(skeletor is leading by example by adding that unnecessary apostrophe…)
’ – DROP TABLE `passwords`;
My bank doesn’t allow the characters you would need for a SQL injection in passwords. Checked client side, I don’t want to try and find out if it’s also checked server side, but I hope it is.
No serious software would fall for such an easy attack anymore. With prepared statements it’s impossible to break queries like that. Beside that one principle is to avoid using user inputs directly in your database.
Good way to punish websites that have zero security i suppose
If you include ;",// you can mess with a wide variety of formatting.
Security advice: Just use URLs/links as password. Until next time!
Can someone help me understand this? It seems interesting.
Long string of effectively random (in terms of their connection to you) words + special characters that make it hard to either guess or brute force.
Thanks, I now use This as my password for all my important information.
“comma’s”?
“COMMA’S”?!
I hate when when people misuse apostrophe’s
There was a (really short-lived) shady car dealership that used to have an A-Frame sign that they must’ve paid to get printed.
It said “Your approved”.
My approved?
I imagine someone must’ve mentioned it to them, because they replaced it not much later.
The new sign said “Everyones Approved”.
My approvedOUR approved.
While on the topic, this isn’t how passwords work in systems.
Passwords are stored as one way hashes. So it’s cryptoed only in one direction, it’s lossy, and can’t be recovered back to the original password.
When you log on, your cleartext PW is hashed in ephemeral memory/storage and then the cleartext password is thrown away.
That hash is compared to the hash in the DB. If the hash matches, then you have access. If it doesn’t, then your PW is incorrect.
While on the topic, this isn’t how passwords work in systems.
Passwords are stored as one way hashes. So it’s cryptoed only in one direction, it’s lossy, and can’t be recovered back to the original password.
When you log on, your cleartext PW is hashed in ephemeral memory/storage and then the cleartext password is thrown away.
That hash is compared to the hash in the DB. If the hash matches, then you have access. If it doesn’t, then your PW is incorrect.
Oh my sweet Summer Child. This is definitely how it’s supposed to work, but there are plenty of services that just don’t know what the fuck they’re doing.
Have you ever been on a site that has a stupid-low character limit for a password? There’s literally no reason to do that, all the hashes are going to end up the same size in the DB anyway regardless of the original string length. Even
bcrypt’s max secret character limit is 70-something characters.Ever change a password and have it not work on the next login because they’re silently truncating it after a certain character limit? Ever get an email with an actual password in it?
The only reason you would do things like this is if you’re storing/processing passwords in plaintext and not hashing it client-side first.
I can think of 3 offenders of this off the top of my head. It’s a lot more common than you’d think.
cryptoed
Unless you were looking for a sick rhyme for tiptoed, try encrypted.
No, I mean Crypto libraries.
The field of science and engineering that has the algorithms and libraries we would need to use to perform a proper one way encrypted hash, is going to be found in a cryoptographic library.
I suspect you’re thinking of Crypto in how it’s applied colloquially in the world today with a cryptographically signed linked-list ledger. There’s a whole world of cryptography that’s in use. Encryption is just one sub-function in that world.
Encryption is inherently reversible though. Hashing is the most accurate term to describe it
It’s now how passwords work in good systems
And there are plenty of bad systems, especially in this fail fast BS paradigm clueless idiots like to use. We know because they keep getting hacked (looking at you, lastpass!)
Yes, I’m a waterfall guy - get off my lawn!
Even if it’s hashed, some systems still use unsalted MD5 which is effectively just as bad as plain text.
I don’t understand it. Argon2id has been around for nearly 10 years at this point, scrypt for 15, PBKDF2 for 20 and bcrypt for 25. It’s not hard.
Sure, but the comic isn’t talking about legit password usage systems. It’s talking about how a comma could break the csv formatting of a csv file that came from a data breach and dump.
That’s still not how it would work.
Ok, assuming that we’re talking about, like you say, a system that gets a breach which is storing PWs in clear text/plain text, instead of hashing it, which is a big if as those kinds of systems are either amateur/homebrew, or extinct at this point, but I digress. Let’s say it’s there.
The attacker would run a sanitization script out of the SQL table that would shift those problem characters into proxy characters, or correct them if it’s going to cause a problem. One or two passwords lost to correct for thousands isn’t a big deal. The result of trying to put some sort of SQL Injection or CSV formatting bug into your password, hoping it was stored as plaintext, and the attacker wouldn’t be sanitizing the common formatting issues, is just silly.
Plus, it’s not like they’re only exporting it once. They’ve usually copied the DB down locally, so they’ll see the formatting is skewed when parsing the CSV, and correct it on the next export out.
I’m all for the humor here, I was just calling out that nothing about the ideas the OP suggested would work in real life SecOps scenarios.
Souce: Am engineer at large corporation. Deal with scenarios and systems like this all the time.
The CSV cells are escaped with quotes. So just maybe throw some quotes in too. Unbalanced for style points. It won’t defeat a CSV library, but might break a script kiddie
Unbalanced for style points.
I like the cut of your jib. End it with a single backslash, for good measure.
The CSV specification (RFC-4180) is pretty clear. If a value contains commas, you wrap it in double quotes. If the value contains double quotes, you double each double quote to indicate its part of the value and not the end of the value.
A properly formatted CSV should have no problems from Skeletor!
There’s no formal spec for CSV. The RFC you mentioned describes the most common behaviour observed in many implementations, but it’s not a spec itself, as mentioned on the second page:
While there are various specifications and implementations for the CSV format (for ex. [4], [5], [6] and [7]), there is no formal specification in existence, which allows for a wide variety of interpretations of CSV files. This section documents the format that seems to be followed by most implementations:
So
;,'"\tpassword\t,.;Hi kind reminder password hashes.
For all no-tech-people: what? Please explain
If you’re a company, you should save your users’ passwords as “hashes” which is like a scrambled up version, so if your data gets stolen the hackers will have to unscramble all the passwords which takes a long time. Some naughty companies don’t do this and save their passwords as plain text. The person above is presumably talking to developers to remind them not to be naughty
For the benefit of the person above you, thats not to say that hashed passwords are unbreakable, because hackers can build a thing called a rainbow rmtable where they hash a bunch of known passwords, words, and phrases, and then can compare their rainbow table agains a stolen hash to learn what the starting value might have been. Thats why a complex password is very useful
Not much of an Issue thanks to salting
Only if you dont make the salting or hashing wrong which happens far to often
This terminology is making me hungry
Tl;dr: parseley, hash browns and salt is good.
Funny, but csv values are quote encapsulated and special character escaped.
Common CSV parsers don’t require it and I’ve seen plenty of examples of unquoted CSV cells (which, given there’s no actual standard for the format, isn’t too surprising). Hell I’ve created my fair share while throwing together ad hoc datasets. The idea that some of these dumps might be made by folks who are too careless to properly quote and escape their CSV data isn’t hard to believe at all.
A classic example of naive CSV encoding is joining a bunch of floats with commas while using a locale that has a comma for a decimal point.
I had a dota2 bug where all of the maps particle effects would spawn in the middle. Yep, a locale dot/comma thing.
Oh, so it’s like USB cords. Or basically any other technology standard.
When you’re lucky your data provider has high standards.
Remove apostrophes from your plural words, they show possession, not plurality. Until next time.
It’s there intentionally as part of an injection attack
Woosh?
No, I don’t think so.
I do think so
LOL
If webpages are storing plain password and not the hash, we should be worried
Don’t worry. I make sure to Sha1 encrypt them first.
Yo, why no love for md5?
We contract for a regional bank and we use a Vigenère cipher to store passwords
I wrote my own password manager about a year ago, in java. It uses Vigenère encryption using a key the computer doesn’t remember (that you have to write down somewhere). I still don’t actually use it in my daily life, firefoxes password manager is pretty convenient and I’m pretty lazy…
By the way (you’re quicker than duckduckgoing) Are you able to view and export password in plain text if you want to discontinue using the firefox password manager?
I’ve resisted using password managers up to this point, but it’s getting to be a pain
Sha1 hash do you mean? Sha1 is just a hash algorithm.
If webpages are storing plain password and not the hash, we should be worriedYes.
What about semicolon?
From many years of experience on the interwebs, I can recommend this password:
NUL,\t.;TAB\n\x07^C
It’s very secure and works most of the time. I use it for everything.
You clearly don’t use this one, don’t you know lemmy instances automatically censor your ********?
Oh cool - how does it know?
Hunter2
Yeah, mine is removed.
Censor your what? Your ********?
What’s all the commotion? I’m pretty sure you can say ********, no?
What’s it say? All I see is *******************.
No you don’t. I checked ;)
Just changed my password to this, thanks!
hunter2
hunter2
Wow, what a coincidence, my password is ******* too!
hunter2 isn’t a very strong password — personally I use ************.
IRC is leaking again…
Just added this to my brute force dictionary thank you 👌
Can you take it out again? I still want to use this. Thanks.
I dunno. If I was the asshole running the script that broke at whatever line your user was in. I’d take special care to fuck with you right back. ;)
Most CSVs these days are separated by semicolons, so make sure to add one of those as well!
To protect against shitty databases, add one of every quote ("'`) to your password so inserting the password fails.
To fuck with computers that don’t know how to do UTF8, add a few emoji.
To limit the risk of Chinese hackers, add a Taiwanese flag 🇹🇼. Their iPhones can’t render that glyph!
To make sure millenials can’t read your password, 𝔀𝓻𝓲𝓽𝓮 𝓹𝓪𝓻𝓽 𝓸𝓯 𝓲𝓽 𝓲𝓷 𝓬𝓾𝓻𝓼𝓲𝓿𝓮.
Then to top it all off, add a right-to-left override character to invert the direction of the password halfway through.
Sir, this is a Wendy’s account.
Dave2
All I see is *****
Since it’s noon, that’ll be $92. TYVM and fuck you.
To make sure millenials can’t read your password, 𝔀𝓻𝓲𝓽𝓮 𝓹𝓪𝓻𝓽 𝓸𝓯 𝓲𝓽 𝓲𝓷 𝓬𝓾𝓻𝓼𝓲𝓿𝓮.
How would this mess with millennials? I think you mean gen z.
𝔒𝔯 𝔶𝔢𝔬𝔩𝔡 𝔢𝔫𝔤𝔩𝔦𝔰𝔥 𝔱𝔬 𝔰𝔠𝔯𝔢𝔴 𝔴𝔦𝔱𝔥 𝔢𝔳𝔢𝔯𝔶𝔬𝔫𝔢.
Common mistake: When you’re ascribing a bad quality to them, “millenials” means everyone born after 1960. If you’re ascribing a good quality to them, it only means people born between December 12, 1989, and December 14, 1989.
Incidentally, @[email protected]’s birthday is 13th December.
They’re one of the good ones
Even my gen alpha kid was learning cursive in third grade last year. I don’t expect him to write using it much but at least he knows how to read it.
Apparently that’s not very common anymore.
The only thing I write in cursive these days is my signature.
Most of the time I don’t even write, I type or use swipe-to-text.
I journal in cursive since it’s faster and more natural, otherwise I use print.
We learned cursive.
Yeah! Most of us can read analog clocks too!
Were told our assignments in high school would get an automatic zero if we didn’t turn them in in cursive, even…
I knew someone who did physics in cursive. It was impossible to read (not bc it was sloppy, because seeing Greek letters as cursive threw me for a loop)
To fuck with computers that don’t know how to do UTF8, add a few emoji.
I once set a WiFi ssid to 🌻 and I was amazed at how much problems that likely caused. I had people showing me their network manager was dumping random characters. Some other routers web interfaces became corrupted when trying to show the neighborhood. Some clients refused to connect. Even a bsod on a windows XP box.
Great success!
Fun fact: SSIDs are just bytes. They don’t need to he any kind of UTF compliant. You can use a set of unprintable characters
Is there a character limit? Can it be the binary for DOOM?
64 characters long is wifi spec IIRC but some routers don’t follow spec, wouldnt go higher than 60. Idk if this helps answer your question.
32 bytes. 31 if you want to end the name in a \0 byte to not completely break IoT devices and the like.
You can have as many SSIDs as you want, of course. So you could spam a million SSIDs and have a piece of software decode them.
I believe it’s 32 bytes, but it depends on the AP, some use a null terminator as the final byte.
I had a ton of trouble with an apostrophe in my SSID until I realized that was the cause.
They called it “The Sunflower Incident.”
One of my projects was validation for form submission and emojis melted me. I gave up trying to do it from scratch and trusted a library.
You just need to ensure you validate character by character (NOT byte by byte) and allow characters in the Emoji Unicode ranges. It’s well-defined in the Unicode standard. Using a library is a great idea though.
Why not simply discard them?
I’m currently in a project where the client has a custom, but not entirely consistent or known subset of utf-8.
They want us to keep the form content as it is, but remove the “bad” characters. Our current approach is to just forward everything as it is and wait for someone to complain. How TF am I supposed to remove a character without changing the message?
Yeah I had a backend with poor support for anything that wasn’t ASCII. So my solution was turning everything into hex before storing it. I wonder if people are still using it.
Yeah I had a backend with poor support for anything that wasn’t ASCII
PHP is like this. Poor Unicode support, but it treats strings as raw bytes so it usually works well enough. It turns out a programming language can take data from a form, save it to a database, then later load and render it, without having to know what those bytes actually mean, as long as the app or browser knows it’s UTF-8, for example through a Content-Type header or meta tag.
The tricky thing is the all the standard string manipulation functions (
strlen,substr, etc) don’t handle Unicode properly at all and they deal with number of bytes rather than number of characters. You need to use the “multibyte” (Unicode-ready) equivalents likemb_substr, but a lot of PHP developers forget to do this and end up with string truncation code that cuts UTF-8 characters in half (e.g.if it’s truncating a long title with Emoji in it, it might cut off the title in the middle of the three bytes that represent the Emoji and only leave 1 or 2 of them)
I had an emoji in my phone hotspot a while ago. Unfortunately I had to remove it after a while because some devices refused to connect.
My bank basically only allowing [a-zA-Z0-9]: I think not
Why do banks have the shittiest cyber security?
Because they can retroactively undo their fuckups.
This isn’t really true. If it were the financial world would be incredibly unstable and untrustworthy, and nobody would keep their money in banks.
Banks do tend to be behind the leading edge because their systems are thoroughly tested and have to be stable. They have to be regularly audited and there’s a lot of oversight. Change control processes are inherently slow. Given a choice between rapid and flexible or deliberate and reliable, banks will take the cautious route.
I emailed my bank about this a few years ago. Never heard back but to my surprise they actually updated the password restrictions! I should send another email asking for MFA and virtual cards…
Jeez mate you gotta get on that! You have the magic powers and you’re holding back civilization’s progress with your procrastination!
virtual cards
Do you mean tap-to-pay, or do you mean card numbers you can use for online purchases?
I think a more apt description would be proxy cards. It’s relatively new, but it lets you create cards that are linked to your primary without ever issuing a plastic card. This way if fraud happens you only need to replace it for the services it was used on. Or if you happen to lose your physical card, you can have it replaced without affecting the others.
Why is our money based on debt? Why do banks keep getting away with nearly collapsing the global economy? Why do private institutions have the right to coin currency?
Because banks put themselves in extremely risky situations, and civilization is based on the idea that money has value and the law is enforced. So laws get passed whenever they’re in danger (usually self inflicted)
Banks have security through legislation. It’s extra illegal to hack them. And since that’s the case, what’s a little more risk for a little higher profit? -_-
Truly ancient Cobol running in the back is my only guess. Why they wouldn’t have their authentication systems completely separate with better security features and some sort of token based access to the backend is beyond my understanding of their back end.
Because you, the taxpayer, will bail them out anyway
To make sure millenials can’t read your password, 𝔀𝓻𝓲𝓽𝓮 𝓹𝓪𝓻𝓽 𝓸𝓯 𝓲𝓽 𝓲𝓷 𝓬𝓾𝓻𝓼𝓲𝓿𝓮.
Hey, millennials know cursive!
Forced to learn it in elementary school because “highschool and college require it!” by Boomers that didn’t recognize the tech revolution only to get to college and be told by those same boomers to never turn in a handwritten paper unless you wanted an auto fail.
told by those same boomers
Your elementary school teachers were also your college professors?
There is only one Boomer. It’s like an Agent Smith situation.
I was just memeing the “millenials killed cursive” articles thst cropped up a few years ago.
We all know $currentGenerationOfChildren actually killed cursive!
Spot the windows user….
To fuck with computers that don’t know how to do UTF8, add a few emoji.
Even better, add some byte sequences that are invalid UTF-8.
CSVs are supposed be comma-separated files. Microsoft deviated from the specification and decided some languages would use semicolons for CSVs.
Source: StackOverflow
Using comma would probably caused more problems as it is a decimal separator for those languages. My excel also uses semicolon in formulas instead of comma when separating parameters. Some VBA scripts break when using different language settings and some forumilas don’t translate automatically to different locale so they just give an error. Overall using excel in different locale setups is annoying.
Best separator I have used is | as i have never seen it in the data as an input. Comma and semicolon both have caused issues in the past for me as they might pop up at wrong places.
Microsoft deviated from the specification
There is no specification for CSV, which is why it’s such a mess and different parsers and renderers have wildly different features. The closest thing to a spec is RFC4180 but that RFC simply describes the most common features across several CSV implementations, and is not actually a spec.
I agree that it should be comma separated though. My understanding is that it caused issues in countries that use a comma as a decimal point.
Also, Excel sometimes uses tabs rather than commas or semicolons.
cemicolon separated values
Z̵̫̖͚̳̖̖̰̩̀̆͐͒͝ä̸̛̻́̈́̌͂̽̈́l̷̤̥̖̝͙̅g̵̱̤͙͕̥̮͌̽o̸̡̦̙̬̘͎̪̥̔ ̴͔̙̞̱̗͒͊͊̽̀̑͌ẏ̵̛̻̾o̸̡͍̤͔͌ų̶̠͔̯̲̖͇̯̅̒̓̃̏̓͊r̷͎̪̗̤̄̊̃̚͝ ̵̢̰͔̀t̵̡̘̤̙͕͎̅͂͛̀̚ȩ̷͙̙̖̲̟͍̉̎͝x̷͇̦̝̼͗͋̊t̶̫̹̳̩͇̼̠͚̿͆̅̋̔̃͐͗!̶̧̛͕̮̻̞͎͇̹͆͛͘̕̚͠
Here’s my confusion: as soon as it is no longer separated by commas, it is by definition no longer a CSV. Is it an SCSV now?
It turns into a CSV where the C stands for character.
