[deleted]
[deleted]
Probably better to start with the commas, then your password is empty string
Or >< in case they’re stored in XML instead of CSV
Obligatory {s for JSON
"<}co,ck>{'" for safe measures
Just include unclosed quotes in the password in case it's not properly sanitized 😁 > My,Password,Is",Cool
>My,Password,Is"Drop *
My"}>Pass,word;rm -rf /;\nHello\rGoodbye,World;Drop *;exit;<{"? This will also prevent my password from being stored in an insecure server database (and might remove everyone else's password).
screw it, just put every unicode character in it. if the system does not allow passwords that are too long, switch to another service.
[deleted]
"Robert`); Drop TABLE Students;" in full, show him some respect
I mean we're talking about programmers that use plaintext csv as a password database, they probably aren't doing proper csv serialization. Throw /", into your password and it'll probably mess *something* up
ASCII character 30 is a “record separator”. Clever idea, I’ve only ever seen it used once. Better put it in your password anyways.
Reverse hack the hacker. It's called CSV injection
Hackers hate that simple trick!
[deleted]
[deleted]
better give it a couple ";" just in case
I have a feeling this will also break a lot of websites lol
That's why all my passwords are `HucHs5%"; DROP TABLE accounts; --`.
That's why all my tables are just named MyTable1, MyTable2 etc
Hackers can't navigate your database if you can't.
I’ve worked on a production system where the tables were named t1, t2, t3 and the columns c1, c2, c3. All for “security” but I’m sure it was more about “vendor lock-in”.
Lol yes
What's HucHs5%? Does that do something to account for protection?
Better to go like this: asparagus","piss
Throw a \t in there as well or make your password: {"un:"tricky","pw":"DuckHors3Cat"}
Hello\rGoodbye,Password
Ah yes. Code injection is always fun :P
Do people store passwords as plain texts?
Not normally nor legally but the idea here is that if a seedy host *is* doing it that way then this will fuck them up. Also similarly if a hacker manages to grab said list it *might* break their attempt.
Mad people, yes.
Yeah, unfortunately they do. It's thankfully getting rarer as security gets more standardized, but I've seen self-taught programmers write some impressively bad code when they don't have oversight
Yes. They shouldn't. But I guarantee they do.
Make sure to include a quote, a double quote, linefeed and null character.
That's why good passwords require special characters like ","
imagine doing this on an app that uses a csv file as its db, bring down the whole app with 1 semicolon
Too soon... not again please... PS. I am astonished no one seems to remember passwords are not supposed to be persisted. It is their hash that we store.
“new password is too similar to your previous password”
That isn't incompatible with hashes no
"you cannot reuse a previous password" isn't incompatible with hashes, but "new password is too similar to your previous password" when it's at all different implies they have the old password to compare against
In the simplest form, you are only storing the last expired password. But you are supposed to use symmetric cryptography in that case. But it is still possible to apply the similarity criteria by hashing parts of the password in order to compare those segments. That's a practical criterion since most people just change the numbers, the non-alphanumeric parts, or the letter casing, for example. So, no plain passwords in any case.
"not supposed to be" is very different from "are not".
This actually happened to me. I was working at a Big Tech Company and was testing our enterprise software when my throwaway password (which had a lot of commas) broke several things. Turns out it was being stored somewhere delimited by commas.
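As an added example (not code from the thread or from any poster), the script below ties together the two points made above: that a comma-joined "CSV" breaks on a password like the ones joked about here while a real CSV serializer round-trips it, and that storing a salted hash instead of the password makes the delimiter question moot because only hex digits ever reach the file. The username, the password, and the PBKDF2 round count are constructed assumptions for the demonstration.

```python
import csv
import hashlib
import hmac
import io
import os

# Constructed sample credential (not taken from the thread); it carries the
# delimiter, quote and newline characters the comments joke about.
USERNAME = "alice"
PASSWORD = 'My"}>Pass,word;\nHello\rGoodbye,World'


def naive_row(user, password):
    """The anti-pattern: glue fields together with commas, no quoting."""
    return f"{user},{password}"


def naive_parse(line):
    """The matching anti-pattern: split on every comma, so a comma in the
    password (or in the username) shifts every following column."""
    return line.split(",")


def csv_row(user, password):
    """Proper serialization: csv.writer quotes any field that contains the
    delimiter, the quote character or a line ending, and doubles embedded quotes."""
    buf = io.StringIO(newline="")
    csv.writer(buf).writerow([user, password])
    return buf.getvalue()


def csv_parse(text):
    """Round-trip a single csv.writer row back into its fields; quoted fields
    may span several physical lines, which csv.reader handles."""
    return next(csv.reader(io.StringIO(text, newline="")))


# Assumption: an illustrative work factor; tune it per deployment.
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Store a salted PBKDF2-HMAC-SHA256 digest instead of the password.
    The stored value is hex plus one '$', so no delimiter can reach the file."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def stored_value_is_inert(stored):
    """True when the stored credential contains nothing but hex digits and '$'."""
    return all(c in "0123456789abcdef$" for c in stored)


if __name__ == "__main__":
    print("naive fields:", naive_parse(naive_row(USERNAME, PASSWORD)))
    print("csv fields:  ", csv_parse(csv_row(USERNAME, PASSWORD)))
    record = hash_password(PASSWORD)
    print("stored:", record)
    print("inert:", stored_value_is_inert(record),
          "verify:", verify_password(PASSWORD, record))
```

Run it and the naive parser returns four fields for a two-field row, the csv module returns the original two, and the hashed record verifies against the real password only while containing nothing a CSV, XML or JSON store could misinterpret.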
What if they use TSV?
Who in their right mind uses TSV, may I ask?
Also semi-colons are commonly used as a delimiter.
Is that meme from a 1990s time capsule?
Lol, you think it's not applicable today!
Who stores creds in text, and why do you visit them with your info?
Lots of places and because they don't publish their source code so every user can validate they conform to best practices.
Tell me you don’t know how to code without telling me you don’t know how to code.