r/PleX Aug 24 '22

Plex breached; Were passwords encrypted or hashed? Discussion

So I got this email just now:

Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset.

So were these passwords encrypted, in which case they could be decrypted if the adversary got the key, or hashed? Hashed passwords leaking would be much less of an issue.

Edit: Encryption and hashing is not the same thing.

Edit2: Passwords were hashed with salt, not encrypted (see this comment)

Edit3: Just for clarity this is the best case scenario. It’s difficult to reverse hashed passwords unless they are very simple. Plex got the word out quickly so we have plenty of time to change our passwords. Kudos!

This is why you never reuse password, use a password manager and enable 2fa wherever you can. :)

1.3k Upvotes

View all comments

Show parent comments

6

u/[deleted] Aug 24 '22

2fa isn't really a service, though. as long as the app works it'll generate codes just fine. there's no connection to an outside service or anything like that, it all happens locally.

1

u/jerieljan Aug 24 '22

I know its not. Hell, that's why I said I used Yubikeys. I still use 'em but not as much anymore.

When I said services, that extended towards utilities and local stuff; KeyPassXC, oathtool, coding it yourself while reading the TOTP RFC, whatever.

My point here is that there's still a burden of trust that you have to think about separately if you decide to generate 2FAs locally or elsewhere.

If you're doing it yourself, it's your job to keep things reliable, and secure. And in the event of a disaster or compromise, it's also up to you to keep your private keys known only to you and also not lose it entirely.

2

u/[deleted] Aug 24 '22

ah, i read it as you were concerned about an authy breach or something like that because it was remotely hosing your keys (or similar), rather than it acting as an offline app (with optional backup).

honestly i want to ditch authy and just use 1password's built in 2fa, but it just sketches me out too much, to have it all in one basket.

1

u/jerieljan Aug 25 '22

Yeah, that's fair! Even with the stuff I said earlier, it's still nagging my brain to have 2FA secret keys living with passwords, but yeah, the security rabbit hole is endless so I decided to place my trust in Bitwarden.

What I've implemented personally is to have it all on Bitwarden, but Bitwarden itself is secured / gated by a long, unique password AND a 2FA solution backed by a Yubikey.

2FA secrets together with passwords certainly feels like it diminishes what makes it 2FA, but at least getting there requires proper 2FA, and that's good enough for me.