At a bare minimum they have everything they need to brute force your password.
Companies don't do this because of liability, but your random volunteer Mastodon admin is guaranteed to run passwords through a GPU crack program, which will find 99% of them in hours.
Even if it's set up like Proton Mail where you have a local encryption key that takes a long time to construct, that just means they can't crack as good a password.
Any site admin can do this. The way phishing works is it tricks you to type your username and password into a website. Because it's a fake website, they have no interest in storing the data.
A Mastodon instance could be a phishing site if it wanted to and see if you're dumb enough to use the same password on the email you used to sign up to the Mastodon server with.
Salting and hashing passwords is good practice if you want to protect your users, but one downside of decentralized services is if anyone can run them, then there's a lot more chance for bad actors to run them.
I've read several times that Mastodon admins can allegedly see your password, from people who used to be a part of it.
Whether that's true or not, I don't know. That there was enough to not bother with the platform.