As a programmer, one of the things that really annoys me about this latest data dump is that almost every single website involved used weak, insecure hashing strategies to store user passwords.
When storing passwords, it's important to assume that you will one day be hacked, and that the hackers will gain access to your password database. So the best practice is to only store passwords in a form that makes them impossible to use.
To do this, you combine the password with a randomly generated value called a salt (like sprinkling some salt on it, get it?) and then you run the password and salt through a one-way hashing algorithm, which is an algorithm that converts data into other data in such a way that it's impossible to convert it back to the original data.
For example, if my password is correct horse battery staple, then a hashed and salted version using the widely recommended bcrypt password hashing algorithm would look like this:
It's mathematically impossible to reverse (or "decrypt") that hash because the hash value doesn't actually contain the original password; it was only derived from the original password. So the result is that even if someone has your password database, they can't see what the actual passwords were before they were hashed, and they can't reverse the hashes, which means they can't use the passwords to log into the hacked website or any other website.
The scary thing is that it seems like almost every website does this wrong or not at all. 😞
Many of the websites involved in this hack used a weak hashing algorithm like MD5, or they failed to include a random salt in the hash, both of which can make it feasible for hackers to brute force the hashed passwords — which means they simply use a fast computer (or fleet of fast computers) to compute every possible hash for every possible password until they find the one that matches the hash, and then they know your password. With a weak hash, this computation is much easier. And without a salt, hackers can precompute large tables of values that they can then use to rapidly arrive at the original passwords.
There's no reason, in 2019, that websites should still be making these same careless mistakes. It's basically programmer malpractice, and it makes me so angry. 😡