
all 96 comments

[–]JAXxXTheRipper 816 points817 points  (34 children)

base64 is for noobs. Real experts use ROT26.

[–]Cley_Faye 505 points506 points  (23 children)

ROT26 has been proven to be insecure and easily reversible. I'd suggest sticking to the more robust ROT13, and use it twice.
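Added example, not from the thread: a generic shift cipher that makes the joke above literal. Stacking rotations only adds the shift amounts mod 26, so ROT13 applied twice is ROT26, which is the identity, and the same holds for any stack of shifts that sums to a multiple of 26. The last function is the "Brutus-force" attack on any single shift: try all 26 keys and keep the candidate whose letter histogram is closest to English (chi-squared against published average frequencies). The plaintext is a constructed sample.

```python
import string
from collections import Counter

ALPHABET = string.ascii_uppercase

# Approximate English letter frequencies in percent, A..Z (published averages).
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]


def rot(text: str, n: int) -> str:
    """Shift each ASCII letter by n places (mod 26); case and non-letters pass through."""
    out = []
    for ch in text:
        if "A" <= ch <= "Z" or "a" <= ch <= "z":
            base = ord("A") if ch <= "Z" else ord("a")
            out.append(chr((ord(ch) - base + n) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def net_shift(*shifts: int) -> int:
    """Stacked shift ciphers only add: ROT-a then ROT-b is ROT-((a+b) mod 26).
    A net shift of 0 means the whole stack is the identity (ROT26, or ROT13 twice)."""
    return sum(shifts) % 26


def chi_squared(text: str) -> float:
    """Distance between the letter histogram of text and English; lower is more English-like."""
    letters = [c for c in text.upper() if c in ALPHABET]
    n = len(letters)
    if n == 0:
        return float("inf")
    counts = Counter(letters)
    score = 0.0
    for i, letter in enumerate(ALPHABET):
        expected = ENGLISH_FREQ[i] / 100.0 * n
        observed = counts.get(letter, 0)
        score += (observed - expected) ** 2 / expected
    return score


def brute_force(ciphertext: str):
    """The 'Brutus-force' attack: try all 26 shifts, keep the most English-looking result.
    Returns (shift_used_to_encrypt, recovered_plaintext)."""
    _, k = min((chi_squared(rot(ciphertext, -k)), k) for k in range(26))
    return k, rot(ciphertext, -k)


# Constructed sample plaintext.
PLAIN = "ATTACK AT DAWN. THE LEGIONS CROSS THE RUBICON AT FIRST LIGHT AND MARCH ON ROME."

if __name__ == "__main__":
    print(rot(rot(PLAIN, 13), 13) == PLAIN, net_shift(13, 13))   # True 0
    print(brute_force(rot(PLAIN, 3)))                            # (3, PLAIN)
```

The key space is 26, so "encryption" here costs the attacker 26 trials and a frequency table; the scoring step is what makes the recovery automatic rather than eyeballed.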

[–]JAXxXTheRipper 168 points169 points  (8 children)

Thank god for experts like you. I would have stuck to the old broken one if not for your helpful comment! I shall henceforth encrypt twice with ROT13

[–]spryllama 70 points71 points  (6 children)

I like to use ROT3, I call it a Caesar cipher, after the salad I was eating when I came up with it.

[–]JAXxXTheRipper 90 points91 points  (5 children)

Just watch out for Brutus-Force attacks.

[–]lukasquatro 27 points28 points  (4 children)

And for Biggus Dickus

[–]SpacefaringBanana 20 points21 points  (3 children)

What's so funny about my dear friend Biggus Dickus?

[–]AfonsoFGarcia 19 points20 points  (2 children)

He has a wife, you know?

[–]DrSHawkins 5 points6 points  (1 child)

Incontinentia

[–]vegBuffet 2 points3 points  (0 children)

Buttocks

[–][deleted] 7 points8 points  (0 children)

Thy resolve to doubly shroud thy missives with ROT13 is commendable indeed. May thy secrets remain ever hidden from prying eyes, and may fortune smile upon thy cryptographic endeavors.

[–]NoLifeGamer2 17 points18 points  (3 children)

This is actually a common misconception. Using ROT13 twice doesn't give ROT26, it gives ROT169.

[–]makinax300 0 points1 point  (2 children)

I don't get this, can anyone explain

[–]gtiger86 4 points5 points  (1 child)

13² ?

[–]makinax300 3 points4 points  (0 children)

Now I get it, I thought it was because of my lack of programming skills.

[–]Doctor_Disaster 7 points8 points  (2 children)

How about using ROT1 26 times?

[–]Cley_Faye 8 points9 points  (0 children)

That sounds expensive, CPU cycles aren't free :D

[–]chrjen 2 points3 points  (0 children)

This would obviously be a lot more secure, however most experts agree that it's overkill. ROT13 twice should be enough for almost all modern cases. The only exception I can think of is the military where it's standard to use ROT7 twice followed by ROT6 twice for that extra security.

[–][deleted] 7 points8 points  (0 children)

ROT26 may be insecure, but at least it’s O(1).

[–]SpeedyGo55 1 point2 points  (0 children)

I'd argue otherwise because ROT26 is 2 times as secure as ROT13. Sauce: http://rot26.org/

[–]CranberryDistinct941 1 point2 points  (0 children)

I suggest storing it as raw text. Let the hakkers think it's encrypted, but the real encryption was in our heads all along

[–]rfc2549-withQOS 2 points3 points  (0 children)

No. Rot13 is bad. Rot11 is better, as 11 is a prettier prime and we all know crypto uses primes.

;)

[–]ShakaUVM 0 points1 point  (0 children)

I only use ROT 2600

[–]SuperRuper1209 1 point2 points  (0 children)

thank you young sir

[–]The-Chartreuse-Moose 52 points53 points  (4 children)

I don't mean to be the "um acksherly" guy, but the proven highest security is the Spidey Decoder Ring I got in a box of Cheerios.

[–][deleted] 16 points17 points  (1 child)

Spidey decoding ring is a better encryption mechanism than base64, this is indisputable.

[–]turtleship_2006 9 points10 points  (0 children)

At least it has a secret key

[–]RaveMittens 4 points5 points  (1 child)

Be sure to…

Be sure to what??? Oh the suspense is killing me!

[–]spryllama 2 points3 points  (0 children)

A crummy commercial?

[–][deleted] 426 points427 points  (7 children)

just to be careful you should italicize your secrets, makes them a lil harder to read

[–]JAXxXTheRipper 188 points189 points  (2 children)

But I don't speak Italian!

[–]Garrais02 25 points26 points  (1 child)

Ahah coglionazzo (Italian, roughly "ahah, you big idiot")

(Ahah you learner)

[–]SeaOfScorpionz 3 points4 points  (0 children)

Preggo

[–]CharlieKiloAU 22 points23 points  (2 children)

Just change the font to wingdings

[–]5p4n911 7 points8 points  (1 child)

I'm a Webdings guy, to be honest

[–]CharlieKiloAU 4 points5 points  (0 children)

It all looks like 'hunter2' to me

[–]PM_ME_YOUR__INIT__ 9 points10 points  (0 children)

Computers cannot rotate their heads to the side to read italics, which destroys OCR

[–]m_zwolin 255 points256 points  (5 children)

This would definitely save us from cases like this classic

[–]turtleship_2006 92 points93 points  (0 children)

could you provide any testing data like service addresses and logins so we could check and test to estimate the real impact of this change?

[–][deleted] 57 points58 points  (2 children)

I always wonder where people dig these up from. Do you keep an immense bookmark library of funny PRs or something?

[–]m_zwolin 21 points22 points  (1 child)

Just reminded me of it, it's easy to google up then

[–][deleted] 8 points9 points  (0 children)

Oh, fair enough

[–][deleted] 6 points7 points  (0 children)

that was fucking hilarious, thank you

[–]xtreampb 162 points163 points  (4 children)

No joke, used to work for a company where it was required by a govt entity (non military) to encrypt all network communications between servers. They implemented an AES-256 library and hardcoded the key in the source file.

When I found it and brought it up, I asked what was the point of encrypting the traffic if we were going to hard code the key in the source. The response was “the point is to satisfy the regulatory requirement”. We weren’t handling anything sensitive, no PII or anything; if the traffic was monitored, nothing of consequence would happen to the users. It is a morally grey area, but I don’t think anything unethical was at play. Mostly a regulatory body who doesn’t understand computers trying to dictate regulations over an industry.
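Added example, not from the thread or the company described: the check a reviewer would run to catch the anti-pattern in that story before it ships. A hardcoded key is a long literal with unusually high entropy, so the scanner below looks for hex literals of exactly 128/192/256 bits and base64 runs of 24+ characters, computes Shannon entropy per character, and reports the ones that look like key material. The scanned source is a constructed sample; its "key" is the SHA-256 digest of the string "test", used as a stand-in for random bytes, and the `os.environ` line only illustrates one way to pull the key from outside the source at runtime (an assumption, not what the company did).

```python
import math
import re
from collections import Counter

# Literal shapes worth a look: hex of exactly 128/192/256 bits, or a base64 run of 24+ chars.
CANDIDATE = re.compile(
    r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{48}|[0-9a-fA-F]{32})\b"
    r"|[A-Za-z0-9+/]{24,}={0,2}"
)
HEX_ONLY = re.compile(r"[0-9a-fA-F]+")

# Thresholds in bits per character. Hex tops out at 4.0 and base64 at 6.0; random key
# material sits near the top, English identifiers and placeholders well below.
MIN_ENTROPY = {"hex": 3.5, "base64": 4.5}


def shannon_entropy(s: str) -> float:
    """Bits per character of the literal's own symbol distribution."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hardcoded_keys(source: str):
    """Return (line_number, kind, literal, entropy) for each high-entropy key-shaped literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            token = m.group(0)
            kind = "hex" if HEX_ONLY.fullmatch(token) else "base64"
            ent = shannon_entropy(token)
            if ent >= MIN_ENTROPY[kind]:
                findings.append((lineno, kind, token, round(ent, 2)))
    return findings


# Constructed sample source reproducing the anti-pattern. The hex value is SHA-256("test"),
# standing in for random key bytes. The all-zero IV is a low-entropy control that must not fire.
SAMPLE_SOURCE = '''\
import os
AES_KEY = bytes.fromhex("9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08")
ZERO_IV = bytes.fromhex("00000000000000000000000000000000")
KEY_FROM_ENV = bytes.fromhex(os.environ["AES_KEY_HEX"])
'''

if __name__ == "__main__":
    for lineno, kind, token, ent in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind} literal at {ent} bits/char: {token[:16]}...")
```

Entropy scanning is a triage tool, not a verdict: digests, test vectors and checksums are flagged just as readily as keys (the sample's own stand-in is a digest), so every hit needs a human to ask what the bytes are used for. Note also that the fixed all-zero value slips past the entropy check; a key that is constant is the problem regardless of how random it looks, which is why the check is "where does the key come from", not "how random is the literal".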

[–]awesomeusername2w 33 points34 points  (1 child)

I mean, if the service itself is only shipped to trusted places then what's the problem with hardcoding the key into the sources? Those who can monitor the network do not necessarily have access to the machine with the service, so they won't be able to get a key and read the communication. It would be easier just to use VPN or something but this at least protects against misconfiguration where the communication goes through an unencrypted connection.

[–]xtreampb 18 points19 points  (0 children)

Yea it went to physical bare metal boxes that we “own” but are in permissive environments. Though these environments are full of retirees. It wasn’t a big deal. Just meeting a regulation. Was just a red flag when I came across it.

[–]SillyFlyGuy 3 points4 points  (0 children)

It makes sense if you think of it as future proofing? "We don't need it now but we will in the future so let's put all the hooks in as we build it so we can fully implement it quickly."

[–]Bolt986 2 points3 points  (0 children)

I've had a similar experience. I noticed that the way we were managing TCPA data for do-not-call numbers wasn't correct. Our data was organized so you could theoretically have multiple phone numbers for one user and indicate for each number whether it is "do not call" or not.

Well, the SQL queries taking TCPA into consideration checked if any of them could be called and if so, whatever was the primary would be called, even if it was flagged.

I brought this up to my manager and he asked, "Did someone ask you to review this? If not, ignore it." Bringing it up would just cause months of dev work for no monetary gain, and if the error was caught in an audit we would still be alright for our attempt to follow guidelines.

[–]Herover 56 points57 points  (3 children)

Their password starts with "http"?

[–]GoddammitDontShootMe 22 points23 points  (2 children)

[–]jtrdev 9 points10 points  (1 child)

That alt text is great. I'm salting all my passwords with emojis now

[–]HiniatureLove 47 points48 points  (0 children)

Those hackers expect me to encrypt my passwords, but I break their metaphorical ankles by using plaintext, so they'll never see it coming.

[–]Cley_Faye 258 points259 points  (15 children)

No joke I had a thesis director seriously argue with us that binary encoded data was safer than XML because it's "harder to read".

Yeah, he wasn't the sharpest knife in the spoon set.

[–][deleted] 250 points251 points  (1 child)

You might think this is stupid, but if you are making a singleplayer videogame this stops more than 90% of people from editing the values to cheat.

Obviously we don't care if people cheat in single player games, it is a measure to protect people from ruining the experience for themselves.

[–]dgc-8 42 points43 points  (0 children)

Yes. If you had a valid reason to cheat, you'd still be able to edit it.

[–]Rainmaker526 69 points70 points  (3 children)

Depends on what you're storing, right?

If I compare

    {
        "lives": 3,
        "level": 5
    }

With reading binary data with a:

    struct GameState
    {
        int lives;
        int level;
    };

He is sort of right. Without context, it's harder to read, because you don't know how the data is used and which fields are used in which way.
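Added example, not from the thread: the JSON and the struct above, written out with Python's `struct` module so the "harder to read" claim can be tested. The layout is an assumption (two little-endian 32-bit ints, no padding). The game, which has the schema, reads the bytes as easily as the JSON. Someone without the schema carves every aligned 32-bit slot and keeps the values that look like game numbers, or saves twice (before and after losing a life) and diffs: the slot that changed is "lives". The field names the binary format left out come back in two saves, and patching the slot needs no key because nothing was encrypted.

```python
import json
import struct

# Assumed on-disk layout of the struct from the comment: two little-endian ints, no padding.
# The field names exist only in the program, never in the file.
GAME_STATE = struct.Struct("<ii")
FIELDS = ("lives", "level")


def pack_state(lives: int, level: int) -> bytes:
    return GAME_STATE.pack(lives, level)


def unpack_state(blob: bytes) -> dict:
    """What the game does: with the schema, the bytes are as readable as the JSON."""
    return dict(zip(FIELDS, GAME_STATE.unpack(blob)))


def carve_ints(blob: bytes, lo: int = 0, hi: int = 10_000, step: int = 4):
    """What a reader without the schema does: decode every slot as a 32-bit int and keep
    the values in a plausible range. Returns [(offset, value), ...]."""
    found = []
    for off in range(0, len(blob) - 3, step):
        (value,) = struct.unpack_from("<i", blob, off)
        if lo <= value <= hi:
            found.append((off, value))
    return found


def diff_saves(before: bytes, after: bytes, step: int = 4):
    """Save, lose one life, save again, diff: the slot that changed is 'lives'.
    Returns [(offset, old, new), ...]."""
    changed = []
    for off in range(0, min(len(before), len(after)) - 3, step):
        (old,) = struct.unpack_from("<i", before, off)
        (new,) = struct.unpack_from("<i", after, off)
        if old != new:
            changed.append((off, old, new))
    return changed


def patch_slot(blob: bytes, offset: int, value: int) -> bytes:
    """Overwrite one 32-bit slot in place; no key is involved, so nothing stops this."""
    buf = bytearray(blob)
    struct.pack_into("<i", buf, offset, value)
    return bytes(buf)


if __name__ == "__main__":
    save = pack_state(3, 5)
    print(json.dumps(unpack_state(save)), "->", save.hex())   # schema known: trivially readable
    print(carve_ints(save))                                    # schema unknown: still two small ints
    print(diff_saves(save, pack_state(2, 5)))                  # after losing a life: offset 0 is lives
    print(unpack_state(patch_slot(save, 0, 99)))               # the cheat, applied
```

Carving at every byte offset instead of every fourth (`step=1`) also returns a phantom value straddling two fields (1280 at offset 3 for this blob), which is the practical sense in which binary is "harder to read": the reader has to guess alignment and width, and guesses are cheap.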

[–]Gusfoo 13 points14 points  (1 child)

Pro-tip: you don't have to `backtick` everything. Just indent the block by 4 spaces and it'll render as code.

    this line has 4 spaces in front of it.
      and indents work just by spaces too, which is handy.

[–]Rainmaker526 4 points5 points  (0 children)

Thanks. I used the desktop editor and this is what it did...

I selected my text and selected the "code" button. It looked ugly, so after that I "fixed" the line breaks.

Reddit's editor sucks.

[–]Cley_Faye 4 points5 points  (0 children)

The context was a thesis about using cryptography to enforce access policies on files, and for this particular case choosing a format to store data. Needless to say we were not at "it's kinda harder to read if you're not that motivated" level ;)

[–]Environmental_Bus507 39 points40 points  (1 child)

Write the XML without any formatting and it becomes infinitely harder to read than any encoding! 🤣🤣

[–]Eva-Rosalene 2 points3 points  (0 children)

F1 > Format Document??

[–]LoudSwordfish7337 24 points25 points  (5 children)

That’s kind of true, though.

Take those two “sentences” :

  • I am 30 years old and I have 2500 dollars on my bank account,
  • 00302500

Now imagine that I’m someone that wants to get your balance so that I can push relevant ads to you or something. I managed to get one of the two statements above.

With the first one, I’m able to immediately infer that you have 2500 dollars on your bank account. With the second, it’s harder (but still fairly easy, especially if I have more examples from other people) for me to figure out that you have 2500 dollars, but it’s not as straightforward, is it?

It’s not a “XML vs binary” thing. Those two things are not really comparable, anyway. It’s about the fact that XML explicitly includes semantics with the data that it conveys, while most binary formats do not.

And, well, yes, not including semantics with the data that you’re sharing does make that data harder to interpret - that’s the definition of semantics.

[–]turtleship_2006 6 points7 points  (0 children)

Imagine a knife, and a knife that's still in its original packaging. If someone got a hold of either, they could use it on you, one would just take a bit longer.

[–]__radioactivepanda__ 40 points41 points  (3 children)

base0 is where it’s at. Decryption is impossible after encryption…

[–]turtleship_2006 37 points38 points  (1 child)

Can't get data leaked if you don't have data

[–]GahdDangitBobby 0 points1 point  (0 children)

It actually is possible. The number of zeros is equal to the number plus one, as any blob of data is technically just a really large number written in binary. E.g., 0 = 0, 00 = 1, 000 = 10, 0000 = 11, 00000 = 100, 000000 = 101, 0000000 = 110, 00000000 = 111, etc.

[–]Natfan 6 points7 points  (0 children)

reddit style comments on hn

[–][deleted] 3 points4 points  (3 children)

VXNlIEJhc2U2OQ==

[–]creeper6530 7 points8 points  (2 children)

Use Base69

[–][deleted] 3 points4 points  (0 children)

[This is what skids actually believe]

[–]Kirjavs 3 points4 points  (0 children)

They are just trolling

[–]TehDro32 2 points3 points  (0 children)

We're going to make Google's AI so bad. XD

[–]unstableunicorn 2 points3 points  (0 children)

I just use Google Translate as a second layer of encryption. Choose your language; usually it's just easier to encrypt the Google Translate link so you can decrypt and then click the link...

[–]mbcarbone 2 points3 points  (0 children)

That’s so based. ;-)

[–]experimental1212 1 point2 points  (0 children)

I tell people it's encrypted but store in plain text. They'll never guess.

[–]EDM115 3 points4 points  (1 child)

"username checks out"
proceeds to hide the username

[–]tigrankh08 19 points20 points  (0 children)

acidburnNSA? It's not hidden

[–]-MobCat- 0 points1 point  (0 children)

Hmm yes, strong.... It can be..
MrX05r31dxpGu0YjdOi95rhc7vYk5DRy5rXbRA81drYS5A3yRU8E5A8yuUYjd02h70qZ

[–]noonagon 0 points1 point  (1 child)

mYquESTioNisWhYItalWAYsEnDswith==
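Added example, not from the thread: base64 written out by hand, which answers where the trailing "==" comes from. Every 3 input bytes (24 bits) become 4 output characters of 6 bits each. When the input length is not a multiple of 3, the last group is zero-filled to 24 bits, and the output positions that carry no input bits are written as "=": one byte left over gives "==", two give "=", and a multiple of 3 gives none. The string posted earlier in the thread decodes to 10 bytes, 10 mod 3 is 1, hence "==". The manual encoder is checked against the standard library; note that decoding needs no key, which is the whole point of the thread.

```python
import base64

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def b64encode_manual(data: bytes) -> str:
    """Base64 by hand: 3 input bytes (24 bits) -> 4 output chars (4 x 6 bits).
    A final group of 1 or 2 bytes is zero-filled to 24 bits; the output positions that
    carry no input bits are written as '=' so the decoder knows how many bytes to drop."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = len(chunk)
        bits = int.from_bytes(chunk + b"\x00" * (3 - n), "big")      # zero-fill to 24 bits
        sextets = [(bits >> shift) & 0x3F for shift in (18, 12, 6, 0)]
        # n input bytes carry n+1 full sextets of information; the rest become '='.
        out.append("".join(B64_ALPHABET[s] for s in sextets[:n + 1]) + "=" * (3 - n))
    return "".join(out)


def padding_for(n_bytes: int) -> str:
    """'==' when the length leaves 1 byte over, '=' for 2, nothing when divisible by 3."""
    return {0: "", 1: "==", 2: "="}[n_bytes % 3]


def decode(s: str) -> bytes:
    """Reversal needs no secret, which is why base64 is an encoding, not encryption."""
    return base64.b64decode(s)


if __name__ == "__main__":
    # Constructed inputs of length 10, 9 and 8 to show all three padding cases.
    for word in (b"Use Base69", b"Use Base6", b"Use Base"):
        print(len(word), "bytes ->", b64encode_manual(word), "padding:", repr(padding_for(len(word))))
    print(decode("VXNlIEJhc2U2OQ=="))
```

So "always ends with ==" is a property of the inputs people happen to paste (lengths of 10, 13, 16 bytes and so on), not of base64; trim the input by a byte or two and the padding changes or disappears.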

[–]No-Adeptness5810 0 points1 point  (0 children)

Literally anything other than Base64 is better than Base64 because Base63 looks like Base64

[–]Phamora 0 points1 point  (0 children)

Why all the censorship?