My password is shorter than 8 characters. When I attempt to log in, I get a validation error telling me so.

Luckily, I'm signed in already on this browser. However, when I go to the change password page and attempt to make my password longer, I get a validation error telling me my old password is shorter than 8 characters, and it prevents submitting the form.

I was reading over tildes' privacy policy and saw that passwords are stored hashed, but are they salted as well?

https://defaultnamehere.tumblr.com/post/163734466355/operation-luigi-how-i-hacked-my-friend-without#fnref:salted

not that tildes is big enough atm to have big public database breaches, but in the future it's a good idea to store passwords with a secure salting system, especially to help users that might have common passwords like "Diane" in the Tumblr post.

I just joined the site less than an hour ago and when I registered I tried to use my normal password that I use on a lot of sites (I know, I know) and it wouldn't let me register because the password has shown up in a data breach. I double checked on https://haveibeenpwned.com/ and sure enough, my password was compromised at some point. So now I know I need to go back and change my password on a hell of a lot of sites.

Anyway, thank you. I've never seen that feature on a site before and it saved my ass before an account of mine was really compromised.

I don't need to reset my password, and I really appreciate the way that it is done to maximize anonymity. However, I think there is a bit of a problem with how it is done in terms of users getting locked out.

If you're locked out, as far as I can tell, there is no way to view the email hint associated with your account. It seems a bit counter intuitive to me that in order to see the hint for how to regain access to your account, you have to already have that access! I also think that it won't work in the case that someone has been away for a few months and has forgotten their password. I'm not sure what a good way of displaying the hint would be, however, since if it is done by username anyone who has seen your posts can look at your password hint.

Hopefully with a bit of discussion we can cook something up that can solve this catch 22!