this post was submitted on 10 Jan 2025
22 points (95.8% liked)

Cybersecurity - Memes

3333 readers
3 users here now

Only the hottest memes in Cybersecurity

founded 2 years ago
MODERATORS
Sam1232188@lemmy.world
neurohost@lemmy.world
Alphadef@programming.dev
CannaVet@lemmy.world
22
I hate passwords (feddit.org)
submitted 7 months ago* (last edited 7 months ago) by cron@feddit.org to c/cybersecuritymemes@lemmy.world
21 comments fedilink hide all child comments
 

How on earth can you both not accept the password I copied from my password safe and tell me that I cannot use the same pasaword again?

you are viewing a single comment's thread
view the rest of the comments
[–] cron@feddit.org 1 points 7 months ago (1 children)

Why on earth would someone truncate a password? I could make at least 10 more memea about bad handling of passwords

[–] kautau@lemmy.world 0 points 7 months ago* (last edited 7 months ago) (1 children)

Why? Probably some wild row length limit being hit where a table storing user data was storing an asinine amount of data, just terrible DB organization in an org where someone said “who even needs a DBA.”

How? If you can truncate user passwords, you should never handle user passwords again, unless you’re a student or hobbyist learning a valuable lesson.

[–] MajorHavoc@programming.dev 0 points 7 months ago (1 children)

How? If you can truncate user passwords, you should never handle user passwords again, unless you’re a student or hobbyist learning a valuable lesson.

Yeah. The real reason to be alarmed is worse than the obvious one.

If a partial version of what was originally set actually works later, it implies a scary chance they're not even hashing the password before storing it.

[–] sloppy_diffuser@sh.itjust.works 0 points 7 months ago* (last edited 7 months ago) (1 children)

Also suggests the user may be reusing the same prefix if only the changed bits are getting truncated.

Should use different random passwords every time. Completely random or a random string of words. While it doesn't solve the cleartext password storage issue, a data breach won't compromise all your other accounts to same degree.

Doesn't hurt to also randomize usernames, emails, and even security question answers.

edit: or my new favorite passkeys, just make sure you trust whatever tool is managing your private keys.

[–] kautau@lemmy.world 1 points 7 months ago* (last edited 7 months ago)

Not how password hashing works. Demonstrated with sha256:

hunter2butitsreallylong:
a9953dfbfec699349341edc857dcfe5c7a617c81f312cf57297d5b852881bab3

hunter2:
f52fbd32b2b3b86ff88ef6c490628285f482af15ddcb29541f94bcf526a3f6c7

a hash algorithm encompasses all provided data and returns a single fixed length data response

https://en.wikipedia.org/wiki/Cryptographic_hash_function

Any changes, even just removing a few characters, drastically changes the output of the hash function (https://en.wikipedia.org/wiki/Avalanche_effect)

You have no way of knowing a user password when you are storing hashes, you can't truncate them, and the user password length doesn't matter (up to a certain point where it's technologically dumb to hash user input over a certain amount of data)

I do agree however that changing / randomizing your password is important, as someone brute forcing or running rainbow tables etc on a hash dump can quickly attack a common password across different dumps