Samantha Briasco-Stewart's Twitch Credential Checker is Impossible!

Twitch says it stores passwords with bcrypt (plausibly through Django's password hashers) and uses OAuth for third-party access such as the API. Neither of these is "asymmetric" cryptography. bcrypt is a salted, deliberately slow one-way password hash: the service never keeps the plaintext and cannot recover it from the stored digest. OAuth is a three-party delegation protocol (user, client application, authorization server) that hands the third party a token, so the user's password never reaches the API client either. Together these make a "leaked password checker" that scans Twitch's stored credentials against a breach corpus computationally infeasible rather than mathematically impossible: because every user has a different salt, each leaked password would have to be re-hashed under every individual salt, so the work is (users × leaked entries) slow bcrypt computations, with nothing to binary-search. That is a very different problem from Keychain alerting you to a leak: Keychain already holds your plaintext passwords behind symmetric encryption unlocked by your device credential, so it only has to look each one up in a leaked-password set (O(log n) by binary search over a sorted list, O(1) in a hash set), and the cost is linear in your own handful of passwords. The one check that is feasible on the service side is narrower: test a password against a breach corpus at login or password-change time, when the plaintext is momentarily in hand, which is a single lookup per login and not a scan of the stored hashes. Recovering plaintext from stored hashes, by contrast, is exactly what an offline cracking attack does, and it is something only attackers normally attempt. erosolar's LinkedIn post claims to have built such a checker on behalf of a two-trillion-dollar employer without saying how; until it explains the mechanism, the claim should be treated as unsupported.

While binary search is O(log n) per lookup on a sorted list, a hash-set lookup is O(1) on average, and either way Keychain's check costs one lookup per saved password, so it is linear in your own small set of personal passwords. For Twitch the corresponding n is the entire user base, and because each stored bcrypt hash carries its own salt, no single lookup can test one leaked password against every user at once; the check degenerates to one slow hash per (user, leaked entry) pair, an O(n²)-shaped cost when both sets are large. That ballooning scale is why a simple "checker" over the stored hashes does not work here.
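To make the cost argument concrete, here is an added example in Python (my own toy model, not Twitch's code and not anything from erosolar's post). It assumes PBKDF2-HMAC-SHA256 as a stand-in for bcrypt (the argument only needs a per-user salt and a deliberately slow hash, and both provide that), uses constructed sample users and a constructed leaked-password list, and contrasts the offline scan over a salted store, whose cost is users × leaked entries slow hashes, with the check that is feasible: testing a password at login or password-change time, when the plaintext is momentarily present, against a breach corpus indexed the way HIBP's Pwned Passwords range API is (five-character SHA-1 prefix to suffix set).

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample data (not real accounts and not real breach data).
SAMPLE_CREDENTIALS = {
    "alice": "correct horse battery staple",
    "bob": "hunter2",
    "carol": "Tr0ub4dor&3",
}
SAMPLE_LEAKED = ["hunter2", "password", "123456", "letmein"]

# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt. Both are salted and
# deliberately slow, which is all the cost argument depends on. The iteration
# count is kept low so the demo finishes quickly.
SLOW_ITERATIONS = 20_000


def slow_hash(password: str, salt: bytes) -> bytes:
    """Salted, intentionally slow one-way hash, as a bcrypt-style store uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, SLOW_ITERATIONS)


def make_user_store(credentials: dict) -> dict:
    """What the service keeps: username -> (salt, digest). The plaintext is gone."""
    store = {}
    for user, password in credentials.items():
        salt = secrets.token_bytes(16)  # unique per user
        store[user] = (salt, slow_hash(password, salt))
    return store


def bulk_check_cost(store: dict, leaked: list) -> int:
    """Slow hashes an offline scan needs: one per (user, leaked entry) pair,
    because a different salt per user means no digest can be reused across users."""
    return len(store) * len(leaked)


def bulk_check(store: dict, leaked: list) -> set:
    """The 'checker' as the post imagines it: scan the stored hashes for leaked
    passwords. Fine for three users; at user-base x breach-corpus scale it does
    not finish, since every probe is one slow hash under that user's salt."""
    hits = set()
    for user, (salt, digest) in store.items():
        for candidate in leaked:
            if hmac.compare_digest(slow_hash(candidate, salt), digest):
                hits.add(user)
    return hits


def build_range_index(leaked: list) -> dict:
    """Breach corpus laid out like HIBP's Pwned Passwords range API:
    first 5 hex chars of SHA-1 -> set of the remaining 35 chars."""
    index = defaultdict(set)
    for password in leaked:
        digest = hashlib.sha1(password.encode()).hexdigest().upper()
        index[digest[:5]].add(digest[5:])
    return index


def password_is_leaked(password: str, range_index: dict) -> bool:
    """Login- or password-change-time check: the plaintext is in hand for a
    moment, so one fast hash and one range lookup suffice (O(1) per login).
    In a real range query only the 5-char prefix would leave the service."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_index.get(digest[:5], set())


if __name__ == "__main__":
    store = make_user_store(SAMPLE_CREDENTIALS)
    print("slow hashes needed for a bulk scan:", bulk_check_cost(store, SAMPLE_LEAKED))
    print("bulk scan finds:", bulk_check(store, SAMPLE_LEAKED))
    index = build_range_index(SAMPLE_LEAKED)
    for user, password in SAMPLE_CREDENTIALS.items():
        print(user, "flagged at login-time check:", password_is_leaked(password, index))
```

The bulk scan over three users and four leaked entries needs twelve slow hashes and flags only bob; replace those numbers with a real user base and a real breach corpus and the product is the cost the article is describing. The login-time path never touches the stored bcrypt hashes at all, which is why it scales and the scan does not.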

erosolar's Twitch and LinkedIn post

Reactions from LinkedIn:

LinkedIn reactions part 1
LinkedIn reactions part 2