I noticed that there were some accounts that were hijacked by the instance owners. All the posts from that user were then edited to say what happened.

This kind of surprised me, I figured instances could delete posts, but not edit them. So how much control do they have?

I assume they can’t see my password (hopefully). Can they post in my name? Do they have all the access to my posts to foreign instances that they do over local posts?

Edit: thanks for all the responses everyone! I’ve wanted my own instance for a while, but maybe I’ll get on it now

  • sylver_dragon@lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    arrow-down
    1
    ·
    1 year ago

    Just want to add some detail to what everyone is saying about passwords. From what I understand, by default, Lemmy uses the bcrypt hashing function to store passwords. This is a fantastic choice. The great thing about hashing a password is that there is no way to go from the hash back to the password. It’s mathematically impossible, since the process loses information. This is different from encryption where there is a mathematical way to recover the original data from the ciphertext.

    So great, no recovering passwords! Well…Not exactly. While there is no way to calculate the password from the hash, the neat thing about hashing algorithms is that the same input, run through the same function, will always produce the same output. And since we know Lemmy uses bcrypt, and a sufficiently motivated attacker could look at the code and figure out all the variables that goes into the bcrypt function in Lemmy, an attacker can know exactly how your password was hashed. They can make a guess at your password, run it through the function and see if that matches the hash stored in the database (this is actually how you are authenticated when logging in). If they do that a lot of times, they might be able to guess your password this way. This is basic brute forcing of a password. and there are pre-built tools to do this.

    Extending that brute force attack further. People are bad at picking passwords. Most peoples’ passwords follow similar patterns and have similar words in them. If you get such a list of words and use it to make up the guesses using common patterns, this can greatly speed up the guessing of passwords. And, wouldn’t you know it, this also has pre-built lists and tools to do. It’s dead simple. Take a class on hacking and you’ll likely be doing this on day 1. Day 2 if the instructor eats up a lot of time going over the syllabus.

    So, what’s the defense against this? Well, two things:

    1. Unique passwords - and not just a common password with an easy to guess change. Having “Password1” here and “Password2” over there isn’t smart, no matter how smart your version of “Password” is. I mean real, complex, unique passwords. Give up memorizing them, or even knowing what they are. Get a good password vault (e.g. KeePass or BitWarden), and use that to both generate and store passwords. Protect that with a long passphrase (a sentence, with capitalization and punctuation) which you can remember.
    2. Multi-factor authentication (MFA) - This can be limited to stuff which you really care about. If someone hacks your PornHub account, you probably don’t care. If someone hacks your bank account, you probably do care. There’s a whole discussion on MFA and what types are better; but, if you can enable it on a site you don’t want compromised, use what’s offered.
    • James@lemmy.ca
      link
      fedilink
      arrow-up
      6
      ·
      edit-2
      1 year ago

      That is a lot of words to say ‘they can’t see your password, but they can try to guess it. Make a secure password and you won’t have any problems’

      • sylver_dragon@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        That’s a fair critique. However, I find the advice “Make a secure [unique] password and you won’t have any problem” is often given, without any explanation as to “why” that advice is given. As someone who likes to know the “why” behind things like this, I like to give that detail as well.