As a non-native speaker, could you please confirm or invalidate my understanding of this interesting text:
1. They attacked some login/api-token unrelated to bcrypt.
2. If I use bcrypt-validate for logins and only temporarily associate rotating, random login/api-tokens with an account, I should not be prone to such attacks.
AM took the unencrypted password, lowercased it, and hashed it into an MD5 token that they then stored; the conjecture is that it was used as a login token. That is what the article indicates was cracked, since MD5 is very weak, to get the lowercased password; the attackers then tried every permutation of capital letters against the bcrypted passwords to get the actual passwords out.
To avoid similar issues, if you generate a token, don't use the unencrypted password as part of it. Random tokens are fine.
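The two-step attack the answer describes, and the fix, as an added worked example (this is illustration code written for this page, not code from the original post or from the breached site). It uses the standard library only: PBKDF2-HMAC-SHA256 with a deliberately low iteration count stands in for bcrypt (the assumption being that a real bcrypt verify behaves the same here, only slower), the password, salt and wordlist are constructed demo values, and the MD5-of-lowercased-password token construction is the one the answer describes.

```python
import hashlib
import hmac
import itertools
import os
import secrets

# Constructed demo values (not real credentials). In a real breach the attacker
# starts from the leaked MD5 token and the leaked slow hash, not the password.
PASSWORD = "Summer2015!"
SALT = os.urandom(16)

# Stand-in for bcrypt: PBKDF2-HMAC-SHA256 from the standard library, with the
# iteration count lowered so the demo finishes quickly. Assumption: a real
# bcrypt verify behaves the same for the purpose of this attack, only slower.
ITERATIONS = 20_000


def slow_hash(password, salt):
    """Stand-in for the bcrypt hash the site stores for login verification."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def weak_login_token(password):
    """The flawed construction the answer describes: MD5 of the lowercased password."""
    return hashlib.md5(password.lower().encode()).hexdigest()


def crack_md5_token(token, wordlist):
    """Step 1: MD5 is fast and unsalted, so a plain wordlist run recovers the lowercased password."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == token:
            return word
    return None


def case_variants(word):
    """Every upper/lower-case assignment of the word's letters: 2**k candidates for k letters."""
    positions = [i for i, c in enumerate(word) if c.isalpha()]
    for bits in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for pos, upper in zip(positions, bits):
            chars[pos] = chars[pos].upper() if upper else chars[pos].lower()
        yield "".join(chars)


def recover_password(lowercased, salt, stored):
    """Step 2: test only the 2**k case variants against the slow hash instead of the whole keyspace."""
    tried = 0
    for candidate in case_variants(lowercased):
        tried += 1
        if hmac.compare_digest(slow_hash(candidate, salt), stored):
            return candidate, tried
    return None, tried


def random_login_token():
    """The fix: a token independent of the password, so cracking or leaking it reveals nothing about it."""
    return secrets.token_urlsafe(32)


def demo():
    """Run the attack end to end and report how few slow hashes it needed."""
    stored = slow_hash(PASSWORD, SALT)
    token = weak_login_token(PASSWORD)
    wordlist = ["password", "letmein", "qwerty", "summer2015!", "dragon"]  # constructed
    lowercased = crack_md5_token(token, wordlist)
    recovered, tried = recover_password(lowercased, SALT, stored)
    return {
        "lowercased": lowercased,
        "recovered": recovered,
        "slow_hashes_computed": tried,
        "variants_total": 2 ** sum(c.isalpha() for c in lowercased),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the numbers it reports: once the MD5 token gives away the lowercased password, the slow hash only has to be evaluated for at most 2**k case variants (64 for a six-letter password here), which is why a strong bcrypt cost factor did not help. A token from `secrets.token_urlsafe` carries no information about the password, so a leak of the token table leaves the bcrypt hashes as hard to crack as they were designed to be.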
Thank you very much for your help.