment By @Gargron Suggests That A Juicy Untruth May Travel As Quickly As Six Times The Speed Of Truth!

@Gargron You are in the right here. That complaint showed no evidence of compromise being traced back to mastodon.social, and did indicate account and password reuse... which means any of the sites that email was used at could be at fault.

Although it was more likely a drive-by password spray and a weak password that caused his breach... statistically speaking.
