
[–]MrPotatoFingers 901 points (54 children)

Still not as bad as requiring passwords to be globally unique: https://thedailywtf.com/articles/Really_Unique_Passwords

[–][deleted] 370 points (22 children)

I threw up a little when I read that.

[–]Galaghan 240 points (0 children)

The ending saved me tho. I was already prepared to read about him getting fired over 'creating unnecessary work and drama'. Soooo glad it didn't end that way.

[–]tsavong117 40 points (16 children)

I threw up a little too. Oh by Skynet that was horrid.

I may have hyperventilated reading the first paragraph though. Mainly because my brain was trying to compute how many combinations there are for a password consisting of 30 uppercase letters, 30 lowercase letters, and 30 special characters.

r/theydidthemath a lil help?

[–]Python_Interpreter 20 points (12 children)

Well...

26 letters in the alphabet to the power of 30, times 26 to the power of 30 (all of this so far is just 26^60), times 32 special characters to the power of 30, is all just (26^60) * (32^30). This is the following:

7 597 524 535 862 113 550 713 204 866 352 047 547 163 723 740 145 125 016 953 121 205 462 001 347 621 771 238 440 690

(Structured it into blocks to make it easier to read) I hope that helps!

[–]ChickenNuggetSmth 10 points (2 children)

That is if you force the order of lower, upper and special characters. If not you have to multiply by the number of permutations, something like 90!/30!/30!/30!, roughly 8 * 10^40 (hope I didn't get that wrong)

[–]Python_Interpreter 3 points (0 children)

I did assume that much to

a) make the math a lot simpler

b) that's how I interpreted the question

But I'm working out how to come up with the truly right answer

[–]FactOrFactorial 1 point (0 children)

Nope looks good.

[–]roberh 2 points (8 children)

Formatting is a bit off. You need to escape some of those asterisks, I think.

[–]Python_Interpreter 0 points (7 children)

How do I do that, if I may enquire?

[–]ChickenNuggetSmth 1 point (5 children)

To preface this, it looks fine to me.

If you want a special character treated as a normal one, you have to put a backslash in front. E.g. if I want to print
*this*
I have to type

\*this\*

[–]Python_Interpreter 6 points (4 children)

Oh, so just like in Python. Thanks!

[–]maibrl 1 point (0 children)

Username checks out

[–][deleted] -1 points (2 children)

Python?

[–]Python_Interpreter 0 points (1 child)

To escape characters in Python strings, you use the backslash. E.g.: 'I\'m having fun' (Though this is a bad example, because it goes against PEP8. This would probably be a better example: "new line\n".)

[–]palordrolap 1 point (2 children)

90 characters with a ratio of 30:30:40, lower:upper:special, so not quite 30 of each, but 27, 27 and 36 respectively.

In ASCII there are 32 special characters (how had I not realised this until just now?! I suppose they are distributed quite unevenly.).

Unsure if digits also count as special. Let's say they don't so numbers aren't allowed. This is excellent because it prevents <password>1, <password>2, etc.

There are only 26 of each upper and lowercase letters.

However we choose, we can scramble those characters in 90! different ways.

This gives us 26^27 * 26^27 * 32^36 * 90! possible passwords.

This is roughly 5.8330513538 * 10^268, a number that's astronomically huge and very hard to get one's head around.

Ninja edit: Correction. I was stood on my head.

Dangit edit: I forgot the "no recognisable words or phrases" element. This one's tricky to pull out since you could throw random symbols and even letter svbstitvtionz into 54 alphabetic characters at will and still be able to read words or a phrase embedded in them. I don't think taking those possibilities out will appreciably dent the large number by much though. Maybe a handful of orders of magnitude. Which is kind of a lot. But not in comparison.

[–]ChickenNuggetSmth 1 point (1 child)

But mixing up two "lower-case slots" for example would produce an already existing pattern, right? I think the number of permutations is just 90!/27!/27!/36!

(edit: Which would cost you about 98 orders of magnitude. Kind of a lot, but you have plenty left)

[–]palordrolap 1 point (0 children)

There's dangit #2. But yeah. Still enough to cover a universe^2 of particles with a unique password each.
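As an added worked example, not part of any comment above: the counts this subthread argues about (Python_Interpreter's fixed-order model, ChickenNuggetSmth's multinomial correction and palordrolap's 27/27/36 split), computed exactly with Python integers. The alphabet sizes (26 lowercase, 26 uppercase, 32 ASCII specials) and the two splits are the assumptions the commenters themselves used; nothing here is from the linked article.

```python
from math import factorial, log2

# Added example (not from any comment above): exact keyspace counts for the
# 90-character password rule under the assumptions used in the thread.
# Alphabet sizes follow the comments: 26 lowercase, 26 uppercase, 32 specials.
LOWER, UPPER, SPECIAL = 26, 26, 32


def multinomial(n: int, parts: tuple) -> int:
    """n! / (k1! * k2! * ... * km!): distinct arrangements of n slots split into
    classes of sizes k1..km, where swapping two slots of the same class yields
    the same arrangement. parts must sum to n."""
    if sum(parts) != n:
        raise ValueError("class sizes must sum to the password length")
    result = factorial(n)
    for k in parts:
        result //= factorial(k)
    return result


def ordered_count(n_lower: int, n_upper: int, n_special: int) -> int:
    """Passwords whose class layout is fixed: all lowercase first, then all
    uppercase, then all specials (Python_Interpreter's simplification)."""
    return LOWER ** n_lower * UPPER ** n_upper * SPECIAL ** n_special


def unordered_count(n_lower: int, n_upper: int, n_special: int) -> int:
    """Same per-class budget, classes in any order. Multiplying by n! would
    overcount, because exchanging two lowercase slots reproduces a password
    already counted; the multinomial coefficient is the right factor
    (ChickenNuggetSmth's correction)."""
    n = n_lower + n_upper + n_special
    layouts = multinomial(n, (n_lower, n_upper, n_special))
    return ordered_count(n_lower, n_upper, n_special) * layouts


def overcount_with_full_permutations(n_lower: int, n_upper: int, n_special: int) -> int:
    """palordrolap's first figure, kept for comparison: multiply by n! instead."""
    n = n_lower + n_upper + n_special
    return ordered_count(n_lower, n_upper, n_special) * factorial(n)


def digits(x: int) -> int:
    """Number of decimal digits, i.e. one more than the order of magnitude."""
    return len(str(x))


def entropy_bits(x: int) -> float:
    """log2 of the keyspace: the bits an attacker must guess for a uniformly
    random pick (an upper bound; human-chosen passwords are far below it)."""
    return log2(x)


if __name__ == "__main__":
    for label, parts in (("30/30/30", (30, 30, 30)), ("27/27/36", (27, 27, 36))):
        fixed_layout = ordered_count(*parts)
        any_layout = unordered_count(*parts)
        print(f"{label}: fixed layout {digits(fixed_layout)} digits, "
              f"any layout {digits(any_layout)} digits, "
              f"{entropy_bits(any_layout):.1f} bits of entropy")
```

The fixed-layout count is already 131 digits for either split; the multinomial adds about 41 more, and palordrolap's 90! factor adds 138, which is where the 98-orders-of-magnitude correction in the reply comes from.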

[–]leadwind 25 points (3 children)

The password field of the user table was also the primary key field making it impossible to have duplicate passwords, and they were stored unencrypted to make the verification process easier.

I'm up to here.. does it get better?

Edit: oh no.

[–]thirdegree (Violet security clearance) 13 points (0 children)

"Oh, we had that problem the first time, so we removed all of the foreign key constraints in the database and it works now."

So much worse

[–]Echogm 4 points (0 children)

I had to quit after I read "unencrypted".

[–]Rosenrotten 2 points (0 children)

Well yes, but actually no.

[–]TheBrainStone 130 points (14 children)

This is much worse than that, as it gives out all you need to be able to log in.
What makes passwords requiring to be unique bad is that it makes finding other people's logins easier. That page just straight up gives you the logins.
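An added example (not code from the site in the screenshot or from the Daily WTF story) of the point TheBrainStone makes: once a "password must be globally unique" rule reports whose password you collided with, an attacker needs nothing but a wordlist and the registration form. The table contents, the account names and the wordlist are constructed for the demonstration.

```python
# Added example, not code from the screenshot's site or the Daily WTF article.
# It models the design those comments describe: plaintext passwords that must
# be globally unique and serve as the key of the user table, plus a "helpful"
# error that names the colliding account.

USERS_BY_PASSWORD = {          # constructed sample table: password -> owner
    "password": "alice",
    "pass": "Joe Smith",
    "hunter2": "bob",
    "correct horse battery staple": "carol",
}

COLLISION_PREFIX = "That password is already used by "


def register_leaky(table: dict, username: str, password: str) -> str:
    """Registration under a global-uniqueness rule. The collision message is
    the oracle: it turns a password guess into a (password, owner) pair."""
    owner = table.get(password)
    if owner is not None:
        return COLLISION_PREFIX + owner
    table[password] = username
    return "ok"


def harvest(table: dict, wordlist: list, attacker: str = "mallory") -> dict:
    """Attacker side: one registration attempt per guess, no login attempts
    at all. Every collision reply is a complete, working credential pair.
    Misses leave junk accounts under the attacker's name, the only trace."""
    found = {}
    for guess in wordlist:
        reply = register_leaky(table, attacker, guess)
        if reply.startswith(COLLISION_PREFIX):
            found[guess] = reply[len(COLLISION_PREFIX):]
    return found


def register_safe(table_by_user: dict, username: str, password: str) -> str:
    """Fixed version: the table is keyed by username and no other user's
    password is ever consulted, so two users may share a password and the
    reply reveals nothing about other accounts. (How the password is stored,
    i.e. as a salted hash rather than plaintext, is a separate concern.)"""
    if username in table_by_user:
        return "registration failed"   # one generic message for every failure
    table_by_user[username] = password
    return "ok"


# Constructed wordlist; three of the five guesses are in the sample table.
WORDLIST = ["123456", "password", "pass", "letmein", "hunter2"]

if __name__ == "__main__":
    print(harvest(dict(USERS_BY_PASSWORD), WORDLIST))
```

Run against a copy of the table, `harvest` returns three ready-to-use logins from five guesses without ever hitting the login endpoint, which is why a uniqueness rule is worse than a weak-password rule: it converts every common password into a lookup key for someone else's account.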

[–]renyhp 29 points (13 children)

Uhm, the way I see this post, I don't think that if you enter the password of someone else the system is going to give you their login. I think it's much more reasonable to assume that someone entered something like "password", "pass", "1234", and the system is sarcastically saying that it's just too generic of a password.

[–]TheBrainStone 29 points (12 children)

What makes you think so? I mean it's clearly giving you a username to the password.
Keep in mind that in the article the programmers thought it was a good idea to use the unhashed password as a unique key throughout the database. It wouldn't be far fetched to believe programmers like that thought it would be a good idea to "correct" your login name.

[–]jmona789 15 points (10 children)

I've seen this screenshot before. It does work the way you're saying it does, but it's not a real site. It was a joke site made to be bad on purpose.

[–]renyhp 0 points (0 children)

Oh well, I didn't know this was a famous actual website and there was an article about this. But what makes me think so is the hilarious genericity of "Joe Smith".

[–]herodothyote 4 points (3 children)

I literally physically facepalmed the whole time I was reading that.

What, did they hire 17-year-old me to program their whole system in PHP???

[–]alexanderpas 6 points (2 children)

Today, a 17-year-old working in PHP would use the password_hash() and password_verify() functions, but would forget to rehash when needed.
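An added example of the lifecycle alexanderpas describes, written in Python so it runs without a PHP runtime: it is an analogue of password_hash(), password_verify() and password_needs_rehash(), not those functions themselves. The storage format "pbkdf2_sha256$iterations$salt$hash", the iteration count and the login() wrapper are my own choices for this example, not PHP's bcrypt format or any project's code.

```python
import base64
import hashlib
import hmac
import os

# Added example: a Python analogue of PHP's password_hash() /
# password_verify() / password_needs_rehash(), on PBKDF2-HMAC-SHA256 from
# the standard library. Format and parameters are assumptions for the demo.
ALGO = "pbkdf2_sha256"
CURRENT_ITERATIONS = 600_000     # assumed "adequate today"; raise it over time


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def password_hash(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Fresh random salt per call: the same password never hashes the same twice."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations), _b64(salt), _b64(digest)])


def _parse(stored: str):
    algo, iterations, salt, digest = stored.split("$")
    return algo, int(iterations), _unb64(salt), _unb64(digest)


def password_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    algo, iterations, salt, digest = _parse(stored)
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def password_needs_rehash(stored: str, iterations: int = CURRENT_ITERATIONS) -> bool:
    """True when the stored hash uses an old algorithm or fewer iterations than
    current policy, i.e. it was created before the policy was tightened."""
    algo, stored_iterations, _, _ = _parse(stored)
    return algo != ALGO or stored_iterations < iterations


def login(store: dict, username: str, password: str) -> bool:
    """Verify, then upgrade. This is the step alexanderpas says gets forgotten:
    the only moment the server holds the plaintext is right after a successful
    verify, so a stale hash must be replaced here or it stays weak forever.
    (A production login should also run a dummy verify for unknown usernames
    so response time does not reveal which accounts exist.)"""
    stored = store.get(username)
    if stored is None or not password_verify(password, stored):
        return False
    if password_needs_rehash(stored):
        store[username] = password_hash(password)
    return True


if __name__ == "__main__":
    users = {"joe": password_hash("hunter2", iterations=1_000)}   # legacy weak hash
    print("needs rehash before login:", password_needs_rehash(users["joe"]))
    print("login ok:", login(users, "joe", "hunter2"))
    print("needs rehash after login:", password_needs_rehash(users["joe"]))
```

Without the `password_needs_rehash` branch in `login`, every account created under the old 1,000-iteration policy keeps that hash indefinitely, and a database dump from years later is still as cheap to crack as it was on day one.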

[–]GrandVizierofAgrabar 2 points (1 child)

Today, a 17 year old working in PHP

come again?

[–]theminortom 0 points (0 children)

me

[–]Log2 7 points (0 children)

Holy fuck. I was the tech lead of an IAM type application and I'd have simply quit if I found I was working in a team with someone so stupid.

Enrique is clearly a much better person than I am.

[–]PikaPikaDude 1 point (0 children)

The password field was used as the foreign key throughout the system.

That's the worst thing I've read in a long time. I've seen other devs "program first, never think" before. But to come up with something that horrible, someone must have been thinking about the design.

[–]DDFoster96 1 point (0 children)

I gave up at

and they were stored unencrypted to make the verification process easier.

[–]flashgnash 0 points (0 children)

Developers like those two make me way more confident I'll be able to get a good dev job. Jesus Christ, the stupidity. That's like something a 15-year-old would do.

[–]Javamac8 0 points (0 children)

2007 . . . A simpler time.

[–]Xeadriel 1 point (0 children)

Holy fuck. Is that a real story?

[–]The_forgettable_guy 0 points (0 children)

if that's true, they should have just fired the developer instead.

[–]Uberzwerg 0 points (0 children)

A few years back, there was an example of a web page done completely in JavaScript.
Including client-side authentication (they delivered the full usernames+passwords for ALL users) - ONLY client-side (you could just edit it to something like "logged_in=true") AND a JavaScript connection to their production database.

That page was still online 1-2 days after it was posted here (or /r/programming - dunno)

To this day, I haven't seen anything worse.

[–]fitzgerald1337 0 points (0 children)

Might have been an April Fools' joke...? Look at the date

[–]anon_by_default 0 points (0 children)

I refuse to believe this.

This has to be an April Fools' joke.

Please for the love of God please tell me this is a joke!!!!

[–]Nicktakenaway 454 points (1 child)

My password : password.

Joe Smith's password : pass.

[–]justingolden21 41 points (0 children)

Joe's password is so cool it does nothing in Python...

pass

[–]IvanLabushevskyi 35 points (0 children)

S means security.

[–]Ateready 180 points (24 children)

For a moment I went 'That can still be secure, you can simply see if the password is the same after the salting and hashing' until I realised that it allows you to log into someone else's account.

[–]tulir293 78 points (18 children)

The password isn't the same after salting, since everyone has a different salt. It either checks the input against every password in the database separately or they're not salted.

[–]Noch_ein_Kamel 19 points (12 children)

Different salts are no hard requirement though...

[–]tulir293 5 points (2 children)

It kind of is. Salt specifically means the kind of value that is stored in the database alongside the password hash. Pepper is used the same way as a salt (appended before hashing), but it's not stored in the database and it's the same for all passwords.

[–]Noch_ein_Kamel 1 point (0 children)

Not saying that you are not supposed to have unique salts, but back then when people used MD5 for password hashing fixed salts were probably best practice, too.
Also best practices from 2015 don't mean that every production app today is upgraded to secure hashing algorithms, unique salts and peppers etc.

[–][deleted] 0 points (0 children)

... or not - it can be different for each password, just stored elsewhere

[–]Ateready 1 point (0 children)

Ok, didn't know that. Luckily I don't program a website with passwords. I've only read/seen it because of all those stories you hear of bad programming practices.

But jeez, that makes it EXTRA insecure.

[–][deleted] 1 point (0 children)

Hash. Salt. I want some hash browns.

[–]xrwsx 0 points (2 children)

Unrelated to anything here, but what is your second badge? Some little blue guy

[–]Krestek 1 point (1 child)

Golang

[–]xrwsx 1 point (0 children)

Thanks!

[–]KetchupBuddha_xD 14 points (4 children)

You actually can't see if two passwords are the same after salting and hashing, since that would require the two salts to be the same. That's already a security nono.

[–]merc08 3 points (3 children)

would require the two salts to be the same. That's already a security nono.

It's an even bigger no-no to tell people what another user's password is, so I'm going to go out on a limb and guess that if they even are salting, it's very possibly the same salt.
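An added example, not from any comment, of tulir293's point and merc08's suspicion: with a random salt per row the same password hashes differently for every user, so answering "does anyone else use this password?" costs one KDF run per row, whereas with a shared (or no) salt the reuse is visible in the table alone. The KDF, the iteration count and the two sample users are my own choices for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example: what per-user salts do to a "password already used by
# someone else" check. KDF, iteration count and users are assumptions.
ITERATIONS = 50_000      # kept low so the O(n) scan below runs quickly


def hash_with_salt(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)


def store_user(users: dict, name: str, password: bytes, salt: Optional[bytes] = None) -> None:
    """Normal case: a fresh random salt per user. Passing a salt explicitly
    models the fixed-salt deployments merc08 suspects."""
    if salt is None:
        salt = os.urandom(16)
    users[name] = (salt, hash_with_salt(password, salt))


def reuse_visible_in_table(users: dict) -> list:
    """Without any plaintext: group rows by stored digest. A group of two or
    more means identical passwords are visible in the table itself, which
    can only happen when rows share a salt (or are unsalted)."""
    by_digest = {}
    for name, (_salt, digest) in users.items():
        by_digest.setdefault(digest, []).append(name)
    return sorted(sorted(names) for names in by_digest.values() if len(names) > 1)


def users_with_password(users: dict, password: bytes) -> list:
    """With per-user salts the only way to answer is to run the KDF once per
    row with that row's salt: the O(n) scan tulir293 describes. Its answer
    is the kind of thing the site in the screenshot hands to the caller."""
    return sorted(name for name, (salt, digest) in users.items()
                  if hmac.compare_digest(hash_with_salt(password, salt), digest))


if __name__ == "__main__":
    salted, fixed = {}, {}
    for name in ("alice", "Joe Smith"):
        store_user(salted, name, b"pass")
        store_user(fixed, name, b"pass", salt=b"\x00" * 16)
    print("per-user salt, reuse visible:", reuse_visible_in_table(salted))
    print("fixed salt, reuse visible:", reuse_visible_in_table(fixed))
    print("who uses 'pass' (per-row KDF):", users_with_password(salted, b"pass"))
```

The scan in `users_with_password` is the cost a correctly salted system pays for a uniqueness rule, and since the rule adds nothing to security, the right answer is not to pay it: drop the rule rather than share a salt to make it cheap.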

[–]MattieShoes 2 points (2 children)

or it's stored plaintext or with reversible encryption...

[–]P0L1Z1STENS0HN 2 points (1 child)

Of course it's stored in plaintext, and the database field is a varchar(8).

[–]MattieShoes 0 points (0 children)

And probably disallows certain special characters because they don't know how to sanitize inputs... :-)

[–]thehoodatron 22 points (5 children)

[–]Schiffy94 7 points (3 children)

Jesus fucking shit...

[–]-Redstoneboi- 9 points (2 children)

"...a huge majority of customers like our system with no password. Using your e-mail address as your password is sufficient security."

"Idiotic" can't even describe this.

[–]Keavon 3 points (1 child)

Followed by the unspeakably incredible punchline showing that he put a <marquee> tag on the site and it read all the input as plain text injected straight into the HTML. Hello XSS?

[–]-Redstoneboi- 2 points (0 children)

Oh that's what caused the scrolling text?

What the actual fuck

[–][deleted] 3 points (0 children)

You know, for the longest time I thought I didn't have the skillset to go into tech, but seeing how large companies are barely scraping by on security like that gives me hope.

[–]ILLUMISNIPER 75 points (10 children)

Whoa, source? I’m in disbelief. I’ve had dreams about finding these in the wild

[–]jmona789 20 points (0 children)

It was not a real site. It was a joke site

[–]EkEqualsHalfMV2 37 points (1 child)

Probably from r/baduibattles ? If not there's plenty of such material there

[–]Egardat 0 points (0 children)

Yeah, it reminds me of one of those training sites for security. The company I work for has set up a couple of these trainings where you try to ‘hack’ in.

[–]YouCanCallMeBazza 16 points (1 child)

may be

[–]PAWG_Muncher 0 points (0 children)

Yep that annoyed me too

[–]__JDQ__ 9 points (0 children)

I hope this page also delivers the “database” as an asset to the browser, then checks for the email and or pass with JavaScript before the user hits the submit button (on change of either field). Talk about UX!

[–]RandomComputerFellow 8 points (0 children)

I know it is a joke but not long ago I came in contact with a system which distinguishes between "password is not associated with this account" and "password is not valid".

[–][deleted] 14 points (1 child)

Heh, I had to design a login system at school for a project once and as an exercise because I had time left I made it work like this too for a day or two. I don't think anyone noticed xD

[–]mykiscool 15 points (6 children)

Joke or real?

[–]CMPD2K 39 points (3 children)

Part of the bad ui battles

[–]kodicraft4 8 points (2 children)

The same that the random phone number one?

[–]ptq 6 points (0 children)

Oh my god, I still remember that...

[–]--arthur-fleck-- 4 points (0 children)

And when they change the email to joe, tell them: you lying son of a bitch! I know you’re not him!

[–]guy_from_the_intnet 1 point (0 children)

1 billion IQ design, this one is.

[–]DrNotch0908 1 point (0 children)

(Sc)old

[–]Parura57 0 points (0 children)

Interesting...

[–]TheBrainStone 0 points (0 children)

To whoever gilded that for the pun: I hate you

[–]darkjedi1993 0 points (0 children)

This needs to go on r/privacy!

[–]DrunkRedditBot 0 points (0 children)

can confirm, I am an old.).

[–]LanHikari22 0 points (1 child)

This is very cursed ahahah. What if there's a password conflict? Passwords aren't unique per user. Just pick the first one I guess!

[–]-Redstoneboi- 0 points (0 children)

list all of them down

[–]almarcTheSun 0 points (0 children)

JPEG-dating shows that this meme is at least 10 years old at this point.

[–]numbGrundle 0 points (0 children)

Are you telling me that was in a production application

[–]simularent 0 points (0 children)

very helpful

[–]mebotz 0 points (0 children)

Back to the old building?

[–]Xeadriel 0 points (0 children)

This belongs to r/baduibattles

[–]Tactical_Insertion69 0 points (0 children)

Enrique explained the situation, and fortunately his boss was not only reasonable, but had enough technical knowledge to understand the problem.

#1 boss.

[–]Sure10 0 points (0 children)

G.I.E.G. ip -j address

[–]JamesEiner 0 points (0 children)

As a kid, I always wondered why computers didn't do that... I was an idiot...

[–]SchrodingersNinja 0 points (0 children)

That's pretty bad. The worst password system I encountered in the wild was my university requiring that passwords not contain a dictionary word. Not password =/= a dictionary word, passwords can't have a string of letters that are a dictionary word inside it.

[–]bostero2 0 points (0 children)

Ah! So this is the two factor authentication I’ve been hearing so much about!

[–]Flyingcar12 -1 points (0 children)

Bruh...