Anyone seeing disclosure of what password hashing algorithm Plex uses on their back end?
[Edit: Aaron Toponce ⚛️:debian: (npub1t9c…8529) discovered a thread showing bcrypt:
https://fosstodon.org/@atoponce/115172271450263878 ]
There are three kinds of org postures relative to disclosure of password-hashing algorithm:

1. Orgs confident enough in their selection of algorithm that they *know* that there is no harm in disclosing it
2. Orgs who know they're doing it badly and want to keep it a secret
3. Orgs who won't disclose their algorithm because the PR team has no idea how the passwords are hashed, and internal comms are spotty enough that the information can't reach the public
Note that a mix of 1 and 3, or 2 and 3, are also possible.
1 alone is a sign of security maturity. If 2 or 3 is in play, there's room for improvement ... for different reasons, but both are indicators of security immaturity.
Practitioners: Which type is your org?
Reporters: Are you probing orgs to find out which type they are?
Normalize hash-type disclosure.