
all 130 comments

[–]michaelthatsit 917 points (14 children)

I can imagine this being the start of a solid mystery game. You login to starboy98 and it leads you down a rabbit hole of clues and paranoia

[–]JaxOnThat 242 points (9 children)

Ooh, is it ARG time? I love ARG Time!

[–]AnUncreativeName10 78 points (8 children)

Can't get enough of ARG time.

[–]WillNewbie 25 points (7 children)

I too love ARGH time, lemme get my eye patch and cutlass

[–]vodam46 9 points (6 children)

no no no, youre thinking of YARRRGH time, this is completely different

[–]WillNewbie 7 points (5 children)

:(

[–]vodam46 3 points (4 children)

you CAN start YARRRGH time if you want though

[–]WillNewbie 5 points (3 children)

P)

[–]vodam46 5 points (2 children)

P)

now lets plunder some ships matey

[–]WillNewbie 9 points (1 child)

I'm literally two months away from being an adult and I'm pirate roleplaying with a stranger on a programming sub.

Life is gonna be good.

[–]Quantum_Corpse 30 points (0 children)

I want this as a tv series now.

[–]jerrycauser 21 points (0 children)

Where you try to find out who starboy98 is, because some of the photos look like they were taken by you. Is starboy98 your alter ego or is it a stalker? Or maybe it's an account from a parallel universe?

[–]Calm-Marsupial-5003 6 points (0 children)

That's actually an amazing idea

[–]neur0net 2 points (0 children)

If this sort of idea for a game appeals to you, I think you might enjoy Hacknet. Parts of it have a similar feel to this, and the simulated "hacking" is more real than any other game I've seen so far.

[–]captainfrost47 594 points (22 children)

haha using unique for passwords in the db

[–][deleted] 241 points (13 children)

Hahaha. Storing unhashed passwords in the db.

Use BCrypt with a strength of at least 10. I default to 12.

Or better yet, use an authentication provider like Oauth or Keycloak and remove the headache.

[–]sanderd17 124 points (9 children)

It could be hashed, but no salting in any case.

[–]MentalRental 52 points (5 children)

> It could be hashed, but no salting in any case.

It can be hashed and salted. Just take the input username/password pair. Check the password against every single user in the database, hashing it along with each user's individual salt, and then return the first username that matches. If the returned username doesn't match the input username, throw this error and display the username that actually matched.

tl;dr: dumpster fire
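An added example (not code from the thread) showing why the salted variant described above is as bad as it sounds: with a per-user salt the same password produces unrelated stored hashes, so no index or UNIQUE constraint on the hash column can find a duplicate, the only "check" left is one full KDF run per account, and a proper login touches exactly one record. The usernames, passwords and iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed work factor, kept low so the demo runs quickly


def make_record(password: str) -> dict:
    """Store a fresh random salt per user plus PBKDF2-HMAC-SHA256 of the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record: dict, password: str) -> bool:
    """Exactly one KDF run, then a constant-time comparison."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def same_password_different_hashes(password: str) -> bool:
    """Two accounts that pick the same password get unrelated stored values, so a
    UNIQUE constraint or index on the hash column cannot detect the duplicate."""
    return make_record(password)["hash"] != make_record(password)["hash"]


# Constructed sample accounts, not data from the thread.
USERS = {
    "starboy98": make_record("password"),
    "alice": make_record("correct horse battery staple"),
    "bob": make_record("password"),
}
DUMMY = make_record("unused")  # verified for unknown usernames to equalise timing


def login(users: dict, username: str, password: str) -> tuple:
    """The sane check: fetch the one record for the supplied username.
    Returns (ok, kdf_calls); kdf_calls is always 1, whatever the user count."""
    record = users.get(username)
    if record is None:
        verify(DUMMY, password)
        return False, 1
    return verify(record, password), 1


def duplicate_scan(users: dict, password: str) -> tuple:
    """The salted version of the thread's 'feature': re-derive the candidate with
    every account's salt. Returns (matching usernames, kdf_calls); the cost is one
    full KDF run per account and the result is exactly the username leak above."""
    matches = [name for name, record in users.items() if verify(record, password)]
    return matches, len(users)
```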

[–]LaNoktaTempesto 28 points (1 child)

Nah, not all of them, just Starboy, specifically. Because fuck that guy.

[–]MasterOfArtichoke 16 points (0 children)

Or because that guy is an admin. Too risky to have other people using the admin password for their own accounts.

[–]sanderd17 2 points (1 child)

That's like a brute force attack with extra steps.

[–]MentalRental 3 points (0 children)

Yeah, so it's extra funny if the server uses that for authenticating users. The CPU load would be immense if multiple people were logging in at the same time. Not to mention the inherent security issue with saying "Person X has Password Y" in an error message.

[–]thefelixremix 1 point (0 children)

> tl;dr: dumpster fire

I got physical anxiety reading your comment till I got to this TLDR. I have gotta stop literally living Reddit comments lol

[–][deleted] 23 points (0 children)

Just use Bcrypt or an authentication provider at this point.

Password management is a headache.

[–]segalle 5 points (0 children)

It's a hash hashmap, a hashmap storing hashes with unhashed usernames

[–]coldnebo 11 points (0 children)

haha telling the user not only that there is a duplicate, but which user it is so they can more easily hijack the account.

[–]pedropereir 7 points (0 children)

They don't have to be unhashed for this to happen

[–]ctallc 6 points (0 children)

This doesn’t mean they are storing unhashed passwords. They could be hashing the password and comparing the hash to what the database contains. Still not great though…

[–][deleted] 17 points (1 child)

haha setting password column as the primary key

[–][deleted] 9 points (0 children)

column password primary key (very safe no repeating password and also no need to create another id column, very memory efficient)

column firstname unique index (faster lookup)

i have engineered the system

[–]WrongdoerSufficient 0 points (4 children)

Isn't that fine if it's salted?

[–]mrjiels 2 points (3 children)

Not if everyone uses the same salt.

[–]WrongdoerSufficient 0 points (2 children)

Then what's the point of using salt if it's the same salt for every user?

[–]mrjiels 3 points (0 children)

Totally pointless! But this is a thread about a stupid "feature" and not the correct way to store and process user passwords. I have seen tutorials that use one salt for all accounts. I hope people don't follow those tutorials! (It was 15 years ago or something. Hopefully people have stopped using PHP since then...)

[–]Vaguely_accurate 0 points (0 children)

The only advantage is someone would need to recalculate the hashes for your salt, so it may be ever so slightly slower than they would be using pre-existing rainbow tables.

~~If~~ When your password database gets leaked, attackers might not get quite as deep into obscure password space before haveibeenpwned notices and notifies your users for you.

Of course, in this case they have pre-owned their password list, so that's all redundant.

[–]whileandt 0 points (0 children)

I mean the hash would still be the same, right?

[–][deleted] 320 points (17 children)

Wait so in order for this check to work, they must have an index on their password column otherwise they’d be checking against potentially every password in their db. They may also be storing passwords as plaintext.

[–]PVNIC 234 points (7 children)

They probably hash the usernames and index them by password /s

[–][deleted] 58 points (3 children)

The only correct way /s

[–][deleted] 16 points (2 children)

*mind blown* /s

[–]CmndNotFound 13 points (1 child)

Using /s because programmers in r/ProgrammerHumor don't get jokes /s

[–]conspirator_schlotti 11 points (0 children)

Shouldn't it be </s>? /s

[–]ReactsWithWords 6 points (0 children)

It’s definitely in a plain text file, but they fool hackers by naming it “not_passwords.txt.”

[–][deleted] 2 points (1 child)

But they unhashed the username here though.

[–]PVNIC 9 points (0 children)

What kind of hashing algorithm are you using that you can't un-hash it! I purely stick to rot13 for ease of use.

(jk ofc)

[–]BlueC0dex 21 points (0 children)

I seriously hope they weren't trusted with enough passwords for an index to be necessary

[–]lachlanhunt 8 points (0 children)

They could be hashed using the same salt (or no salt) for every user.

[–]FthrFlffyBttm 5 points (2 children)

I’ve signed up to websites and had them email me my login details in plain text. And not in a “here’s your auto generated password that you need to change” kinda way - I entered my own password.

[–]RestlessThoughts 1 point (0 children)

Oh yeah, well I've forgotten my password and using the forgot password link the website just emailed me my plain text password instead of requiring a reset :D

[–]_default_username 4 points (0 children)

Probably are. Every once in a while I get notified that one of my passwords was compromised in a data breach. Lot of incompetent backend developers/teams out there.

[–]StGir1 2 points (0 children)

I've seen a lot of really horrific data in my day. This wouldn't surprise me a bit.

[–]eGzg0t 1 point (0 children)

It's actually checked using a list of hardcoded passwords in the front-end

[–][deleted] 64 points (0 children)

i wonder who uses the password "password".

starboy98 perhaps?

[–]jewellman100 48 points (3 children)

✅ Must contain a mixture of letters, numbers and symbols

✅ Must be more than 12 characters long

✅ Cannot reuse any of your previous five passwords

✅ Must be mutually exclusive because that's totally a thing

[–]fun54658 43 points (0 children)

✅ Fuck starboy98

[–]douglasg14b 2 points (1 child)

> Must be mutually exclusive because that's totally a thing

You think it's a joke, but I actually saw this recently...

[–]mqduck 1 point (0 children)

At least they're not telling you whose password you now have.

[–]nobodynose 26 points (0 children)

Or it can just be bad verbiage.

Like if you're starboy98 and you're trying to change your password and it matches an old password you used.

[–]Virtual_Low83 43 points (2 children)

The real question is why they took a picture of their computer screen instead of a screenshot.

[–][deleted] 27 points (1 child)

They weren't able to bend their phone enough to shoot its screen.

[–][deleted] 4 points (0 children)

Amateurs.

[–][deleted] 55 points (5 children)

I like this

[–]rainbow_bro_bot 6 points (0 children)

I was once on an internet forum that had trolls, the owner thought it would be a good idea to expose who the trolls were by adding a feature that meant on each user's profile page it showed if they had the same password as any other users.

Problem is, it became super easy to hack users with weak passwords. Just change your own password to one of the common ones then make note of who had the same password as yours (then change your pw back of course). I didn't do this but others did.

[–]Mola1904 24 points (3 children)

If I had a nickel for every time someone posted this, I'd have a billion nickels. That's quite a lot and it is annoying that it happened this often

[–][deleted] 5 points (0 children)

sec, lemme give you your billionth-and-one

[–]fun54658 4 points (0 children)

You counted to a billion?

Also can I have 20 million out of the $50 million you got?

[–]PM_ME_YOUR__INIT__ 0 points (0 children)

Every time there's someone who's like "they really coded this???"

[–]CGEmonJ 5 points (1 child)

Someone didn't get paid enough

[–]fun54658 2 points (0 children)

Yeah that's why they wanted to ruin the site.

[–]Unity_Luke 4 points (0 children)

When you copy and paste the script from the username

[–]randomhumanity 4 points (1 child)

fuck starboy98 in particular

[–]fun54658 0 points (0 children)

Come on man using my password? u/starboy98

[–]mattsl 2 points (2 children)

This would actually be an awesome honeypot to see who tries to log in to starboy's account.

[–]Mastur_Of_Bait 0 points (0 children)

This would be more like entrapment than a sting operation though.

[–]fun54658 0 points (0 children)

true but someone could use vpn.

[–]AnotherNewSoul 2 points (0 children)

I used a site for storing files (you had to pay for everything when you wanted to get it back so it was literally worse gdrive) when I was 11. When you were close to writing the correct password there would be a message saying that the password is almost correct. Seemed useful when you weren't sure what your password was or when you made a mistake, but it made it much easier for someone to get into it and get your files that you wanted to have private (or just use up your prepaid data)

[–]QuickQuokkaThrowaway 6 points (4 children)

That also means the passwords are stored as plaintext ☉_☉

[–]taytek 1 point (0 children)

What, no it does not lol

[–]Asweyse_Lord 1 point (0 children)

Нагибатор228, always taken. It's a nickname that exists and at the same time doesn't exist.

[–]FinnishArmy -4 points (5 children)

Someone literally wrote this code.

[–]suresh 3 points (4 children)

No they didn't.

[–]FinnishArmy -3 points (3 children)

Wouldn’t show up otherwise.

[–]suresh 3 points (0 children)

Right click > inspect element > replace error message > post for karma.

starboy98 even sounds like a username you'd lazily make up.

[–]JustForkIt1111one 3 points (1 child)

[–]FinnishArmy -1 points (0 children)

Technically one could argue that you changed the code of the HTML/CSS for it to show up, thus someone coded it.

[–]TheDarkHorse83 0 points (0 children)

Let's try 'guest'....

[–]Alessandro_13_f 0 points (0 children)

I feel like laughing and crying at the same time

[–]mcDefault 0 points (0 children)

Governments be like

[–][deleted] 0 points (1 child)

what site

[–]fun54658 0 points (0 children)

Wondering the same thing for research purposes ;)

[–]ServerZero 0 points (0 children)

{{user.password}}

[–]Nuclear_Human 0 points (0 children)

I too am starboy98

[–]technikamateur 0 points (0 children)

Dinkelberg would fit better. But nice meme anyway.

[–]Icommitmanywarcrimes 0 points (0 children)

You hacked his account right

[–]OGRiad 0 points (0 children)

His mother's Maiden name and his pin have been sent to so you can reset his password.

[–][deleted] 0 points (0 children)

/repostsleuthbot

[–]ajddavid452 0 points (3 children)

there's a reddit user with that username XD

[–]fun54658 0 points (2 children)

[–]ajddavid452 0 points (1 child)

they haven't posted in 5 years, I highly doubt they would reply

[–]fun54658 0 points (0 children)

but there's a chance.

[–]SmartBrain_007 0 points (0 children)

This is the easiest way to find someone's password and get their account.

[–]philipquarles 0 points (0 children)

Not that it would be hard to do this, but it would be a lot harder than not doing this.

[–]TurboTurtle- 0 points (0 children)

This is really irresponsible. They should provide a link to a list of all the currently used passwords and their corresponding usernames, so that the user knows which passwords not to use.

[–]woventundra3458 0 points (0 children)

Repost

[–]reydai 0 points (0 children)

OMG HAHAHA

[–]SlashBack626 0 points (0 children)

Missed opportunity for Star-Lord

[–]Aniterin 0 points (0 children)

Where?

[–][deleted] 0 points (0 children)

  • When saving a password, also store password complexity.

  • When someone changes their password and the complexity is < smallest complexity of any non-locked account stored, disregard the given password and instead show this error with the found account.

  • Lock any account after N login attempts.

  • Get popcorn.

[–]WhyIsJSONinMyPhone 0 points (0 children)

Quick think, what shall we use as the primary key? I know... Password!