unclesporky
Imagine you are a super hacker and you get a dump of data. It breaks partway through. You figure out that one specific person did this, possibly on purpose to mess with you. Doesn't that create incentive for you to be targeted in particular?
liveOffOfDownVotes
better not be storing my password not hashed
cntrfldr
That's juvenile. My password is "Incorrect" so if I mistype it I get a reminder
Izlingar
What is a CSV and is this post actual advice or troll?
eiger3970
Passphrase > password https://www.useapassphrase.com/
RowanUnderwood
Pft, amateur hour, insert a buffer overflow attack into your password instead that nukes the whole machine from inside the CSV file.
DuffyMx
and how would you do that? asking for some friends
RowanUnderwood
Keep an eye on Excel vulnerabilities :D https://www.keysight.com/us/en/strikes/generic/ixia/microsoft_excel_cell_length_buffer_overflow_attack.xml
paulio101
False. Good software double quotes strings when generating CSV data, thus protecting against commas. Try using a double quote instead. But that won't work either, if they escape double quotes in strings properly. Not all software does, but many do.
cousteau
Good software doesn't use CSV files for storing passwords.
Sorrontis
do passwords allow for it?
Dragelet
Good passwords allow that and more. https://owasp.org/www-community/password-special-characters
dreikommavierzehn
Not all. I've frequently encountered systems that didn't allow for non-alphanumeric letters and some even enforced specifics like "Has to start with a capitalized letter". One such system was a Visa or Mastercard provider for a while
Sorrontis
yeah
tooomanystevesgotbanned
Yeah, but they only allow 3 wrong tries before they freeze the account.
ZathrasSquared
Password must contain at least 43 characters. Password must contain at least one capital letter. Password must contain at least one number. Password must contain at least one special character. Password must contain at least one Aztec pictograph. MY GOD JUST TELL ME WHAT YOU WANT UP-FRONT!!!
JoeMangoJello
Certified Shrimp Vagina?
m4uboy
yes.
prefabcandyfloss
use | " ' \ % _ as well
myotheralt
Why is CVS losing my data?
TheViolinCon
CSV is a delimited text file. It's not the pharmacy chain.
Snipsuper
Yeah, if they are not cleaning that input, I do not feel sorry
maas2908
My password is ,%", take that u h4x0r scum! Of course no one's going to be able to brute force your hash, so maybe you should make that your username instead?
Plagen
It's pretty easy to write code to find commas in passwords and ignore them.
sadurdaynight
(system) new password must contain a symbol (me) *adds a symbol* (system) not that one (me) *tries different symbol* (system) and not that one.. in fact here's the only 3 symbols we allow (me) Then why the F didn't you tell me that from the start, you whack-a-mole piece of shit? (system) because fuck you, that's why
Bam906
I use a non-English keyboard and use accent marks. If you want my password it's going to take just a little bit of extra work lol
aThingWithAKeyboard
Stupid
MysteryRobot
No you gotta put a quote and then a comma
manhands
It will have quotation marks around it. Parsers will be fine. But good thinking.
Smidge204
Unless those crafty fuckers use encapsulating quotes. That's why all MY passwords use '","' in them!
cousteau
What if they also escape the quotes? Yet use a csv to store passwords unhashed.
Corrodias
Unfortunately for this joke, but fortunately for all those involved in data processing, the CSV format can escape commas, so this won't work.
Corrodias
This comment is a test. Please ignore.
cousteau
The CSV format can escape commas. A programmer whose idea of security is dumping passwords in a CSV can't.
Corrodias
Oh, I think the implied context for CSV dumps are when a security breach happens at a company, some hacker gets ahold of a customer password list, and they publish or sell it. I think those are often in the CSV format.
cousteau
Ah, I was assuming this was used as a safe password storage, which wouldn't surprise me a lot tbh... Yeah, one would expect that a script kiddie smart enough to hack away a password list will have considered this corner case, but maybe not. I've seen a lot of careless programming.
crateo
Use the ascii password bear /"\;;,;;/"\
loismustdie
"Good Point.","Unfortunately, some people","won't understand."
pgdave
"can" escape commas isn't the same as "every implementation of CSV format escapes commas correctly" *grumbles in bank files that keep breaking*
Corrodias
Yeah, I hear that.
SumOneElse
... or read them correctly. Years ago I had so much misery from CSV escaping not working correctly in one of Open Office, Excel, or Google Sheets that I gave up on exporting user data in anything but native xlsx files instead.
somethingsomethingwittyhere
...flashbacks of COBOL nightmares.
manyslayer
Preach brother (cursing in software for county tax files).
cabbykins
Also a lot of data processing moved to pipe breaks for this exact reason, and I have yet to encounter a password field that lets me use those
SoftwareMathematicianLady
Anyone who makes a password field that *doesn't* let you use those needs a solid slap in the face, and perhaps a kick in the 'nads. Same with anyone who puts a maximum length limit on a password. Your security-critical code is trash and you belong in the trash.
BoogaYooga
Gotta love those "can't have more than x numbers or letters aligned, maximum 12 characters" passwords... Just let me input a whole sentence ffs!
Corrodias
It's always financial accounts, too. Some random web site set up by a single moron will let you enter a long, complex password, and your bank will insist on no more than 12 characters.
shammael
See sections 2.5, 2.6 and 2.7 of RFC 4180. The CSV standard already defines how to deal with commas and line breaks
cabbykins
Oh definitely, but laziness is a lot easier than dealing with character escapes
shammael
Sorry... Touched a nerve there. Had an argument with a co-worker last week because of this. He's written his own "parser" (string.split(','), but he calls it a parser) and caused a prod incident but "it's impossible to have commas in the value of a CSV" and "line breaks in values are an edge case".
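To show concretely what the RFC 4180 comment above and this split(',') "parser" story come down to, here is an added example (mine, not code from anyone in the thread). It round-trips constructed sample records, including the thread's comma, '","' and line-break cases, through a split-by-comma writer/reader and through Python's csv module, which applies the RFC 4180 quoting rules.

```python
import csv
import io

# Constructed sample records (not real credentials). The last three contain the
# characters this thread is about: a comma, embedded double quotes, a line break.
ROWS = [
    ["alice", "correct horse"],
    ["bob", 'pa,ss"word'],
    ["carol", 'my "," password'],
    ["dave", "line\nbreak"],
]


def dump_naive(rows):
    """The 'parser'-grade writer: join fields with commas, no quoting at all."""
    return "\n".join(",".join(r) for r in rows) + "\n"


def parse_naive(text):
    """str.split(',') per line, as in the prod incident described above."""
    return [line.split(",") for line in text.splitlines()]


def dump_rfc4180(rows):
    """RFC 4180 section 2, items 5-7: a field containing the delimiter, a double
    quote or a line break is enclosed in double quotes, and an embedded double
    quote is escaped by doubling it. csv.QUOTE_MINIMAL does exactly that."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerows(rows)
    return buf.getvalue()


def parse_rfc4180(text):
    """csv.reader tracks quoting state across lines, so a quoted line break
    stays inside its field instead of starting a new record."""
    return list(csv.reader(io.StringIO(text)))


def roundtrip_ok(rows, dump, parse):
    """True only if every field survives a write followed by a read."""
    return parse(dump(rows)) == rows


if __name__ == "__main__":
    print("split(',') round-trips:", roundtrip_ok(ROWS, dump_naive, parse_naive))      # False
    print("RFC 4180 round-trips:  ", roundtrip_ok(ROWS, dump_rfc4180, parse_rfc4180))  # True
    print(dump_rfc4180(ROWS))
```

Running it shows bob's record split into three fields and dave's into two records under the naive path, while the quoted output reads back unchanged.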
cabbykins
Yup, which is why some switched to the pipe instead of the comma. Much less likely to cause an incident, but still just as lazy.
r0b074p0c4lyp53
That's infuriating. There's a million csv parser libraries readily available, this is a solved problem
trinxter
Plain text credentials that should not be accessible?
Mithi
"should" is the operative word here
deidyomega
I've seen a few sites secure the password in the database using good enough security (salt+modern hash), but their logger logs all incoming data, including the passwords, in plain text. Security is hard.
pgdave
You'd be amazed how many sites store your password in plain text. Or hash it, but don't salt it.
Trastion
Just like when cooking. Hash without Salt is a war crime.
harthram
Needs pepper too.
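The storage side discussed just above (per-user salt, a slow hash, a server-side pepper) and the logging leak mentioned a few comments earlier are both small to get right. This added example is mine, not from anyone in the thread; the pepper value and the request field names are constructed placeholders.

```python
import hashlib
import hmac
import json
import os

# Hypothetical server-side pepper. In a real deployment it lives in a secret
# store or environment variable, never in the same table as the hashes.
PEPPER = b"constructed-example-pepper-not-a-real-secret"
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor of the order OWASP currently suggests

SENSITIVE_FIELDS = {"password", "new_password", "current_password"}


def hash_password(password: str, salt: bytes = b"") -> dict:
    """Per-user random salt plus an iterated hash. The pepper is mixed in with
    HMAC first, so a dumped table on its own is not enough to crack offline."""
    salt = salt or os.urandom(16)
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iters": ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, record["iters"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def loggable(payload: dict) -> str:
    """What a request logger should write: the request minus the credentials.
    Logging the raw body defeats the hashing entirely, as noted above."""
    cleaned = {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v) for k, v in payload.items()}
    return json.dumps(cleaned, sort_keys=True)


if __name__ == "__main__":
    # Constructed login request, including a password with a comma and quotes.
    request = {"user": "alice", "password": 'correct,horse"battery'}
    stored = hash_password(request["password"])
    print(loggable(request))                                  # password is redacted
    print(verify_password(request["password"], stored))       # True
    print(verify_password("wrong", stored))                   # False
```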
mlcarter815
Or just encrypt it and don't hash it.
IncorrectCommentMeme
I used to use an xss attack that redirects to lemonparty (by way of a proxy url I could track hits to) as my password. Every time it was hit I’d know what service it was so I could change the random noise at the end of that password, and I’d know whomever viewed it got what they deserved.
ThatBobbyG
Meatspin would be epic, and you can publish the high score winners.
AnyUsernameWillDoForMe
How many times?
xarmy9
You don’t still do this?
IncorrectCommentMeme
Doesn’t work much anymore. That’s because many rinkydink sites use 3rd party sign on today (facebook, google, whatever); or if they don’t, they use updated frameworks with decently secured logins and databases; and the password harvesting meta has moved away from single finely crafted sql injections to other methods to access databases. It just isn’t worth the effort anymore.
Vermonstrous
You should post ways folks can beef up personal internet security in the present… it’s totally bewildering to lots of us and is growing more and more critical…
IncorrectCommentMeme
Use a unique password for every website. Can’t handle that? Use a password manager. Can’t handle that? Use a different password for each bank/credit/email/social and then the same password for junk sites with no power. Can’t handle that? Use the same unique password for bank/credit/email and a different one for everything else. Can’t handle that? Expect to get hacked eventually and lose all your money.
Snooj
I'd argue that if you can make one unsuspecting person see lemonparty it's worth the effort. I did it with Goatse for someone at work who shut their computer off and needed me to turn it on so he could RDP in. He RDPed in to a surprise.
IncorrectCommentMeme
One thing to send hackers or shitty site owners to lemonparty; it is entirely another thing to assault a coworker that did nothing wrong. Grow up.
Snooj
Or gosh, maybe we were friends and I knew him really well and he thought it was hilarious. I didn't do it to Jane in accounting. It was an office of five people and we did dial-up Internet tech support. You're gonna hurt your knee if you keep jerking it like that.
MightyIink
This is only true for plain text, most passwords are stored in a 256 sha.
mike13815
And when they're dumped in a CSV, they're de-sanitized and made into plain text.
ScarySpider
They're probably referring to the dumps where passwords were either stored wrong or less than 12 characters and got cracked.
cousteau
I'm not sure I'd say most systems do. Every now and then there are reports of sites whose "passwords got stolen", which shouldn't happen if they're properly salted and hashed.
florismrfart
Make sure to include 'bedbugs' in your password, so nobody wants to touch it.
skipweasel
Thanks, Bobby Drop-Table
sausausausausaus
I lol'd irl
Chronomechanist
Still one of the funniest XKCDs ever
Imheretostorenottopost
Also, why the hell aren't they getting backed up?
holgerdk
The same reason that they didn't sanitize their database inputs.
LariCheltsy
Douglas Null
Rathan5
My manager at work’s last name actually is Null. They have some amazing stories of the issues it has caused them over the years
nobletrex
Top shelf xkcd.
quietwalker
Like I tell everyone; use a proper csv library. You cannot just split by comma and expect it to work - there are more rules than that. And for passwords, there's surely folks with backslashes which escape characters so it's unlikely that this attempt would work because you'd quickly find failures if you didn't sanitize your data or process it via the rules.
OMGamIImguringCorrectly
Except if it's dumped, it's in quotes and the commas count as part of the string.
cousteau
Look, if someone is careless enough to program a system that stores passwords in a CSV file in the clear, I doubt they'll be careful enough to escape them.
manyslayer
That's how it should be, but in many cases...
jermprobably
So you're saying put one quote in your password to act as the closing quotation in order to break it?
RevengeIsIceCream
Ask little bobby tables' mom for more tips: https://xkcd.com/327/