So, Cloudflare analyzed passwords people are using to log in to sites they protect and discovered lots of re-use.

Let me put the important words in uppercase.

So, CLOUDFLARE ANALYZED PASSWORDS PEOPLE ARE USING to LOG IN to sites THEY PROTECT and DISCOVERED lots of re-use.

https://blog.cloudflare.com/password-reuse-rampant-half-user-logins-compromised/

#cloudflare #password #cybersecurity


Discussion

They have access to hashed passwords. Like every server you log in to does.

You misunderstand the article

Wait, how? An array of password hashes from pwned lists is compared to an array of password hashes in current use. 41% are the same hash. Meaning even after exposure people use the same passwords. What did they misunderstand? That's what I gleaned from it.
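The comparison this comment describes, as an added example that is not part of the thread or Cloudflare's code: hash each password seen at login the same way the breach list was hashed and look the digest up. It assumes the breach list is unsalted SHA-1 hex digests (the form the public Pwned Passwords corpus uses); the breach entries and the sample logins are constructed here. It also shows a prefix-range lookup, so the full digest never has to be sent to whoever holds the list.

```python
import hashlib

def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest, the format assumed for the breach list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Constructed breach list (not real leaked data): digests of a few weak passwords.
BREACHED_SHA1 = {sha1_hex(p) for p in ("password1", "letmein", "qwerty123")}

# Constructed sample of passwords as they arrive at login time. Whoever terminates
# TLS sees them in plaintext at this moment; only the digest is compared below.
SAMPLE_LOGINS = [
    "password1",
    "Tr0ub4dor&3",
    "letmein",
    "correct horse battery staple",
    "qwerty123",
]

def is_breached(password: str, breached=BREACHED_SHA1) -> bool:
    """Direct lookup: the digest of the submitted password is in the breach set."""
    return sha1_hex(password) in breached

def reuse_rate(login_passwords, breached=BREACHED_SHA1) -> float:
    """Fraction of login attempts whose password digest appears in the breach list."""
    if not login_passwords:
        return 0.0
    hits = sum(1 for p in login_passwords if is_breached(p, breached))
    return hits / len(login_passwords)

def prefix_bucket(prefix: str, breached=BREACHED_SHA1) -> set:
    """Range query: return the suffixes of every breached digest sharing `prefix`.
    The holder of the list learns only the prefix, not the full digest."""
    return {h[len(prefix):] for h in breached if h.startswith(prefix)}

def is_breached_via_bucket(password: str, breached=BREACHED_SHA1, k: int = 5) -> bool:
    """Client side of the range query: send the first k hex chars, match the
    rest locally. With k=5 the server cannot tell which of the ~2^140 digests
    behind that prefix was being checked."""
    digest = sha1_hex(password)
    return digest[k:] in prefix_bucket(digest[:k], breached)

if __name__ == "__main__":
    print(f"reuse rate over sample: {reuse_rate(SAMPLE_LOGINS):.0%}")
    for p in SAMPLE_LOGINS:
        print(f"{p!r:35} breached={is_breached_via_bucket(p)}")
```

The breach list only has to be hashed the same way as the lookup; if a site stores bcrypt or Argon2 hashes with per-user salts, those stored hashes cannot be compared against an external list at all, which is why this kind of check has to run at the moment the plaintext is present.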

They have access to the plaintext password. They are MITMing all websites using their services.

"When we perform these checks, Cloudflare does not access or store plaintext end user passwords."

I mean they could be lying but the article says the opposite.

WHEN THEY PERFORM THE CHECK. But by design Cloudflare routes your "proxied" traffic through their servers first, with their certificates. They have 5 levels:

- Off (no SSL)
- Flexible (MITM and the server gets no SSL request)
- Full (MITM, your server gets SSL requests)
- Full strict (MITM and they enforce the MITM)
- Strict (MITM)

"I have all this data, but don't worry when I check the passwords I only look at the hashed data!"

Lol, yeesh, I need to research them more. I just self-host so much of my shit I almost forget how much people trust nameless faceless orgs with their data.

It's all good. Not like they haven't been collecting IP addresses, browsing habits and passwords for a decade now. At some point they'll argue that only bad people want to have privacy.

Could they be analyzing the password hash in actuality?