In the real world, finding an input that produces the right hash output isn’t easy. And because a lot of users reuse passwords (don’t do it, but people do), a list of emails and passwords gives you an incredibly lazy and easy to do way to compromise accounts on other sites.
Reminds me of a funny moment in my IT internship, ahead of an audit one of the sysadmins came over and was saying “yeah so I pulled all of the department password hashes to check for weak/compromised accounts and noticed one person has the same sysadmin and user password hash” and my boss went “wait everyone doesn’t do that?” And after realizing they outed themselves turned bright red and changed their admin password
In the example yes.
In the real world, finding an input that produces the right hash output isn’t easy. And because a lot of users reuse passwords (don’t do it, but people do), a list of emails and passwords gives you an incredibly lazy and easy to do way to compromise accounts on other sites.
Reminds me of a funny moment in my IT internship, ahead of an audit one of the sysadmins came over and was saying “yeah so I pulled all of the department password hashes to check for weak/compromised accounts and noticed one person has the same sysadmin and user password hash” and my boss went “wait everyone doesn’t do that?” And after realizing they outed themselves turned bright red and changed their admin password