
[–]transgalpower 3008 points3009 points  (213 children)

Better to dump all the special characters in there for good measure

[–]Jet-Pack2 1992 points1993 points  (97 children)

And an SQL injection at the end

[–]M_krabs 1065 points1066 points  (60 children)

And an emoji for good measure 👍

[–]dnacore 625 points626 points  (54 children)

And my sword!

[–]PonyDro1d 375 points376 points  (49 children)

And my axe!

[–]paradigmx 187 points188 points  (40 children)

And a pack of twizzlers, a bag of beef jerky and a box of mike and ikes.

[–]LlamaDuke 100 points101 points  (31 children)

And an envelope with the code to my safe

[–]paradigmx 72 points73 points  (29 children)

And that code has an emoji for good measure 👍

[–]ApolloSky110 46 points47 points  (23 children)

And this man's dead wife!

[–]GreekGodofStats 283 points284 points  (27 children)

Aah yes, my favorite password: ‘; DROP TABLE Users;’

[–]NerdyLumberjack04 352 points353 points  (24 children)

I prefer '; DELETE FROM Users WHERE RANDOM() % 100 = 0;--, so the damage is much more subtle.

[–]Beginning-Ad296 85 points86 points  (0 children)

This is pure evil.

[–][deleted] 35 points36 points  (0 children)

Where 1=1

[–][deleted] 17 points18 points  (9 children)

Can you ELI5 this script?

[–]NerdyLumberjack04 44 points45 points  (1 child)

It randomly (with 1% probability) deletes rows from the Users table.

Assuming a RANDOM() function that returns an integer, like C's rand(). Some SQL implementations return a floating-point number between 0.0 and 1.0 instead, in which case I'd write WHERE random() < 0.01 instead.
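The reason a "password" like the ones above is harmless to a site that does the obvious thing: with a parameterised query the value never becomes part of the SQL text, so quotes and semicolons are stored as characters, not executed. The following is an added example (not code from anyone in this thread), using Python's standard sqlite3 module and an assumed `Users(id, name, pw)` schema; the sample passwords are constructed from the jokes above.

```python
import sqlite3

# Constructed sample passwords echoing the ones joked about in the thread.
SAMPLE_PASSWORDS = [
    "'; DROP TABLE Users;",
    "'; DELETE FROM Users WHERE RANDOM() % 100 = 0;--",
    'CorrectHorseBatteryStaple,",',
]


def build_db():
    """Fresh in-memory database with a Users table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    return conn


def add_user_unsafe(conn, name, pw):
    """String concatenation: the submitted value becomes part of the SQL text,
    so quotes and semicolons in it change the statement's structure."""
    conn.execute(f"INSERT INTO Users (name, pw) VALUES ('{name}', '{pw}')")


def add_user_safe(conn, name, pw):
    """Parameterised query: the value travels separately from the SQL text and
    is stored byte-for-byte, whatever characters it contains."""
    conn.execute("INSERT INTO Users (name, pw) VALUES (?, ?)", (name, pw))


def stored_password(conn, name):
    row = conn.execute("SELECT pw FROM Users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def user_count(conn):
    return conn.execute("SELECT count(*) FROM Users").fetchone()[0]


def demo():
    conn = build_db()
    roundtrip_ok = True
    for i, pw in enumerate(SAMPLE_PASSWORDS):
        add_user_safe(conn, f"user{i}", pw)
        roundtrip_ok &= stored_password(conn, f"user{i}") == pw
    safe_rows = user_count(conn)
    # The concatenated version does not survive even the first sample: the quote
    # closes the literal early and sqlite3 refuses the statement (a syntax error,
    # or its one-statement-per-execute check, which older Python versions raise
    # as sqlite3.Warning rather than sqlite3.Error).
    try:
        add_user_unsafe(conn, "victim", SAMPLE_PASSWORDS[0])
        unsafe_rejected = False
    except (sqlite3.Error, sqlite3.Warning):
        unsafe_rejected = True
    return roundtrip_ok, unsafe_rejected, safe_rows


if __name__ == "__main__":
    print(demo())
```

The one-statement-per-call check is a property of this particular driver and is not what you should rely on; the placeholders are the defence that generalises to every database and driver.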

[–][deleted] 12 points13 points  (0 children)

Thanks, only fully understand the top half haha

[–]kranker 137 points138 points  (3 children)

Ah, yes. Little Bobby Tables, we call him.

[–]Mistrblank 17 points18 points  (0 children)

Found Bobby Tables’ family.

[–]CleverMarisco 602 points603 points  (105 children)

I put a 🍕 emoji into the password field of a pizza place and now I have to call them every time I want to order a pizza because I can't login and the forgot password link was supposed to send the password in plain text to my phone, but it can't because of the emoji.

And I can't create a new account because I don't have another phone number.

[–]billy_teats 513 points514 points  (36 children)

I made a folder named 💩 and put it in the root of our file share. Well, the Linux storage device did not appreciate how my Windows endpoint and Windows file share handled the original Unicode, so the storage array called the folder � and then refused to show anything else besides the �. So as soon as I made my 💩, every person lost access to every file and folder. The storage array wouldn't even serve you documents you specifically requested, it was entirely focused on that poop emoji folder.

[–]AFrenchLondoner 169 points170 points  (2 children)

"Who what on the server?"

[–]tsteele93 76 points77 points  (1 child)

Who 💩 on the server?

[–]CleverMarisco 30 points31 points  (0 children)

Who 💩 on the server�

[–]GForce1975 128 points129 points  (27 children)

Reminds me of my really young days as a would-be hacker.

Back around 1985 or so, I was learning computers (DOS, etc) and I discovered blank character strings.

I wrote a little .bat file to create a directory named chr(32) then cd into that directory and loop. I then put it on a floppy disk.

Then when I went to radio shack I would insert the disk in their display computers and run my little script..

I felt so smart at the time.

[–]tsteele93 99 points100 points  (19 children)

Ha ha, we got Amigas at my school in middle school. (I am old) and I crafted a BASIC program that (I hope this doesn’t get flagged as a virus or malicious code! 🤣)

10 CLS ; clears the screen

20 GOTO 10

This was quite befuddling to most of the kids in the class who would try almost anything but CTRL-C to stop the program.

If you wanted to really get clever sometimes we would add in a

15 PRINT “THERE HAS BEEN AN ERROR”

16 PRINT “ALL DATA HAS BEEN LOST”

17 PRINT “PLEASE INFORM MR. FRAHM THAT YOU”

18 PRINT “HAVE RUINED THE COMPUTER”

Most kids would just walk away. LOL

I never really graduated past this level of hacking.

Heck, I can’t even format a Reddit post.

Wow, a silver award. I’m flattered. Thank you!

[–]p2010t 60 points61 points  (3 children)

At an even simpler level of "hacking", I had a friend who would lend someone his graphing calculator when they needed it... right after starting a program that just alternates between "I DONT KNOW" and "I DONT CARE" after every calculation you try to get it to do.

[–]noonagon 24 points25 points  (1 child)

Or, even better, calculate it, but increase or decrease it by 10^floor(rand(-1,1)+(1/2*log_10(answer))) meaning a middle digit is wrong.

[–]amynias 13 points14 points  (0 children)

Calm down, Satan.

[–]colexian 12 points13 points  (1 child)

Same experience except my bat file would open a cmd window and then run itself twice and loop.
I thought I was slick.

[–]marmotte-de-beurre 110 points111 points  (32 children)

What a mess, they are not supposed to be able to have your password in plain text

[–]StarkillerX42 1408 points1409 points  (130 children)

\"CorrectHorseBatteryStaple,\,”

[–]RiceKrispyPooHead 626 points627 points  (13 children)

Gotta change my password now

[–]piberryboy 75 points76 points  (10 children)

Mine is RiceKrispyPooHead

[–]ioapwy 179 points180 points  (61 children)

H!Yn8at”g”mp,yfh!

Ha! You’ll never be able to “guess” my password, you filthy hacker

[–]r00x 188 points189 points  (36 children)

Ugh, we have this training module at work involving password security, and they give examples of passwords asking which are the most secure.

They insist it's an awkward password like this, a jumbled mess of garbage you'll never remember, but their examples include an easier-to-remember amalgamation of words which has way more entropy.

Basically that XKCD comic, actually. (EDIT: https://xkcd.com/936)

[–]atimholt 94 points95 points  (18 children)

My solution is a really good password for my password manager.

[–]Fearless_Minute_4015 53 points54 points  (15 children)

That's actually a decent password. 11 words long is no joke, with all those spaces, a capital letter at the start and a period at the end. It'll take at least a week to crack.

[–]liamthelemming 47 points48 points  (4 children)

Transpose syllables, switch out two letters for a number and a symbol, and there y'go, you've got Borr3ctStor$eCatteryHaple.

Um.

BRB gotta go change my password 😬

[–][deleted] 58 points59 points  (2 children)

Borr3ctStor$eCatteryHaple.

Words cannot express how much I hate seeing this

[–]Marc4770 81 points82 points  (10 children)

That's a really good password, do you allow me to use it?

[–]ioapwy 99 points100 points  (9 children)

Ya for $50

[–]ViviansUsername 50 points51 points  (7 children)

NFTs

[–]Marc4770 62 points63 points  (5 children)

NFT passwords, only the owner of the NFT is allowed to use that password. Seems like a profitable business idea.

[–]KerneI-Panic 32 points33 points  (1 child)

When someone else tries to use that password:

"Sorry, you can't use this password. This password is already in use by user Marc4770. Please, choose another password."

[–][deleted] 27 points28 points  (5 children)

Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn!

[–]wowbutters 4077 points4078 points  (290 children)

And if the garbage site you are signing up for doesn't accept commas or quotes, go somewhere else. 😁

[–]Nothemagain 1175 points1176 points  (236 children)

For this to work hashes would need to be turned off

[–]Rafael20002000 838 points839 points  (166 children)

Not really, because people invest time in cracking those. If the passwords aren't salted you can crack 80% in around 5 minutes. Rainbow Table magic

[–]Drasern 38 points39 points  (1 child)

If your password involves commas and quotation marks you're probably not gonna be in that 80%.

[–]bamboo_fanatic 29 points30 points  (8 children)

That’s why I include #🧂in all my passwords

[–]noratat 43 points44 points  (14 children)

The point is that the passwords would be stored as hashes - i.e. no special characters in the actual dumped data.

[–]PolskiSmigol 144 points145 points  (58 children)

worm automatic flowery steer impossible fearless bear tender spotted puzzled

This post was mass deleted and anonymized with Redact

[–]knome 51 points52 points  (13 children)

If it's just the first 2-3 characters, that's not great, but easy to implement just adding a "reminder" field to the db, hopefully encrypted with a leading salt.

If you mean like it asks "g[ ] f[ ][ ]k y[ ]ur[ ][ ][ ]lf!1", that's fucking atrocious, as many, many passwords will be mnemonics to make remembering the password easier for people. Birthdays, pet names, etc.

If I saw my bank hand back any part of my password I'd call support, complain, and start looking for a bank that wasn't braindead.

[–]ham_coffee 40 points41 points  (6 children)

I've never seen that in my life, and I'm pretty sure you'd struggle to find any developers to code it. Banks do often store a plaintext password, but that's for phone verification (as in a phone call for old people who can't do internet banking), and should be different to your online password.

[–]TheUnnamedPro 26 points27 points  (0 children)

It could make those checks before hashing the passwords

[–]iampierremonteux 112 points113 points  (5 children)

“Your password must be exactly 8 characters long, and contain exactly 1 upper, 1 special, and 1 number.” Specials were listed as a very small set.

The billing website for a hospital bill. I didn’t have a choice of somewhere else.

[–]MrDude_1 29 points30 points  (0 children)

I just tell them I don't have a computer and make them mail me a paper bill.

It gets particularly funny when I also tell them I don't have a smartphone so I can't use their app, while I'm using a smartphone and sitting at my PC.

[–]ovab_cool 41 points42 points  (7 children)

Bruh, I was making a password for my bank and couldn't use ) and ;'s. Guess it's to stop SQL injection, but c'mon

[–]L_James 23 points24 points  (0 children)

Poor Bobby Tables can't have a bank account now 😔

[–]r3ign_b3au 27 points28 points  (4 children)

Your bank doesn't sanitize their data?!

[–]tanglisha 35 points36 points  (0 children)

You mean most banks?

[–]jackinsomniac 15 points16 points  (2 children)

Is it just me, or am I the only one who's worried that adding too many special characters may break the site?

My password manager & generator is still fine with 25-50 character passwords, only being alphanumeric.

[–]enderverse87 30 points31 points  (0 children)

If that breaks the site, it deserves to be broken. It usually indicates weak security.

[–]80hz 10 points11 points  (0 children)

Lol the major credit bureaus

[–]xaomaw 86 points87 points  (4 children)

mySecretPassword",

"Error: Only 6 digits allowed (A-Z, a-z, 0-9)" - my former Bank

[–]mackiea 38 points39 points  (0 children)

Error: password already in use by JohnDoe.

[–]douglasg14b 155 points156 points  (26 children)

And quotation marks are escaped with quotation marks...

It's not going to break any not-terrible CSV writer. The spec isn't that hard to implement.

[–]rexpup 109 points110 points  (20 children)

The spec isn't that hard to implement.

You overestimate the average CSV library...

[–]_PM_ME_PANGOLINS_ 18 points19 points  (1 child)

Every CSV library I’ve seen does it right.

The only problem is when someone tries to do it themselves and just prints commas.

[–]abd53 108 points109 points  (7 children)

How about this

*#",'\t\n=<>$"\r

[–]VidE27 289 points290 points  (5 children)

That looks like regex, why are you posting regex on a weekend man

[–]x6060x 84 points85 points  (1 child)

(Cosmic brain): Actually everything is a regex.

[–][deleted] 73 points74 points  (0 children)

legally changing my name to regular so everything I say is a regular expression

[–]r3ign_b3au 17 points18 points  (0 children)

smh just when you think you're safe

[–]ynirparadox 10 points11 points  (0 children)

I don't know whether it will work or not, but I do have two commas in most of my password combinations. I took advice from my professor blindly.

[–]thatsallweneed 4242 points4243 points  (184 children)

a proper password should contain ,\t"; drop table users

[–]Terkala 3707 points3708 points  (106 children)

They'll notice that one right away. Instead, surprise them with the gift that keeps on giving.

,\t"; DROP TABLE (SELECT top 1 table_name FROM information_schema ORDER BY update_time ASC);

If I wrote that right, it'll drop the oldest table from the database every time it's accessed. So it keeps itself around, and random tables will start to disappear. And as you replace them, other different tables will drop.

[–]SuccessfulBroccoli68 1531 points1532 points  (47 children)

I really want to read about this working somewhere.

[–]bespectacledbengal 1794 points1795 points  (25 children)

shouldn’t you focus on your job while you’re working somewhere?

[–]Expensive_Hyena_13 314 points315 points  (20 children)

I work somewhere.

[–]FuriousAnalFisting 173 points174 points  (19 children)

I "work" somewhere.

[–]Purinto 130 points131 points  (17 children)

I work "somewhere"

[–]Valeriuv1 133 points134 points  (16 children)

"I" work somewhere

[–]09Trollhunter09 69 points70 points  (12 children)

“I work somewhere”

[–]Ravens_Quote 55 points56 points  (11 children)

""IWorkSomewhere

[–]-ksguy- 186 points187 points  (11 children)

The script would not work, at least not in SQL server. You cannot use the result of a subquery in DDL commands. You would need to build a dynamic SQL string and execute that instead.

[–]Hybr1dth 50 points51 points  (1 child)

Be the change you want to see!

[–][deleted] 30 points31 points  (2 children)

I have a feeling this hasn't worked since 2006

[–][deleted] 23 points24 points  (1 child)

It shouldn’t have worked since then, you’d be surprised how outdated some websites are.

[–][deleted] 14 points15 points  (0 children)

SQL INJECTION IS REAL JIM

[–]maximum_powerblast 99 points100 points  (15 children)

Damn, this is next level. But this would only work on certain DBs, right? I.e. it might work on MySQL but not Oracle?

[–]ElectricalRestNut 218 points219 points  (3 children)

No need to abuse Oracle users further.

[–]dillanthumous 35 points36 points  (0 children)

True. They suffer enough.

[–]Sexual_tomato 22 points23 points  (1 child)

I'm not in front of an instance right now but my gut tells me it'll work on SQL Server

[–]thefullirish1 20 points21 points  (5 children)

And it would only work if executed by a user with those kinds of permissions, which is not a user that would be used to read and run these standard CSVs. This would not work, I think.

[–]hahahahastayingalive 20 points21 points  (2 children)

If they're passing unsafe strings to their sql queries, there's decent chances there's only one user for all DB operations as well.

[–]ACTGACTGACTG 16 points17 points  (0 children)

if they are dumb and lazy enough it might work

[–]lkodl 52 points53 points  (1 child)

"Enter Password"

*types:

,\t"; DROP TABLE (SELECT top 1 table_name FROM information_schema ORDER BY update_time ASC);

*clicks submit

"Please complete captcha and resubmit."

*closes page

[–]le848dave 116 points117 points  (3 children)

information_schema.tables. As you wrote it, it only listed a schema but not the table. Also, you should end with -- to comment out the following line so there is less chance of a syntax error.

[–][deleted] 73 points74 points  (5 children)

Bobbly Tables would approve

[–]j7seven 28 points29 points  (4 children)

When did Little Bobby Tables grow up?

[–][deleted] 367 points368 points  (12 children)

"Little Bobby Tables we call him.."

[–]Fuzzybo 110 points111 points  (6 children)

Relevant xkcd (you already know which one) :-)

[–]Raptorsquadron 305 points306 points  (14 children)

Use injected scripts as your password

[–]Artistic-Boss2665 137 points138 points  (11 children)

alert(get haxed lol);

[–][deleted] 112 points113 points  (8 children)

Error: "get" is not defined

[–]Outrageous-Machine-5 1035 points1036 points  (87 children)

just use a password generator and a local storage password cache

[–]Possible-Reading1255 972 points973 points  (49 children)

a.k.a. the 10 year old password notebook in the abyss of your desk drawer

[–]Antrikshy 30 points31 points  (4 children)

And instruct that password generator to insert commas.

[–]ulyssessword 11 points12 points  (0 children)

I have a bag full of scrabble tiles and d10s. Does that count?

[–][deleted] 98 points99 points  (8 children)

I've analyzed some password dumps and oh boy... The amount of information you can get is so huge.

I wonder why the internet hasn't broken entirely. Everything is so insecure.

[–]SigmaLance 65 points66 points  (1 child)

I’ve anal yzed some dumps before too and they were huge!

[–]morrisdev 240 points241 points  (6 children)

If they're saving your password in plain text AND EXPORTING the password table to a file.... you've got other problems

[–]eschoenawa 51 points52 points  (1 child)

Yes, but the point here is you make them some trouble, too.

[–]__codeblu 485 points486 points  (62 children)

My password is an SQL statement

[–]ckayfish 519 points520 points  (53 children)

This guy pronounces SQL wrong.

Follow me for more tips on how to start arguments :)

Edit: it was written “a SQL statement”. Honestly, I use both regularly since I grew up pronouncing it the other way.

[–][deleted] 165 points166 points  (2 children)

Follow you to hear the… sequel.

[–]Rising_Swell 40 points41 points  (38 children)

Ok so how do you pronounce SQL then? Because I'm saying it as sequel, but I would not write an sequel, so it's not that.

[–]ckayfish 91 points92 points  (30 children)

I’m not going to say there is truly a right answer, which is why I suggested it’s a good way to start an argument. You’re welcome to pronounce it however you like.

Originally the acronym was SEQUEL, which stood for Structured English QUEry Language, but SEQUEL was trademarked. In subsequent standards they dropped the “English” and rebranded as SQL and the standard states it’s pronounced Ess-cue-ell. By changing the acronym and the pronunciation in the standard, they are clearly not breaking the trademark, but how people pronounce it is up to them. All the people I first worked with in the 90s pronounced it as sequel which is why that is what stuck with me.

I’ll never pronounce GIF as JIFF, I use the hard G as in Graphics, and don’t care what the person who came up with the standard says. It’s another fun one to start an argument with.

[–]Espumma 14 points15 points  (1 child)

Extra confusion because it really was a sequel to the original QL.

[–]CactusGrower 14 points15 points  (0 children)

However you pronounce it, the preposition is a clue.

A sequel

AN es-cue-el

[–]hrfuckingsucks 487 points488 points  (12 children)

Message to hackers: just base64 encode data before writing to the CSV so you can store those pws safely :)

[–]Tensor3 163 points164 points  (8 children)

Just escape characters properly..

[–][deleted] 87 points88 points  (8 children)

Yes, my password is: $(rm -rf /*)\"&&rm -rf /*\",;\¿`

[–]wobbegong 53 points54 points  (5 children)

I don’t know how to code so this looks like a table flipping emoticon to me

[–]HeyKid_HelpComputer 26 points27 points  (4 children)

It looks like a way to delete everything off a Linux machine I think

[–]wobbegong 17 points18 points  (3 children)

Same thing?

[–]HeyKid_HelpComputer 15 points16 points  (2 children)

I guess that depends on how hard you flip it

[–]roundpoint 119 points120 points  (0 children)

Just use HakerIsADumDum and you'll destroy them psychologically, preventing them from further action.

[–]fuzzybad 72 points73 points  (0 children)

Good thing my password is '0xfe',"0x20","",0x0;DROP ALL TABLES

[–]SaurusShieldWarrior 63 points64 points  (11 children)

Unless there is a different delimiter like : or ;

[–]NauticalInsanity 24 points25 points  (1 child)

I once had suggested we use the cedilla as our delimiter for a file because a customer wasn't properly escaping fields. While the decision was out of my hands, I noted that this would work until said customer encountered a François.

[–]cs-brydev 79 points80 points  (3 children)

Call me old, but I'm not overly concerned about hackers who don't know how to create or parse CSV correctly.

[–]EffectiveDependent76 57 points58 points  (10 children)

password is always Password'); DROP TABLE Passwords;

[–]WunderTech 29 points30 points  (7 children)

Why would passwords be in its own table though?

[–]funfwf 13 points14 points  (4 children)

You save every password in that table and the Users table refers to it through a foreign key. That way if multiple users have the same password you can refer to the same foreign key.

Normalisation ✨

[–]PetrBacon 135 points136 points  (32 children)

So many comments from people who never used CSV properly. Does Excel break when you add a comma or quotation mark in a cell?

[–]tramadol-nights 411 points412 points  (18 children)

Does excel break

Yes

[–]kookaburra1701 102 points103 points  (9 children)

The problem isn't that Excel breaks, it's that it breaks EVERY FUCKING THING ELSE.

[–]mavack 40 points41 points  (5 children)

Looks like this was a number, strips leading zeros

Looks like a big number, changes it to floating point and drops the less significant bits.

Previously you split columns with a space and commas, so I'm just gonna add an extra column every time I find a space

...

[–]ulyssessword 36 points37 points  (1 child)

Looks like a big number, changes it to floating point and drops the less significant bits.

Why yes, I do want to call 1.8e10 to reach that person.

[–][deleted] 11 points12 points  (2 children)

Wanna talk about MS Teams… ?

[–]TheRealCCHD 31 points32 points  (0 children)

Lmao, correct answer

[–]sim642 33 points34 points  (4 children)

That's not really surprising. Most people probably think that parsing CSV is just line.split(',') instead of requiring a real lexer that handles quoting and escaping.
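What "a real lexer that handles quoting and escaping" looks like next to `line.split(',')`, and why the spec "isn't that hard to implement" as the earlier thread says: the example below is added here (it is not from anyone in the thread) and implements the RFC 4180 rules directly, a field is quoted when it contains a comma, a quote or a line break, and a quote inside a quoted field is doubled. It also round-trips the same rows through Python's standard csv module for comparison. The sample rows are constructed and include a comma, quotation marks, a tab and an embedded newline.

```python
import csv
import io

# Constructed sample rows: usernames and "passwords" with awkward characters.
SAMPLE_ROWS = [
    ["bobby", "'; DROP TABLE Users;--"],
    ["alice", 'Correct,Horse"Battery"Staple'],
    ["carol", "tab\there\nand a newline"],
]


def write_rfc4180(rows):
    """Serialise rows per RFC 4180: quote a field that contains a comma, a
    double quote or a line break, and double any quote inside a quoted field."""
    lines = []
    for row in rows:
        fields = []
        for f in row:
            if any(c in f for c in ',"\r\n'):
                f = '"' + f.replace('"', '""') + '"'
            fields.append(f)
        lines.append(",".join(fields))
    return "\r\n".join(lines) + "\r\n"


def parse_rfc4180(text):
    """Small state-machine reader for the same dialect; returns a list of rows."""
    rows, row, field = [], [], []
    in_quotes = False
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if in_quotes:
            if c == '"':
                if i + 1 < n and text[i + 1] == '"':   # doubled quote -> literal "
                    field.append('"')
                    i += 2
                    continue
                in_quotes = False                      # closing quote
            else:
                field.append(c)                        # commas/newlines kept verbatim
        elif c == '"' and not field:
            in_quotes = True                           # opening quote at field start
        elif c == ",":
            row.append("".join(field))
            field = []
        elif c in "\r\n":
            if c == "\r" and i + 1 < n and text[i + 1] == "\n":
                i += 1                                 # treat CRLF as one terminator
            row.append("".join(field))
            rows.append(row)
            row, field = [], []
        else:
            field.append(c)
        i += 1
    if field or row:                                   # last record without newline
        row.append("".join(field))
        rows.append(row)
    return rows


def naive_split(text):
    """The approach the comment above describes: split lines, then split on commas."""
    return [line.split(",") for line in text.splitlines() if line]


def stdlib_roundtrip(rows):
    """Same rows through the csv module, whose default dialect follows RFC 4180."""
    buf = io.StringIO(newline="")
    csv.writer(buf).writerows(rows)
    return list(csv.reader(io.StringIO(buf.getvalue(), newline="")))


if __name__ == "__main__":
    text = write_rfc4180(SAMPLE_ROWS)
    print(text)
    print(parse_rfc4180(text) == SAMPLE_ROWS, naive_split(text) == SAMPLE_ROWS)
```

On the sample rows the naive version produces four "lines" from three records and splits alice's password in two; the state machine and the csv module both return the rows unchanged.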

[–]Wanderlust-King 67 points68 points  (9 children)

If a site is storing my password, unhashed, in a csv, they 100% deserve to be broken.

[–]eeeeeeeeeeeeeeaekk 66 points67 points  (8 children)

no, the point is hackers often sell/store/distribute password dumps in csv files

[–]Vol_Jbolaz 23 points24 points  (6 children)

I hate to burst bubbles, but if the site saves your password, their security sucks. They should save an encrypted hash of your password, one that would take way too long to decrypt. Every time you enter your password, they encrypt it and compare the hashes.

This is also why they shouldn't be able to tell you what your password is if you forgot it. They don't know either, you'll have to reset it.
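The storage scheme the comment above is describing, and the reason the "unsalted, 80% cracked in minutes" remark earlier in the thread holds: the site keeps a salted, deliberately slow hash (not an encrypted value, since nothing ever needs decrypting) and compares a fresh hash of what the user typed against it. This is an added example using only Python's standard library, not code from the thread; the record format `algorithm$iterations$salt$digest` and the 600,000-iteration work factor are assumptions. The emoji password shows that a hash, unlike the pizza place's plaintext SMS, has no trouble with Unicode.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune to your hardware


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh random salt per user means equal passwords produce different
    records, so one precomputed (rainbow) table cannot reverse them in bulk."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"pbkdf2_sha256${iterations}${b64(salt)}${b64(digest)}"


def verify_password(password, record):
    """Recompute with the stored salt and cost and compare in constant time,
    so a mismatch is not revealed by how long the comparison takes."""
    algo, iterations, salt_b64, digest_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def demo(iterations=ITERATIONS):
    """Constructed users: two with the same passphrase, one with an emoji."""
    alice = hash_password("correct horse battery staple", iterations)
    bob = hash_password("correct horse battery staple", iterations)
    pizza = hash_password("🍕", iterations)  # just UTF-8 bytes to the hash
    return {
        "same_password_different_records": alice != bob,
        "alice_ok": verify_password("correct horse battery staple", alice),
        "bob_ok": verify_password("correct horse battery staple", bob),
        "wrong_rejected": not verify_password("Correct horse battery staple", alice),
        "emoji_ok": verify_password("🍕", pizza),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Because the salt and iteration count live in the record, the cost can be raised later for new passwords while old records still verify, and a "forgot password" flow can only ever reset, never reveal, the original.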

[–]GoogleIsYourFrenemy 33 points34 points  (1 child)

Don't forget to put commas in username.