06-13-2018, 11:03 AM
Regarding the second vulnerability, we're going to fix it, but I'd like to point out a tech note. Because of the way our passwords are stored in the database, even figuring out someone's username does not make brute-forcing someone's password trivial or fast (unless they use a really common stupid one). The whole $2y$12 thing at the beginning of our passwords means that the server needs to do a LOT of work to check a password. It's impossible to speed that up. It doesn't make our sites completely brute-force proof, but it takes long enough per guess that it's very brute-force resistant. Also, if you change the 12 to 13 on your password hashing it makes it take twice as long, and 14 is twice as long as 13.
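The `$2y$12$` prefix the post describes is what PHP's `password_hash()` emits for bcrypt at cost 12, so the following is an added PHP example (not code from the forum software or from the poster) that shows what that cost parameter does: it hashes a constructed sample password at costs 12, 13 and 14, times a verification at each so the doubling per step is visible on your own hardware, shows that a wrong guess costs the same work, and uses `password_needs_rehash()` to migrate an existing hash to a higher cost at next login. The sample password and the chosen costs are assumptions for illustration.

```php
<?php
// Added example of bcrypt cost handling with PHP's built-in password API.
// Not part of the forum software; the sample password is a constructed value.

// Hash a password with bcrypt at the given cost; the result starts "$2y$<cost>$".
function hashAtCost(string $password, int $cost): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Time one verification in milliseconds. Verifying has to redo the whole
// key-derivation work, so this is also the work an attacker pays per guess.
function verifyTimeMs(string $password, string $hash): float
{
    $start = hrtime(true);
    $ok = password_verify($password, $hash);
    $elapsedMs = (hrtime(true) - $start) / 1e6;
    if (!$ok) {
        throw new RuntimeException('verification unexpectedly failed');
    }
    return $elapsedMs;
}

$password = 'correct horse battery staple'; // constructed sample value

// Each +1 on the cost doubles the number of bcrypt rounds, so the verify
// time should roughly double from one line to the next.
foreach ([12, 13, 14] as $cost) {
    $hash = hashAtCost($password, $cost);
    $ms   = verifyTimeMs($password, $hash);
    // password_get_info() reads the cost back out of the "$2y$NN$" prefix.
    $info = password_get_info($hash);
    printf("cost=%2d prefix=%s verify=%.0f ms\n",
        $info['options']['cost'], substr($hash, 0, 7), $ms);
}

// A wrong guess is rejected, but only after the same full amount of work.
var_dump(password_verify('password123', hashAtCost($password, 12)));

// Raising the site-wide cost does not touch stored hashes; the usual pattern
// is to check on a successful login and rehash with the new cost then.
$stored = hashAtCost($password, 12);
if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 13])) {
    $stored = hashAtCost($password, 13); // new hash now begins "$2y$13$"
}
echo substr($stored, 0, 7), "\n";
```

Run it once on the production hardware to pick a cost: the usual rule of thumb is the highest cost whose verification time is still acceptable for a login, since the same per-guess delay is what slows an offline attacker down. The rehash-on-login step matters because hashes created under the old cost keep that cost until the user authenticates again.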