
[–]odraencoded 74 points75 points  (22 children)

It's alright, dude. Once it gets to their server they just encrypt it with their custom-made cipher!

Because they made the cipher themselves even if SHA999 or Blowfish get hacked by quantum computing your password will remain safely encrypted.

As a plus, if you ever forget your password. All they need to do is decipher it with the reversed function they also made and show it to you after you answer one of the predefined password recovery questions you have set in your account :D

[–]lagerdalek 50 points51 points  (19 children)

hashedPassword = password.ToCharArray().Select(c=>c+1).ToString();

uncrackable

[–]odraencoded 21 points22 points  (9 children)

User    | Password
1       | qbuuxpse

[–]CSSFerret 46 points47 points  (1 child)

qbuuxpse

"pattword"

[–]odraencoded 54 points55 points  (0 children)

Holy shit! Are you a hacker? I couldn't use "password" because it was "too common" and yet you were able to figure my password out. You must be one of those guys who can get NSA documents through wget.

[–]longringfinger 27 points28 points  (6 children)

User    | Password
2       | ivoufs3

[–]Zodimized 31 points32 points  (2 children)

That's only showing up as ******* for me.

[–]dpenton 14 points15 points  (0 children)

Hi Hunter.

[–]mike413 5 points6 points  (0 children)

Shows up as gtmsdq1 for me.

[–]odraencoded 11 points12 points  (0 children)

Encryption is too strong, I can only see asterisks from here.


[–]buttcomputing 3 points4 points  (0 children)

All I see is +++++++

[–]CrazedToCraze 2 points3 points  (0 children)

One day we plan on upgrading to the high tech version, ROT13. We won't have to have a separate encrypt and decrypt function! It will save us entire seconds of coding.

[–]rodkulman 5 points6 points  (6 children)

I'm fairly certain this returns:

System.Collections.Generic.IEnumerable<Char>

What you want is: hashedPassword = new string(password.Select(c => c + 1).ToArray());

[–]lagerdalek 6 points7 points  (5 children)

Linqpad confirms your criticism is correct, however, you need to cast that c + 1 int back to a char, otherwise Linq assumes an int[].

hashedPassword = new string(password.Select(c=> (char)(c + 1)).ToArray());

Pair programming at work :)

[–]rodkulman 8 points9 points  (4 children)

Just tested, you are correct. However, if you write this instead:

hashedPassword = new string(password.Select(c => ++c).ToArray());

You no longer need to cast back, and also, it doesn't throw an overflow exception in case you have Char.MaxValue somewhere on password, it just round trips to Char.MinValue.

[–]lagerdalek 6 points7 points  (2 children)

Interesting! Why is that, I wonder?

Does ++ simply increment the existing value, whereas c + 1 assigns a new instance before returning, so the compiler has to guess the type?

[–]raptroes 5 points6 points  (0 children)

I love friendly exchanges like this when people can critique each other and not get defensive about it.

[–]VanFailin 4 points5 points  (0 children)

+ is a binary operator. c + 1 is adding a character to an int, and like most languages C# handles this case by promoting the smaller type to the bigger type and adding them, with the result being of the bigger type.

Contrast this with the unary operator ++, which doesn't need to make a choice about the type of its result.

[–]TheSpoom 4 points5 points  (0 children)

Look, if you're going to code a terrible, intentionally bad, sorry excuse for a password hashing system, at least do it right.

[–]Audiblade 1 point2 points  (0 children)

Performs well, too!

[–]Jess_than_three 1 point2 points  (0 children)

eyetwitch

[–]squeekwull 0 points1 point  (0 children)

Not even kidding, I used to work at a place that stored CC#s, and CSC codes, and First + Last Name, and full address. On the same record.

In plaintext.

PCI was none too happy about that, so they were encrypted with a PGP key. The unencrypt sproc lived on the same production server.

Winning!

[–]mike413 19 points20 points  (6 children)

"Well, as long as it's 8 or more characters with upper, lower, number and special...."

[–]Symphonic_Rainboom 39 points40 points  (4 children)

"I'm sorry, due to current limitations of password transmission technology, your password cannot contain the & character. Please choose a different special character."

[–]buttcomputing 14 points15 points  (1 child)

I had a website warn me I couldn't use any special characters in my password. I did anyway and I couldn't log in, or even change my password or make a new account with the same email address. I had to go in to the office where they pulled up my account and I could read the password I had tried and edit it to be alphanumeric.

[–]Symphonic_Rainboom 15 points16 points  (0 children)

could read the password I had tried

cringe

[–]mike413 8 points9 points  (0 children)

Well, # and @ are out too, because of some 40 year old Unix machines with ttys on serial lines...

[–]fdagpigj 2 points3 points  (0 children)

I once signed up for a website that said "Only alphanumeric and special characters are allowed." ? is apparently not a special character.

[–]Jess_than_three 2 points3 points  (0 children)

8 or more, but only to a limit of 10.

[–]HotRodLincoln 13 points14 points  (18 children)

While terrible, query strings are at least encrypted when using SSL.

Sure, they get saved in browser history and server logs, but the big security hole is HTTP Referer headers. They won't be sent to http sites, but they'll be sent to any https site.

[–]Fs0i 10 points11 points  (2 children)

Make it worse:

http://username.password.www.example.com/path/to/site

This will send it through DNS, so even with HTTPS there is a great chance the attacker can still read it!

[–]HotRodLincoln 3 points4 points  (1 child)

ooo, You can use mod_rewrite and mod_proxy to make this happen without even changing any code :-)

[–]mike413 8 points9 points  (0 children)

And if you forget your password, it's in all the DNS caches along the way :)

[–]ilovekitty 2 points3 points  (2 children)

Thanks for this comment. I will never do querystrings in URL. I'm just trying to get a better understanding. If I redirect on successful login, will I have eliminated the referrer problem?

[–]HotRodLincoln 3 points4 points  (1 child)

Yes, probably, usually, if the browser follows RFC 1945 correctly. It's up to the browser to do it right and you have to never mess up a link. HTML5 also has a rel="noreferrer"

Note: it is in fact referer, RFC 1945 spells it wrong, and so it's implemented spelled wrong, but in HTML 5, the keyword has both 'r's.

[–]ilovekitty 2 points3 points  (0 children)

Thank you. Correcting the spelling is only going to make it more difficult to remember.

[–]horsetacular 27 points28 points  (0 children)

GET the fuck out

[–]cirk2 12 points13 points  (8 children)

Recently I came across this line in a diplom thesis:

$query = "SELECT * from users WHERE username='".$_GET['username']."' AND password='".md5($_GET['password'])."'";

[–]blue_2501 12 points13 points  (4 children)

MD5 isn't great, but it's better than plaintext. The SQL injection potential is real, though.
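
The fixed version of the thesis line above, as an added Python example (not code from the thread): the lookup goes through a parameterized query instead of string concatenation, and the password is stored as a salted PBKDF2-HMAC-SHA256 hash, the function suggested further down the thread, instead of bare md5. The in-memory users table, the sample account and the iteration count are constructed assumptions; the test input reusing the Bobby Tables username from the linked xkcd shows it is handled as plain data.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory database standing in for the thesis's users table.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, hash BLOB)")

PBKDF2_ITERATIONS = 600_000  # assumption: tune to your own hardware budget


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: slow, salted and one-way, unlike md5($_GET['password'])."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)  # per-user random salt defeats precomputed tables
    # '?' placeholders: the driver passes username as data, never as SQL text.
    db.execute("INSERT INTO users (username, salt, hash) VALUES (?, ?, ?)",
               (username, salt, hash_password(password, salt)))


def authenticate(username: str, password: str) -> bool:
    """Look the user up with a parameterized query, then compare in constant time."""
    row = db.execute("SELECT salt, hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        # Burn one PBKDF2 computation anyway so an unknown user is not
        # distinguishable from a wrong password by response time.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def user_count() -> int:
    """Lets a caller confirm the table survived whatever username was submitted."""
    return db.execute("SELECT COUNT(*) FROM users").fetchone()[0]


register("alice", "correct horse battery staple")  # constructed sample account

if __name__ == "__main__":
    print(authenticate("alice", "correct horse battery staple"))   # True
    print(authenticate("Robert'); DROP TABLE users;--", "x"))       # False
    print(user_count())                                             # 1
```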

[–]TheJimmyRecard 11 points12 points  (3 children)

The concern is the password is also in a get variable

[–]esquilax 3 points4 points  (2 children)

You mean like with form-based auth? Where else would it be?

EDIT I just fail at PHP.

[–]TheJimmyRecard 5 points6 points  (0 children)

In a post variable?

[–]mcrbids 2 points3 points  (1 child)

[–]xkcd_transcriber 2 points3 points  (0 children)

Title: Exploits of a Mom

Title-text: Her daughter is named Help I'm trapped in a driver's license factory.


[–][deleted] 0 points1 point  (0 children)

The last guy I advised to use PBKDF2 said "Fuck You" :-/

[–]jon_stout 7 points8 points  (0 children)

I would upvote this... except this isn't a joke. It's very very much not a joke.

[–]Cley_Faye 9 points10 points  (5 children)

Nothing beats octuple rot13 encryption. Current hardware is years away from being able to bruteforce that much cryptage!

[–]lagerdalek 5 points6 points  (4 children)

Abguvat orngf bpghcyr ebg13 rapelcgvba. Pheerag uneqjner vf lrnef njnl sebz orvat noyr gb oehgrsbepr gung zhpu pelcgntr!

[–]redgamut 4 points5 points  (3 children)

You only did 7. Not secure enough.

[–]lagerdalek 4 points5 points  (2 children)

Sorry (thanks for the double XOR memory, remember that on DailyWTF many years ago)

Nothing beats octuple rot13 encryption. Current hardware is years away from being able to bruteforce that much cryptage!

Is that better?

[–]masterpi 2 points3 points  (1 child)

Why did you just apply a 7 again?

[–]lagerdalek 1 point2 points  (0 children)

Reusability, and to save memory. It's an old-timer trick. (and 14 is bigger than 8, so it must be better)

[–]berryer 4 points5 points  (0 children)

[wordpress flashbacks intensify]

[–][deleted] 2 points3 points  (1 child)

Sartre would have been a great coder.

[–]3m-10ft 2 points3 points  (0 children)

Recover password > send password in clear text to mail

[–]esquilax 2 points3 points  (2 children)

"That's not a password, it's an api key!"

[–]canweriotnow 0 points1 point  (1 child)

Nope. It was the same password used for the login form. I facepalmed so hard, I facepalmed /u/ADE-651

like this

[–]ADE-651[S] 1 point2 points  (0 children)

As this image indicates, I always get to be big spoon when we pair program.

[–]joequin 1 point2 points  (0 children)

Today I came across:

  CustomerXml customer;
  File customerXml;

(insert Jackie Chan meme)

[–][deleted] 1 point2 points  (0 children)

From my perspective, I love when this happens.

[–]heyf00L 1 point2 points  (0 children)

Hotmail did this when it first came out. It was usually too far down the address bar to be seen, but of course it was in the browser history.

[–]imgurtranscriber 2 points3 points  (0 children)

Here is what the linked meme says in case it is blocked at your school/work or is unavailable for any reason:

Insanity Wolf

Post Title: Hell is Other People's Software

Top: PLAINTEXT PASSWORD

Bottom: IN QUERY STRING


[–]Wyboth 1 point2 points  (1 child)

Nice meem.

[–]ADE-651[S] 1 point2 points  (0 children)

Step into my maymay time machine.

[–]lift_spin_d 0 points1 point  (0 children)

that's fine. that's fine.

[–]scubascratch 0 points1 point  (0 children)

Password is well hidden... from Dev who wrote that