Why reset passwords for salted hash leaks?

Assuming salts are not reused they negate rainbow tables but you can still crack the passwords it just takes much longer as you have to crack each one individually [1]. This can be done faster by renting hashcat farms or spending a lot of money on hashcat rigs yourself. Not all hashes may be salted correctly. [2]

[1] - https://stackoverflow.com/questions/6776050/how-long-to-brut...

[2] - https://hashcat.net/forum/thread-4429.html

Because no hash is eternal and it is only a matter of time between it being leaked and it being cracked. How long depends on a lot of stuff (technology, implementation, password quality and, overall, the value of the account).

Salting, specifically only has one function: making rainbow tables useless and difficulting hash analisys, it is the deffinition of buying you time and making the attacker think twice by requiring more resources (ideally enough that it;s not worth trying)

So, if you know that your users creds are compromised, the only logical answer is to reset them. What you did when hashing is buying time. The difference is that if you bought enough there is little change of incidents from the leak. If you didn't it may get messy. And will.

People are being cautious, that's all. It's easier to brute-force a password with a hash and a salt than it is to do without them.

People were saying "reset your password" as soon as they saw they saw the headline "Twitch Leak." Which is perfectly fair and probably good advice.

That being said, I haven't even seen it confirmed that the leak contained passwords or user data.

Edit: Twitch says "At this time, we have no indication that login credentials have been exposed." https://blog.twitch.tv/en/2021/10/06/updates-on-the-twitch-s...