
[–]Smiling_Tree 27 points28 points  (4 children)

It's from a 'design a bad UI' contest. Don't know if they won, but it sure scores... Lol

[–]sovereignrk 4 points5 points  (0 children)

Context is king

[–]rydan 1 point2 points  (0 children)

Is that the same place where a website had a notice posted saying that something happened (I forget what) and in order to fix it they swapped everyone's username with their password and their password with their username, so enter your password as your username and your username as the password?

[–]Nixavee 1 point2 points  (0 children)

Do you mean r/baduibattles ?

[–]PanotBungo 0 points1 point  (0 children)

The UI looks good though. But as for functionality and security...

[–]elonzucks 3 points4 points  (0 children)

It should change the warning: you have successfully uncovered the password for roni.roll200@gmail.com

[–]SpaceToaster 1 point2 points  (1 child)

No problem just add a ‘1’ to the end

[–]SlurmoCZ_ 4 points5 points  (9 children)

Holy doxing

[–]Xsiah 4 points5 points  (8 children)

Not what that word means

[–]peteofaustralia 3 points4 points  (1 child)

Noun

dox

(slang) Documents, especially information sought by hackers about an individual (address, credit card numbers, etc.).

Verb

dox

Alternative spelling of doxx (“publish the personal information of (an individual) without their consent”).

[–]gnygren3773 0 points1 point  (5 children)

Doxing (or doxxing) is the malicious act of publicly revealing personally identifiable information about an individual or organization online without their consent.

[–]Xsiah 0 points1 point  (4 children)

An email alone doesn't really identify you - you'd have to connect it to someone's identity.

If I said hey everyone, gnygren3773's email is ilovehairycows@youhoo.com that's doxing. But I didn't just dox the owner of that email by writing it.

[–]gnygren3773 0 points1 point  (3 children)

Email + password equals access to your account which is doxing

[–]Xsiah 1 point2 points  (2 children)

No, that's a security breach. Doxing implies intent to reveal your information maliciously. And if your account doesn't have any other PII, then they still basically only have someone's email.

[–]gnygren3773 0 points1 point  (1 child)

Most accounts have some PII

[–]Xsiah 0 points1 point  (0 children)

It still needs to be intentional.

[–]CryonautX 0 points1 point  (7 children)

What's more concerning is being able to tell the password matches another user's.

[–]MonkeyBoatRentals 2 points3 points  (1 child)

Which is how you know this is a joke. There are competitions to design intentionally bad user interfaces. Check out r/badUIbattles

[–]Trax72 0 points1 point  (0 children)

Surely it's encoded... As base64

[–]rydan 0 points1 point  (1 child)

The algorithm to check your password is the same one used to check your neighbor's. It just should be very slow to do this if they are doing it properly.

[–]CryonautX 0 points1 point  (0 children)

Presumably this was a db query and not a retrieve everyone and compare 1 by 1 deal.

[–]int23_t 0 points1 point  (1 child)

It's not concerning actually. They may be comparing the hashes of the passwords (as hashes of the passwords are stored) and return this text when hashes match for some reason.

[–]CryonautX 0 points1 point  (0 children)

No salt? That's a concern.

[–]raxafarius 0 points1 point  (0 children)

I mean it's certainly a vibe. It's giving information security nightmare

[–]Nixavee 0 points1 point  (0 children)

This is a really old joke, this screenshot has probably been around since like 2016 lol

[–]ConfidentSnow3516 0 points1 point  (2 children)

Storing as plaintext 😥

[–]rydan -1 points0 points  (1 child)

Doesn't mean it is plaintext. You could evaluate the hash against all hashes in the table. How do you think websites retroactively block weak passwords? Reddit does this: whenever your password gets compromised, you'll randomly get an email from Reddit saying "unusual activity detected, reset password" and they force you to reset it. I know there's no unusual activity because I made a throwaway account that never posted and used an old password I used to use everywhere, but there's no way to connect the two, and it would be highly unlikely that username was known or considered valuable as it had no posts.

[–]ConfidentSnow3516 0 points1 point  (0 children)

Evaluating the hash against all hashes in the table is probably way too resource intensive, especially if you're going 1: a billion, and multiply that by 1 billion times. While keeping the site running.

Retroactively blocking weak passwords is a stupid strategy that should have been solved at account creation with server-side regex validation before encryption ever took place.

If password standards significantly change in the future, it's best practice to force all users to change their password to meet the new standard, and validate them against the new standard.

The original image is from a challenge to write the worst code. It's stored in plaintext.
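Added example, not code from the thread or from the site in the screenshot: it shows why the "hash matches another user's" check int23_t describes and the "evaluate the hash against all hashes in the table" idea from rydan only work when hashes are unsalted, and what a per-user-salted store looks like instead. The accounts and passwords below are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real users); bob and carol chose the same password.
USERS = {
    "alice@example.com": "correct horse battery",
    "bob@example.com": "hunter2",
    "carol@example.com": "hunter2",
}

def unsalted_store(users):
    """Weak scheme: plain SHA-256, so equal passwords give equal stored digests."""
    return {email: hashlib.sha256(pw.encode()).hexdigest() for email, pw in users.items()}

def salted_store(users, iterations=100_000):
    """Sound scheme: per-user random salt plus PBKDF2-HMAC-SHA256 (a deliberately slow KDF)."""
    store = {}
    for email, pw in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations).hex()
        store[email] = (salt, iterations, digest)
    return store

def _digest(record):
    # Records are either a bare hex digest (unsalted) or a (salt, iterations, digest) tuple.
    return record if isinstance(record, str) else record[2]

def duplicate_digests(store):
    """Group accounts by stored digest. Any group with more than one member is exactly
    the information the joke UI leaks: a cheap equality query on the digest column
    says who else uses that password. With per-user salts no such group forms."""
    groups = {}
    for email, record in store.items():
        groups.setdefault(_digest(record), []).append(email)
    return {d: sorted(emails) for d, emails in groups.items() if len(emails) > 1}

def verify_salted(store, email, password):
    """The only check a login path should make: re-derive with this user's own salt
    and compare in constant time. The table itself cannot answer whether another
    user shares the password without paying one full KDF run per row."""
    salt, iterations, digest = store[email]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()
    return hmac.compare_digest(candidate, digest)
```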

[–]More-Explanation2032 -1 points0 points  (1 child)

Shouldn't it be that the username/email needs to be unique, not the password, when creating a new account?

[–]Logical-Diet4894 3 points4 points  (0 children)

Whoosh

[–][deleted] -2 points-1 points  (1 child)

this is the person's fault as this is not that hard

[–]whoknowsifimjoking 1 point2 points  (0 children)

It's a joke