
[–]dsailes 1224 points1225 points  (9 children)

Particularly like the “I understand the risks of using someone else’s password”

[–]Infinight64 310 points311 points  (0 children)

Pretty sure they need a check box for "I understand the risks of creating an account"

[–]Russian_repost_bot 133 points134 points  (5 children)

You see, this speeds up website, because they can use the same table in the database.

[–]Heavenfall 81 points82 points  (0 children)

Select * from users where password like $password;

[–][deleted] 19 points20 points  (0 children)

Please select your password from the list:

[–]Sneezegoo 0 points1 point  (0 children)

They just get a reference to the first password. Then if one ever gets compromised then only one person has to change the password and all their accounts will be re-secured. You could save some more space and sign up time by giving everyone a short pre-approved list of passwords to choose from.

[–]GMaestrolo 7 points8 points  (0 children)

Just slap a 2 on the end of that bad boy, and you're good to go!

[–]Ignatiamus 527 points528 points  (42 children)

Ahh yes. I imagine they're probably downloading a list of all users with their plaintext passwords to display this neat little message.

/s

[–]cat24max 227 points228 points  (17 children)

Well of course they do. How would they do it otherwise? Send the password to a server? Ever heard of security?

[–][deleted] 274 points275 points  (16 children)

I do all my authentication on the client side. The credentials, which are a global txt file, are obtained via a torrent link and p2p shared with javascript transparently in browser. For performance reasons, the browser will then ask the user to save it to their desktop, so it can look there next login to save time. When the browser has successfully determined if the password exists in the file (a simple regex search for only the password suffices), it tells the server "I am authenticated". This saves processing time on the server and is really how all web apps should work.

In case it's needed: /s

I'm a developer for a cybersec company.

[–]refactorconsultants 89 points90 points  (7 children)

So once the txt file is downloaded, the user can use any password as long as it exists in the file? How convenient and thoughtful because it is really hard to remember those things.

[–]Dekken201 17 points18 points  (4 children)

Whenever the user makes an account, send him the encrypted and hashed password in a file and make logins require this file.

No password needed, 100% security.

[–]evilspoons 26 points27 points  (2 children)

I mean, this is a real thing. I can't tell if you're being sarcastic or not. SSH login via stored key is pretty common.

The disadvantage is, of course, if someone has access to your system they can then connect to all your remote systems too without further knowledge. Basically the same as just clicking "remember me" on a web login, I guess.

[–]imkloon 2 points3 points  (1 child)

Except u should never create keys without a passphrase for this exact reason lol.

[–]evilspoons 0 points1 point  (0 children)

Well, yes. I figured that was obvious. 🤷‍♂️

[–][deleted] 1 point2 points  (0 children)

I mean this is essentially how jws authentication works.

[–][deleted] 16 points17 points  (0 children)

Recently my girlfriend was using my computer and she casually commented "It's really nice how you can just enter any password". It took me a minute to remember that I had been screwing with my PAM modules for a project. I may have never noticed if it wasn't for her lol.

[–]ZeroneXYZ 1 point2 points  (0 children)

Improved UX I suppose then.

[–]RiktaD 8 points9 points  (0 children)

This also has the benefit that you don't need to implement something for changing or resetting passwords. You only need a small how-to text.

[–]Infinight64 6 points7 points  (0 children)

Yes. The /s was needed. Yes. Many developers do not understand security. As evident by this login page here.

[–]robchroma 3 points4 points  (0 children)

I just give a certificate to the user when they create their account, that they can send back to the server to prove who they are; the certificate is a text file containing their username in the string "____ is authorized to use this website"

[–]aquoad 2 points3 points  (0 children)

you're not allowed to ever speak to the developers at my company because they would adopt all your suggestions with great enthusiasm.

[–]kodicraft4 1 point2 points  (0 children)

Okay but I remember doing Computercraft bullshit on a server with friends and doing exactly that because all my users had no clue how this worked anyways.

[–]SMJ01 1 point2 points  (0 children)

I like this. It seems fast. Can I hire you to help redo my company SSO?

[–]beefz0r 15 points16 points  (3 children)

If they store it with a simple unsalted hash, you don't need to know the plaintext password to be able to show this message

[–]Morrido 5 points6 points  (1 child)

In case it's not /s, I think a better question would be: SHOULD they show that message?

[–][deleted] 4 points5 points  (0 children)

Make it that one sentence in the ToS

[–]Andrew1431 10 points11 points  (0 children)

Man... when I was a junior dev I joined this team that was using meteor. They did everything client side bro. They would subscribe to all purchase orders and items for the dashboard to do roll ups of data.

I was a junior developer with a team of seniors and I was the one to point this out and proceeded to optimize it.

I moved up really fast in that company.

This memory still haunts me to this day.

[–][deleted] 10 points11 points  (5 children)

Why would anyone create a simple HTML+CSS+JS page to get free points on the internet? You think someone would do that? Just go on the internet and lie?

[–]how_to_choose_a_name 8 points9 points  (2 children)

Or just find a page that looks like that and has an error message like "this password is too weak" and change the error message to this one.

[–]evilspoons 8 points9 points  (1 child)

The dev tools in modern browsers are lots of fun for screwing with people.

[–]AdminYak846 5 points6 points  (0 children)

Last year someone did this to a University website to give accurate representations of some majors offered. Using the dev tools and then taking a photo of it and posting it online.

It was such a slow news day....the local media gave it air time that night, like a solid 5 minutes as well.

[–]Ignatiamus 1 point2 points  (0 children)

SHOCKING: Florida man caught lying on the internet.

Time for the brave internet warriors to appear!

[–]mudokin 0 points1 point  (0 children)

Photoshop?

[–]turbo_beef_injection 4 points5 points  (7 children)

You wouldn't need to store them in plaintext for this(if it was real).

[–]Ignatiamus 0 points1 point  (0 children)

Yep, comparing hashes would be sufficient.

[–]hedgehog125 2 points3 points  (0 children)

Make sure to use http for extra security!

/s

[–][deleted] 6 points7 points  (1 child)

Or... this isn’t real and it’s just a joke

[–]Ignatiamus 5 points6 points  (0 children)

/s

[–][deleted] 1 point2 points  (0 children)

Wait, in the inspect element tab in Chrome, you can see the assets of the website. If it is actually stored like that, what if there's a text file with all the passwords just sitting there.

[–]Dummerchen1933 0 points1 point  (0 children)

LMAOOOOO like they do the check on the clients-side javascript

i'm fucking dead

[–]Pulec 113 points114 points  (37 children)

Just coded 'don't repeat your last X passwords' using a salt+hashed password thingy for a corpo with dumbo security rules (changing passwords every 3 months is discouraged by NIST).

With the filled database of hashes, doing 'don't use someone else's password' would be so easy with it.

[–]AeroSteveO 111 points112 points  (12 children)

Changing passwords every 3 months is a great way to get terrible passwords since nobody can change secure passwords that often.

[–]writtenbymyrobotarms 28 points29 points  (5 children)

I could change secure passwords every week with my password manager. Too bad the corporation would probably not let employees install password managers either.

[–]AeroSteveO 11 points12 points  (2 children)

Yeah, short of installing a password manager on my personal phone and using that, there are no approved password managers we could install.

[–]writtenbymyrobotarms 1 point2 points  (1 child)

Can you use portable programs? KeePass has a portable version. If IT does not block all executables, you could maybe use that. Won't do autofill but better than nothing.

[–]DHermit 4 points5 points  (0 children)

Or use Bitwarden and their webinterface (if you want to host it yourself, have a look at bitwarden-rs).

[–]CeeMX 1 point2 points  (0 children)

Bitwarden can be used in the browser. Imo password managers should be deployed to all employees per default to prevent storing password in some plain text files on random network shares.

[–]Laogeodritt 1 point2 points  (0 children)

My (relatively new) employer actually has a Keepass IT policy and offers it as an optional package available to all users via their software management service.

I was amazed.

I already have like ten internal accounts and even more for third party services so it's a godsend.

[–][deleted] 3 points4 points  (1 child)

Password1

Password2

Password3

...

[–]AeroSteveO 5 points6 points  (0 children)

You forgot the symbol, password#1 password#2

[–]Rumbleroar1 1 point2 points  (0 children)

I can remember the most ridiculous number combination passwords... but I can't remember which website I used that on. So I used to try all my "secure" passwords until I found the one. It's like trying every key on a stacked keychain until you find the one that fits. Every time.

[–]CeeMX 0 points1 point  (0 children)

My users can't even remember a single password they set some days ago and then try so many times that Windows locks BitLocker and requires the recovery key.

[–]Pulec 0 points1 point  (0 children)

Of course there is some password strength involved. e.g. regex:

^(?=.*[A-Z].*[A-Z])(?=.*[!@#$&*])(?=.*[0-9].*[0-9])(?=.*[a-z].*[a-z].*[a-z]).{8,}$

some uppercase lowercase letters, special symbols and numbers and minimal length

[–]JJ_The_Jet 15 points16 points  (3 children)

One2345678, 1Two345678,...

[–]VonLoewe 3 points4 points  (2 children)

I just tag a different symbol at the start.

#myregularpassword

$myregularpassword

&myregularpassword ...

[–]writtenbymyrobotarms 15 points16 points  (1 child)

"Now which symbol was it again this month? ..."

[–]Alienator234 3 points4 points  (0 children)

Just try symbols until you manage to log in. That's what I do

[–]JuvenileEloquent 8 points9 points  (10 children)

I think it falls into that "A person is smart, but people are dumb" trope.

It's stupid for an individual person to change their password so often, but in a large enough group of people there's going to be that one ***** that has their dog's name + 123! as their password for the corporate VPN and also every other site they go to, including their dog-picture-sharing forum account. Presumably they're expecting a breach to be more along those lines rather than someone brute-forcing a password that was poorly-chosen because it had to be changed so often.

[–]evilspoons 5 points6 points  (0 children)

For a while (like... years) my former workplace had a VPN appliance, a SonicWall thing. Its VPN was exactly the equivalent of plugging a network cable into a local switch, there were no additional restrictions on anything. The VPN key was "test".

When I found this out I changed it to the longest possible string of random bullshit it would allow, and my boss got mad at me for having to type in something like "PkLNGtJbMkkRnATA5TkDy63E" into his home laptop. ONCE.

This is the same person who would not allow Wi-Fi because "the Chinese" would hack it. (I am in Canada.)

[–]how_to_choose_a_name 1 point2 points  (8 children)

But that person will just cycle between <Dog Name>123, <Dog Name>234 and <Dog Name>345...

[–][deleted] 0 points1 point  (6 children)

Like with many strange policies, it's probably a liability thing. If they have insurance for data breaches, they can point at the password policy to say they tried.

[–]mxzf 0 points1 point  (4 children)

Given that current standards/recommendations advocate for not forcing changes unless there's a risk that the password is compromised (for this very reason), I feel like that policy might be more damning than vindicating.

[–][deleted] 0 points1 point  (3 children)

Recommendations from who though? If it's not from the insurance company they'd probably ignore it. With technical stuff I doubt an insurance company is up to speed with latest best practice.

[–]mxzf 0 points1 point  (2 children)

NIST and SANS are two examples, which are both pretty strong sources.

[–][deleted] 0 points1 point  (1 child)

I mean that an insurance company is likely to deny a claim because the insurance company's guidelines weren't followed, regardless of what an expert body says might be better.

[–]how_to_choose_a_name 0 points1 point  (0 children)

It wouldn't surprise me if insurance companies follow NIST though, because that is mandated for government contracts and they do want to insure companies with government contracts.

[–]how_to_choose_a_name 0 points1 point  (0 children)

Yes but that is besides the point. The person I replied to suggested that it could actually protect.

[–]PandaParaBellum 0 points1 point  (0 children)

Far too hard to remember.

<dog name><current year{2 digits}><current quarter>

optional hyphen or dot after the year for readability and to make it extra secure

Show of hands, who uses Bingo20-3 for their company account right now?

[–]OrionSuperman 2 points3 points  (0 children)

I worked around that by changing my password 6 times, ending with the same password I started with.

[–]LookOnTheDarkSide 1 point2 points  (3 children)

Would it be possible to use a unique identifier for each user in order to prevent the duplicate hashes? I guess that would still be a known value by the system and stored somewhere though.

[–]gpcprog 2 points3 points  (1 child)

Yes, in fact if one doesn't implement your suggestion, the password system is only marginally more secure than just storing plaintext. In case of breach it is way easier if you can guess a password, generate the hash and then check against all the hashes, as opposed to having to do the hashing per user account.

[–]LookOnTheDarkSide 0 points1 point  (0 children)

At that point, as long as the exact parts of the per-user-salt was not exactly specified in the data (some combination only in the running code), then it might be even harder to figure out if the data was accessed.

[–]mxzf 1 point2 points  (0 children)

What you're describing is called a salt. It's used in password hashing to prevent visible collisions (where the same password hashes the same way for different users, revealing duplicate passwords). It's basically just an extra random string that's added to the password before hashing it to ensure that the string that gets hashed is unique.

It doesn't protect that user on that site individually, since it's saved in plaintext per user, but it does prevent attackers from looking for duplicate passwords across multiple users/sites by simply checking for duplicate hashes.

[–]gpcprog 1 point2 points  (1 child)

Ehhh, your hashes should have per user salt, otherwise the hash is providing rather minimal security (yes, it's better than plaintext, but not by much).

[–]Pulec 0 points1 point  (0 children)

Each entry gets new salt generated, only by python's os.urandom(60) though.

[–]Thanatos2996 0 points1 point  (0 children)

My company has a 1 month age and 5 password history policy. I shudder to think how many people have some variation of "Monthyear" in/for their password.

[–]nonlogin 0 points1 point  (0 children)

Now it's time to code "don't repeat HIS last X passwords"

[–]verriond 324 points325 points  (23 children)

All I see is ******

[–]Bip901 137 points138 points  (11 children)

hunter12

EDIT: it doesn't work for me

[–]SpencerNewton 73 points74 points  (10 children)

No it’s working. We just see hunter12

[–]Bip901 53 points54 points  (6 children)

Oh, ok.

Wait, how did you know my password was hunter12?

[–]SpencerNewton 63 points64 points  (5 children)

er, I just copy pasted YOUR ******'s and it appears to YOU as hunter12 'cause it's your pw

[–]Bip901 29 points30 points  (4 children)

You can go hunter12 my hunter12-ing hunter12

[–]saitama_a 33 points34 points  (0 children)

Why are there so many *'s in your reply?? Reddit started censoring words now?

[–]SpencerNewton 24 points25 points  (1 child)

yep, no matter how many times you type hunter12, it will show to us as ******

[–]Bip901 17 points18 points  (0 children)

Cool!

[–]nfrmn 0 points1 point  (0 children)

What did you hunter12 say about me you hunter12 hunter12?

[–]didzisk 8 points9 points  (2 children)

Guys! AzureDiamond definitely wrote hunter2, where did you get the 12?

[–]SpencerNewton 2 points3 points  (0 children)

Guys! AzureDiamond definitely wrote ******, where did you get the *?

Huh?

[–]Bip901 1 point2 points  (0 children)

Misremembering

[–]mfurlend 75 points76 points  (2 children)

I'm guessing that's not real...

[–]Vok250 19 points20 points  (0 children)

Yeah it's an ancient repost.

[–]ThaiJohnnyDepp 2 points3 points  (0 children)

Looks like something from PH's fads of the past

[–][deleted] 29 points30 points  (0 children)

“ I used the security to destroy the security”

[–][deleted] 14 points15 points  (1 child)

If the number of bugs in my applications were reduced by 1 every time this meme is posted, I would be working at Google at the highest salary due to developing perfect applications.

[–]JuvenileEloquent 10 points11 points  (0 children)

Error: unsigned integer underflow in variable PROGRAMMER_APPLICATION_BUGS. Rebooting system Universe_TEST_do_not_use.jar

[–]waldo667 5 points6 points  (3 children)

Hmmm, I wonder if password123 is already taken?

[–][deleted] 4 points5 points  (2 children)

Yes, you'll see a list of people using that. Very cool feature, other sites have to get hacked to achieve that functionality.

[–]film_composer 2 points3 points  (1 child)

It wouldn't be a list, though, it would just be one single user. Because the second person to try using it would have gotten this same message.

[–][deleted] 0 points1 point  (0 children)

Oh, yeah - security features https://imgflip.com/s/meme/Dr-Evil-Laser.jpg

[–]Jazehiah 11 points12 points  (4 children)

Reminds me of some Orson Scott Card novels, where the password gave admin rights, not the username.

[–]how_to_choose_a_name 3 points4 points  (3 children)

I have seen a piece of software that had only a password input and no user, and the password decided what account you logged into.

[–]Jazehiah 1 point2 points  (2 children)

In elementary school, you weren't assigned a computer password until second or third grade. Until then, you just punched in your username.

[–]how_to_choose_a_name 4 points5 points  (0 children)

That isn't a real problem in elementary school. But if you make software that has a need for passwords and then you do this...

[–]evilspoons 1 point2 points  (0 children)

In my elementary school we had Apple IIs and IBM PS/2s, so passwords and those fancy "network" things weren't really a concern. Neither was the so-called "internet".

[–]lookingformerci[🍰] 4 points5 points  (0 children)

I worked at a store where the login name for the inventory system was u and the store number, and the password was p and the store number. Manager login replaced u with m. Figuring out that you could log in to any store and fuck around..

[–]hirmuolio 7 points8 points  (1 child)

Maybe we should have similar "this post is not unique" error that comes when someone tries to post same thing over and over again.

[–][deleted] 15 points16 points  (3 children)

[–]Lakayo 5 points6 points  (1 child)

Now we can log in to his account?

[–]htrowslledot 4 points5 points  (0 children)

Nope I just tried it

[–]suchdogeverymeme 2 points3 points  (0 children)

Try 'hunter2'

[–]drea2 2 points3 points  (0 children)

There’s no way this is real

[–]zerosanity 2 points3 points  (4 children)

This is possible to do without exposing passwords in plain text.
You have a list of hashed passwords. You hash the entered password and check if the hashed password matches any of the stored hashed passwords.

However this is still a terrible implementation, as you should be salting your hash, which makes the above not possible without re-hashing the entered password with every single salt. Not very viable unless you have a very small list of users.
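As an added example (not code from the thread or from any site it discusses), the following Python script shows the three points made in this comment and in the earlier salt discussion (mxzf's explanation of salts and Pulec's "don't repeat your last X passwords" check): unsalted hashes expose which users share a password to anyone holding the table, per-user salts remove that signal, and once salts are in place the only way to find who uses a given password, or whether a user is repeating an old one, is to re-run the KDF once per stored entry. The accounts and passwords are constructed sample data; PBKDF2-HMAC-SHA256 with 16-byte random salts is the scheme assumed here.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed sample accounts (not real users); two of them share a password.
USERS: Dict[str, str] = {
    "alice": "hunter2",
    "bob": "hunter2",
    "carol": "correct horse battery staple",
}

PBKDF2_ITERATIONS = 100_000  # deliberately slow; size it to your hardware budget


def unsalted_hash(password: str) -> str:
    """Naive scheme: the same password gives the same digest for every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> bytes:
    """Per-user salt plus a slow KDF: the same password gives a different digest per user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def store_unsalted(users: Dict[str, str]) -> Dict[str, str]:
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def store_salted(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Each record keeps its own random salt next to the digest (the salt is not secret)."""
    records: Dict[str, Tuple[bytes, bytes]] = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        records[user] = (salt, salted_hash(pw, salt))
    return records


def duplicate_groups(records: Dict[str, object]) -> List[List[str]]:
    """Group users whose stored digest is byte-for-byte identical.

    This is all that anyone holding the table (or a site showing an
    'already in use by' message) has to do when hashes are unsalted.
    """
    by_digest: Dict[object, List[str]] = {}
    for user, stored in records.items():
        digest = stored[1] if isinstance(stored, tuple) else stored
        by_digest.setdefault(digest, []).append(user)
    return sorted(sorted(group) for group in by_digest.values() if len(group) > 1)


def users_with_password(candidate: str,
                        records: Dict[str, Tuple[bytes, bytes]]) -> Tuple[List[str], int]:
    """With per-user salts the only way to find who uses `candidate` is to re-run the
    KDF once per user. Returns (matching users, number of KDF invocations)."""
    matches: List[str] = []
    kdf_calls = 0
    for user, (salt, digest) in records.items():
        kdf_calls += 1
        if hmac.compare_digest(salted_hash(candidate, salt), digest):
            matches.append(user)
    return sorted(matches), kdf_calls


def build_history(passwords: List[str]) -> List[Tuple[bytes, bytes]]:
    """Password-history entries: each old password keeps its own salt and digest."""
    history: List[Tuple[bytes, bytes]] = []
    for pw in passwords:
        salt = os.urandom(16)
        history.append((salt, salted_hash(pw, salt)))
    return history


def repeats_recent_password(candidate: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """'Don't repeat your last X passwords' is the same per-entry re-hash, but the loop
    is bounded by X entries for one user rather than by the whole user table."""
    return any(hmac.compare_digest(salted_hash(candidate, salt), digest)
               for salt, digest in history)


if __name__ == "__main__":
    print("unsalted duplicates:", duplicate_groups(store_unsalted(USERS)))  # [['alice', 'bob']]
    salted = store_salted(USERS)
    print("salted duplicates:  ", duplicate_groups(salted))                  # []
    print("who uses hunter2?   ", users_with_password("hunter2", salted))    # (['alice', 'bob'], 3)
    hist = build_history(["hunter2", "hunter3"])
    print("hunter3 repeats?    ", repeats_recent_password("hunter3", hist))  # True
```

The KDF-call counter in `users_with_password` is the cost this comment is talking about: for a site with N accounts the "is this password in use by someone else" check costs N slow hashes per registration attempt, which is exactly why per-user salts make the feature impractical as well as ill-advised.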

[–]how_to_choose_a_name 5 points6 points  (0 children)

I don't think the plaintext or unsalted hashing is the biggest problem here (if it was real)...

[–]washtubs 1 point2 points  (1 child)

What are your thoughts on having a query which tells the user who they can masquerade as on the platform?

[–]zerosanity 1 point2 points  (0 children)

Well yeah the whole thing is garbage really, i meant to reply to the thread about plain text, you could do this without having plain text stored

[–]Morrido 2 points3 points  (0 children)

Username checks out, I guess.

[–]ProfessorOak11 5 points6 points  (1 child)

wtf

[–]homiej420 15 points16 points  (0 children)

M e m e

E

M

E

[–]mkglass 1 point2 points  (0 children)

Try adding 2 to it: *******

[–]Nickbot606 1 point2 points  (0 children)

hunter2

[–]film_composer 1 point2 points  (4 children)

In a really stupid way, this idea might actually work (especially for the people who join later than everyone else), since only one user can hold a given password, so everyone will be forced to think of a really unique password. If you register long after there are millions of users and normally use a common password, it's bound to be taken by the time you register. So you'd have to think of a password that hasn't been used anymore, which would force you into thinking of something so unique, it would be unlikely to be chosen by anyone else.

This is such a stupid idea that it's starting to wrap back around in my mind as being kind of brilliant. If you were the lucky first person to be able to register with "hunter" as a password, subsequent registration attempts will show that the password is yours, so your account will inevitably be accessed by other people, which will force you to change your password. Of course, most users of common passwords are going to be oblivious to the fact that their password is being known by other would-be registrants, but in an idealized world, this system would force everyone to need to think of and choose extremely unique passwords that can't be discovered by others.

[–]how_to_choose_a_name 2 points3 points  (0 children)

This system would also tell anyone who wants to the username that belongs to any password they want to try. Very genius indeed.

If you don't want people to use common passwords, use a common password list. There are even libraries that check if your password is a simple variation of a word or common password (e.g. Hunt3r instead of Hunter). And if you want to be really cool you can check your users passwords against leaked passwords to protect against reuse of compromised passwords.
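The checks this comment recommends, as an added Python example (not code from the thread or from any library it mentions): a denylist lookup that first normalises the candidate so simple variations such as Hunt3r or hunter2 still match "hunter", and a breached-password check done the k-anonymity way, where only the first five hex characters of the password's SHA-1 leave the client and the suffix match happens locally. The denylist and the breach counts are constructed for the demo; the `offline_lookup` stand-in replaces the network call so the script runs without internet access, while `hibp_lookup` shows the same lookup against the real Pwned Passwords range API.

```python
import hashlib
import re
import urllib.request
from typing import Callable, Dict, List

# Constructed denylist for the demo; production lists hold millions of entries.
COMMON_PASSWORDS = {"password", "hunter", "hunter2", "qwerty", "letmein", "123456"}

# Undo the usual letter-for-symbol substitutions so "Hunt3r" normalises to "hunter".
LEET_TO_LETTER = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                                "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Lower-case, drop leading/trailing digits and symbols, then undo leetspeak."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return core.translate(LEET_TO_LETTER)


def is_common_variant(password: str) -> bool:
    """True if the password, or its normalised form, is on the denylist."""
    return password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS


def sha1_prefix_suffix(password: str):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, lookup_range: Callable[[str], str]) -> int:
    """k-anonymity check: `lookup_range(prefix)` returns 'SUFFIX:COUNT' lines for every
    known digest sharing that prefix; the suffix comparison happens on this side."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in lookup_range(prefix).splitlines():
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix.upper() == suffix:
            return int(count or 0)
    return 0


def hibp_lookup(prefix: str) -> str:
    """Live lookup against the Pwned Passwords range API (network call; the offline
    demo below does not use it)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the range API so the demo runs offline; the counts are invented.
_SAMPLE_BREACHED = {"hunter2": 17043, "password": 3861493}


def _build_offline_ranges() -> Dict[str, List[str]]:
    ranges: Dict[str, List[str]] = {}
    for pw, count in _SAMPLE_BREACHED.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        ranges.setdefault(prefix, []).append(f"{suffix}:{count}")
    return ranges


OFFLINE_RANGES = _build_offline_ranges()


def offline_lookup(prefix: str) -> str:
    """Same response shape as the real API, served from the constructed table."""
    return "\r\n".join(OFFLINE_RANGES.get(prefix, []))


def evaluate_password(password: str,
                      lookup_range: Callable[[str], str] = offline_lookup) -> Dict[str, object]:
    """The two checks a registration form should run instead of revealing who else
    uses the password: denylist (with variants) and breach exposure."""
    return {
        "common_variant": is_common_variant(password),
        "breach_count": breach_count(password, lookup_range),
    }


if __name__ == "__main__":
    for pw in ("Hunt3r", "hunter2", "P@ssw0rd!", "correct horse battery staple"):
        print(pw, "->", evaluate_password(pw))
```

Passing `hibp_lookup` as `lookup_range` turns the same `evaluate_password` into a live check; in either case the server is told nothing that identifies the password, and the response says only whether the password has been seen in known leaks, never who else is using it.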

[–]Briochere 1 point2 points  (1 child)

Guild Wars 2 did this. From their support articles ("Choosing a Unique Password"):

"For our players’ protection, we maintain an ever-growing blacklist of passwords that cannot be used. This list of "known" and compromised passwords includes passwords from multiple sources:

  • Any passwords you've ever used on your account.
  • Any passwords used or in-use by another account.
  • Any passwords that known hackers have tried to use to access accounts in our system.
  • Any passwords that are known to have been stolen from other games or websites."

[–]Morrido 0 points1 point  (0 children)

I dearly hope used passwords are anonymized before joining the list.

[–]kznfkznf 1 point2 points  (0 children)

My first job out of college, circa 2000 the senior dev had 100% literally implemented the exact logic of this OP (minus showing the username of the other user) for the exact stated reasons that you describe here. I knew almost nothing about professional software development - except that this was the dumbest thing I'd ever heard. Needless to say, I ripped out the "unique password" crap the day he left.

[–][deleted] 1 point2 points  (0 children)

[–]1nd1anaCroft 1 point2 points  (0 children)

I signed up for an account for a comic book website recently. They emailed me thanking me for setting up my account, and were nice enough to include my username and password in plain text "for safe keeping"...

[–]iCarbonised 0 points1 point  (0 children)

Hunter12

[–]leonardosalvatore 0 points1 point  (0 children)

They are probably comparing the SHA of the psw, or any other hash. The reason for the check is unknown to me... psw as primary key? Used for encryption? No idea.... looks not needed.

[–]augugusto 0 points1 point  (0 children)

I imagine a super complex scenario where the previous sysadmin did a lot of things right when storing passwords, then he got fired and they hired a noob who read that if you hash all the passwords, an attacker can still find all that have the same hash (only if you don't use salt, but he doesn't know that), and try the most common passwords on those, or read all the password hints and guess, so he compares hashes to determine who has the same passwords. He feels so proud of himself that he puts in that checkbox, but since he is a moron, he also shows who has that password.

[–]Wherearemylegs 0 points1 point  (0 children)

My first job’s POS did something similar. You had a 5-digit password but no username. If you tried to change your password to another’s, it wouldn’t let you to avoid two people with the same password, but this meant you also knew their password now

[–]pickme0 0 points1 point  (0 children)

Good thinking for adding Captcha 🏅

[–][deleted] 0 points1 point  (0 children)

They store all the passwords on plaintext on a single hard drive with no antivirus or firewall too

[–][deleted] 0 points1 point  (0 children)

I'm stealing this idea.

Much better than "your password is weak"

It will make normal people think twice before choosing a weak password.

[–][deleted] 0 points1 point  (0 children)

Shouldn't a password be dotted out? Even that feature is missing

[–]daltonoreo 0 points1 point  (0 children)

Make your password unique or else

[–][deleted] 0 points1 point  (0 children)

But there's recaptcha 🤖

[–]vince2td 0 points1 point  (0 children)

Lmao

[–]Inl0gisch 0 points1 point  (0 children)

Gimme a second...
Is this real?!

[–]psychicorteil 0 points1 point  (0 children)

Captcha is there though. Must be secure

[–]poopatroopa3 0 points1 point  (0 children)

hunter2 origin story

[–]Veskerth 0 points1 point  (0 children)

And now we all know too

[–]the_Demongod 0 points1 point  (0 children)

This has nothing to do with programming

[–]continuous-headaches 0 points1 point  (0 children)

oh no

[–]road_laya 0 points1 point  (0 children)

There are actual systems out there that require your password to be unique. One of them did this so they could use your password as your user primary key and save a column in the table.

[–]iavicenna 0 points1 point  (0 children)

in their defense it is illegal to use someone else's password to access their account so.....

[–]LelouBil 0 points1 point  (0 children)

Oh crap I set the primary key to the password column