Making an account on something today when I came across a novel-to-me password restriction
@benjojo indeed, I have questions.
@benjojo ... You don't want to know the answer!
@miah @benjojo somebody dumping user input into php without quotes???
@benjojo I have a suspicion.... Code doesn't properly handle $pbkdf2:..., probably because of some migration? (Were passwords previously stored plaintext?).
Smells like epic fail, though.
@benjojo I have many questions, one of them being "can I use a different website instead"
@[email protected] Please explain to the Python developer (me).
@flesh @benjojo The $ is a unix crypt hash symbol, which indicates the string that follows is an encrypted password string. If the password were to be stored in say plain text, the program to check the password might infer some things about the password that are untrue if it starts with a $ and always error out since it's comparing what it thinks is a hash to a plaintext of the password, and they don't match. One might reasonably assume from this that this restriction is in place because they do indeed save the passwords as plain text...

@GLaDTheresCake @flesh @benjojo

This was my first thought as well....

@GLaDTheresCake @flesh @benjojo
Ooh, interesting.

My thoughts were PHP injection.

Either way, there is no reasonable explanation that doesn't include the words "horribly insecure".

@leeloo @GLaDTheresCake @flesh @benjojo

"Either way, there is no reasonable explanation that doesn't include the words "horribly insecure"."

There is one, alluded to by someone up the thread: trolling. It is possible that the system is secure, but an admin with a (twisted) sense of humor decided to do some mild nerd-sniping.

Not very likely, just reasonable.

@flesh @benjojo Basically it's a special format to store encrypted passwords that lets you specify the algorithm and various parameters. Among other things, it lets you do things like on-the-fly algorithm upgrades for password hashing:
https://en.wikipedia.org/wiki/Crypt_(C)#Key_derivation_functions_supported_by_crypt
And yeah, as Lillian pointed out, this means that they're storing some (most?) passwords in plain text.

@benjojo 20 characters max is already a giant red flag. There is no reason for this limitation, unless the system was written 25 years ago and never updated since.
@ninafelwitch @benjojo
Or there's some sync involving a system like that somewhere in the org ... Or in the org of the company that just m&a'ed you
@benjojo the crypt hash symbol feels like a relatively benign option when you could pick shell variable expansion
@benjojo oooh, reminds me of the time I broke the uni print system with a password that ended in a back slash
@benjojo I mean I think that meme might answer itself kinda? (Not excusing it)
@[email protected] what if it’s a command injection they were too lazy to actually fix, I would try backticks lol
@benjojo hrmm...my mind jumped to Perl scalar sigil...but then I am a literal greybeard at this point
@benjojo heads up, the alt text is full of characters that are escaped in... HTML? And I have a feeling it's not gonna read correctly on a screen reader 😅 even apostrophes are escaped
@raphaelmorgan yeah this is a long time spec incompatibility that Mastodon has (alt texts are supposed to be HTML, but Mastodon believes that they are not), I might fix my side one day to be broken in the same way that Mastodon is, but that doesn't really feel right

@benjojo I was trying to make this work in my head and I've come up with an insane yet somewhat plausible solution :D

They have a registration module they cannot change, which stores cleartext in the database just as it has done in times ancient. A cronjob (or something) comes around and hashes passwords and saves them in crypt-compatible format (or worse, just a $ prepended...) so it knows which ones not to worry about next time. The auth module has been updated to deal with the crypts.
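An added example (not posted by anyone in this thread) of the scheme the replies above guess at: a detector for the modular crypt format (the "$id$..." shape), a legacy store that decides "hashed or plaintext" by sniffing the leading "$", and a hardened store that hashes at registration and tags the format in its own field. The id table is an illustrative subset, and the "$pbkdf2-sha256$rounds$salt$hash" serialisation is an assumption of this example, not the passlib or libc layout.

```python
import base64
import hashlib
import hmac
import re
import secrets
from typing import Optional

# Modular crypt format (MCF): "$<id>$<salt or params>$<hash>".  The leading "$"
# is the character the thread is about.  Illustrative subset of ids only.
MCF_RE = re.compile(r"^\$([A-Za-z0-9-]+)\$")
KNOWN_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
             "2b": "bcrypt", "y": "yescrypt", "pbkdf2-sha256": "pbkdf2"}


def crypt_id(stored: str) -> Optional[str]:
    """Return the MCF algorithm id of `stored`, or None if there is no "$id$" prefix."""
    m = MCF_RE.match(stored)
    return m.group(1) if m else None


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode().rstrip("=")


def _unb64(s: str) -> bytes:
    return base64.b64decode(s + "=" * (-len(s) % 4))


def pbkdf2_hash(password: str, rounds: int = 600_000, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 serialised as "$pbkdf2-sha256$rounds$salt$dk".
    Assumption: this layout is this example's own; it is not byte-compatible with passlib."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"$pbkdf2-sha256${rounds}${_b64(salt)}${_b64(dk)}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 5 or parts[1] != "pbkdf2-sha256":
        return False  # wrong shape or wrong algorithm: never fall back to plaintext
    _, _, rounds, salt_b64, dk_b64 = parts
    try:
        actual = hashlib.pbkdf2_hmac("sha256", password.encode(), _unb64(salt_b64), int(rounds))
        return hmac.compare_digest(actual, _unb64(dk_b64))
    except ValueError:  # garbage rounds/base64 (binascii.Error is a ValueError)
        return False


# --- The guessed legacy design: one column; a leading "$" means "already hashed".
def legacy_check(candidate: str, stored: str) -> bool:
    if crypt_id(stored) is not None:
        return pbkdf2_verify(candidate, stored)
    return hmac.compare_digest(candidate.encode(), stored.encode())  # plaintext row


def legacy_migrate(stored: str, rounds: int = 600_000) -> str:
    """Cron-style pass: hash every row that does not already look hashed.
    A plaintext password starting with "$" is skipped forever, and the user is locked out."""
    return stored if crypt_id(stored) is not None else pbkdf2_hash(stored, rounds)


# --- Hardened: hash at registration and record the format in its own field, so the
# stored value is never sniffed and "$" in a password is just another byte.
def hardened_store(password: str, rounds: int = 600_000) -> dict:
    return {"fmt": "pbkdf2-sha256", "value": pbkdf2_hash(password, rounds)}


def hardened_check(candidate: str, row: dict) -> bool:
    return row.get("fmt") == "pbkdf2-sha256" and pbkdf2_verify(candidate, row["value"])
```

With the legacy functions, a user whose plaintext password is "$6$hunter2" can never log in and is never migrated, which is exactly the situation a "must not start with $" rule papers over; the hardened pair has no such input-dependent branch.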

@benjojo why does that site use the 4chan color scheme
@niels I think it's just bootstrap 2, also this is the LACNIC portal lol

@benjojo Wait, like the internet and IP registry? I thought this is just a random small business site. This is worse than I thought.

@niels

@niels @benjojo Every corporate run website is white & red like this. Isn't 4chan a yellow beige with green?
@niels @benjojo 4chan doesn't own shades of red thankfully

@benjojo tech normie question, is that like the start of what you'd enter as like a command string if you wanted to hack into a badly secured thingie?

edit: nvm i see u explained it. that it basically means passwords are stored in plain text??? yikes!

@benjojo @kyhwana i wonder where the filter is applied? what happens if you start it with %24 ?
@benjojo I have a worse explanation for you: Passwords starting with $ are interpreted as a shell variable when they system a command with the password as part of the command line.
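An added example (not from anyone in this thread) of the "password becomes a shell variable" explanation above, beside the two safe forms. It assumes a POSIX /bin/sh; `echo` and `printf` stand in for whatever real tool (htpasswd -b, chpasswd, ...) the password would be fed to, and DEMO_VAR is a constructed environment variable so the expansion is visible.

```python
import os
import shlex
import subprocess

# Constructed environment variable so the expansion is deterministic and visible.
DEMO_ENV = {**os.environ, "DEMO_VAR": "expanded-by-sh"}


def vulnerable_add_user(user: str, password: str) -> str:
    """The anti-pattern: the password is spliced into a command string that /bin/sh
    parses first, so "$NAME", "$(...)" and backticks are interpreted, not stored."""
    cmd = f'echo "user={user} pass={password}"'
    return subprocess.run(cmd, shell=True, env=DEMO_ENV,
                          capture_output=True, text=True).stdout.strip()


def hardened_add_user(user: str, password: str) -> str:
    """No shell at all: argv is a list handed to execve, so every byte is data.
    printf is used rather than echo because echo may treat a leading "-n" as an option."""
    argv = ["printf", "user=%s pass=%s", user, password]
    return subprocess.run(argv, shell=False, env=DEMO_ENV,
                          capture_output=True, text=True).stdout.strip()


def quoted_add_user(user: str, password: str) -> str:
    """If a shell is genuinely unavoidable, quote every operand with shlex.quote."""
    cmd = f"echo user={shlex.quote(user)} pass={shlex.quote(password)}"
    return subprocess.run(cmd, shell=True, env=DEMO_ENV,
                          capture_output=True, text=True).stdout.strip()
```

The list form is the one to reach for; the quoted form only protects the operands you remembered to quote, and a "don't start with $" rule protects nothing, since "x$(id)" in the middle of a password expands just the same.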
@maswan @benjojo awesome. try fork bomb as your password.

@gnometsunami @maswan @benjojo

I wanted to write that!😈

Great minds...👍😂

@maswan That's so cursed I love it.

@benjojo

@benjojo Sounds like a cursed xkcd-style bug.

https://xkcd.com/1700/

#xkcd

@benjojo next question: is the validation only on the front end? Could you roll your own API call with the forbidden password? 🤔
@benjojo Nah, it's much simpler: The password goes into an Excel sheet, and if you start it with a dollar sign, the password might be rounded like a dollar amount. You wouldn't wanna round your passwords

@benjojo "the name must contain at least two words, with a maximum of 40 characters"

"Q: Why?"

"Author is a white westerner"

@flangey the real bizarre thing about this is that it was a website primarily for South American users, yet also had the most tedious name requirements I think I've ever had to pass, I actually couldn't submit the name of my company in true form because it wouldn't believe that it was possible

@flangey @benjojo ha, bang on. I've spent the better part of 3 decades explaining to people that the concept of a Christian name and surname isn't a global concept.

We've had students with one name. We've had students with no family name. We've had students *only* with a family name.

We've had students whose official name (on their passport) isn't the one they use in daily life, for banking/health etc.

We've had students with extremely long names and titles etc.

Western norms don't fit!

@greem @flangey @benjojo Even between Western countries, there are differences that would be incompatible when enforcing just one country's system without any flexibility.

@lizbian @greem @flangey @benjojo As a French person living in Spain, I am regularly faced with forms that want 2 surnames.

Similarly, the French system only allows you to name a child using a name that can be spelt with letters from the French alphabet. It went to court some time ago because it meant you couldn't use some traditional Breton names that are spelt with a ñ in them.

Falsehoods Programmers Believe About Names | Kalzumeus Software

Classic essay about how software routinely bumbles human names.

@greem @flangey @benjojo

I needed to fix a problem with our tooling this week.

Because an external (globally operating) mailing list service isn't accustomed to spanish names.

As in two surnames in an email.

Combined with companies that allow names only in the form [email protected]

Leading to people using upcase letters in their mail address: Firstname.SurnameSurname

A thing apparently so uncommon that the mailing list service automatically lowercased the address on contact creation.

Leading to a mismatch for all following mails...

@benjojo php eval risk, unencrypted password storage?
@benjojo it's funny but if you don't have an alt text, can you just not put an alt-text ? I don't really care that this image is called "v21n3HmS6Fxs2c2K4X.png"

it's maybe something you didn't know happened tbh
@tournesol if you go and open the original post on my website you will see that there is an alt text. The software that you're using is just not picking it up
@benjojo oh wow yes sorry. it seems that honk-like services are not well handled
@benjojo shell escape? Perl? this is scary
GitHub - duffn/dumb-password-rules: A compilation of sites with dumb password rules.

@benjojo "Tell me {you've got bad security practices} / {how to hack your site} without telling me."
@benjojo Imagine a service that randomly picked the password restriction rules per registration session.
@benjojo The only way I can make this make sense is if they started with encrypted passwords in their database and are migrating to unencrypted passwords for new accounts and using the first character of the password field to determine if a password is encrypted or not. Could be wrong, but I can't imagine any reason that doesn't amount to the website being hot garbage.
@benjojo Me: Enters \nadmin:admin as password
(htpasswd)
htpasswd - Manage user files for basic authentication - Apache HTTP Server Version 2.4

@benjojo the next time i set up a service, i'm gonna include that exact rule *just to send hackers on a wild goose chase*, and make extra sure to properly escape my inputs