Making an account on something today when I came across a novel to me password restriction
niels@bsd.network
replied 19 Mar 2026 21:58 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/yWsT1qJ71j4DGwqj4F
benjojo
replied 19 Mar 2026 22:37 +0000
in reply to: https://bsd.network/users/niels/statuses/116258079754729299
jackemled@furry.engi..
replied 20 Mar 2026 00:10 +0000
in reply to: https://bsd.network/users/niels/statuses/116258079754729299
JennyFluff@chitter.x..
replied 19 Mar 2026 15:40 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/yWsT1qJ71j4DGwqj4F
miah@hachyderm.io
replied 19 Mar 2026 15:47 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/yWsT1qJ71j4DGwqj4F
uvok@woof.tech
replied 19 Mar 2026 15:48 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/yWsT1qJ71j4DGwqj4F
@benjojo I have a suspicion.... Code doesn't properly handle $pbkdf2:..., probably because of some migration? (Were passwords previously stored plaintext?).
Smells like epic fail, though.
robinsyl@meow.social
replied 19 Mar 2026 15:54 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/yWsT1qJ71j4DGwqj4F
flesh@transfem.socia..
replied 19 Mar 2026 15:55 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/yWsT1qJ71j4DGwqj4F
GLaDTheresCake@todon..
replied 19 Mar 2026 16:05 +0000
in reply to: https://transfem.social/notes/ak17v1imi59b00pl
@flesh @benjojo The $ is a unix crypt hash symbol, which indicates the string that follows is an encrypted password string. If the password were to be stored in, say, plain text, the program to check the password might infer some things about the password that are untrue if it starts with a $, and always error out since it's comparing what it thinks is a hash to a plaintext of the password, and they don't match. One might reasonably assume from this that this restriction is in place because they do indeed save the passwords as plain text...
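The failure mode described in the reply above, as an added example that is not part of the thread and not code from any service discussed in it: a verifier that decides whether a stored credential is a hash by looking at its leading "$" (the pattern a plaintext-to-hash migration can leave behind) beside one that treats every stored value as a hash. The "$pbkdf2-sha256$iterations$salt$digest" storage format, the function names and the sample passwords are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed storage format for this example: $pbkdf2-sha256$<iterations>$<salt b64>$<digest b64>
ALGO = "pbkdf2-sha256"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def make_hash(password: str, *, iterations: int = 600_000, salt: Optional[bytes] = None) -> str:
    """Derive a self-describing PBKDF2-HMAC-SHA256 string; a fresh random salt unless one is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Leading "" element yields the leading "$", the same convention crypt(3) strings use.
    return "$".join(["", ALGO, str(iterations), _b64(salt), _b64(digest)])


def parse_hash(stored: str) -> Tuple[int, bytes, bytes]:
    """Split a stored string into (iterations, salt, digest); ValueError if it is not our format."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != ALGO:
        raise ValueError("not a recognised hash string")
    _, _, iterations, salt_b64, digest_b64 = parts
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_hash(stored: str, candidate: str) -> bool:
    """Recompute the digest with the parameters taken from the *stored* string and compare in constant time."""
    iterations, salt, expected = parse_hash(stored)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def legacy_verify(stored: str, candidate: str) -> bool:
    """The migration pattern speculated about in the thread (assumed, not taken from any real system):
    rows that already start with "$" are treated as hashes, everything else is assumed to be plaintext."""
    if stored.startswith("$"):
        try:
            return verify_hash(stored, candidate)
        except ValueError:
            # A plaintext password that happens to begin with "$" lands here and can never log in,
            # which is exactly the behaviour a "no leading $" signup rule papers over.
            return False
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))


def fixed_verify(stored: str, candidate: str) -> bool:
    """Nothing is inferred from the stored content: every credential is a hash string, full stop."""
    return verify_hash(stored, candidate)


def demo(iterations: int = 50_000) -> dict:
    """Run both verifiers over constructed sample credentials; returns a dict of outcomes."""
    hashed = make_hash("$ecret", iterations=iterations)
    return {
        # Correctly hashed rows work under both verifiers, "$" in the password or not.
        "hashed_legacy": legacy_verify(hashed, "$ecret"),
        "hashed_fixed": fixed_verify(hashed, "$ecret"),
        "hashed_wrong": fixed_verify(hashed, "$ecret!"),
        # A leftover plaintext row starting with "$" is misread as a hash and rejects its own owner.
        "plaintext_dollar_legacy": legacy_verify("$ecret", "$ecret"),
        # A plaintext row that merely *looks* like our format is also "verified" as a hash and fails.
        "plaintext_lookalike_legacy": legacy_verify(
            "$pbkdf2-sha256$1$AAAA$BBBB", "$pbkdf2-sha256$1$AAAA$BBBB"
        ),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the comparison is that the only sound dispatch is none at all: parse the stored string (which the verifier wrote itself and controls), never the candidate, and finish the migration so no plaintext rows remain. Rejecting a leading "$" at signup only hides the defect for the rows that never got converted.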
flesh@transfem.socia..
replied 19 Mar 2026 16:09 +0000
in reply to: https://todon.nl/users/GLaDTheresCake/statuses/116256689717483051
ninafelwitch@tech.lg..
replied 19 Mar 2026 16:24 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/yWsT1qJ71j4DGwqj4F
@benjojo 20 characters max is already a giant red flag. There is no reason for this limitation, unless the system was written 25 years ago and never updated since.
alexhudson@c.im
replied 19 Mar 2026 16:39 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/yWsT1qJ71j4DGwqj4F
@benjojo the crypt hash symbol feels like a relatively benign option when you could pick shell variable expansion
emily_s@mastodon.me...
replied 19 Mar 2026 16:56 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/yWsT1qJ71j4DGwqj4F
@benjojo oooh, reminds me of the time I broke the uni print system with a password that ended in a backslash
xeno@hexokina.se
replied 19 Mar 2026 17:59 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/yWsT1qJ71j4DGwqj4F
@benjojo@benjojo.co.uk what if it’s a command injection they were too lazy to actually fix, I would try backticks lol
jeffm@sdf.land
replied 19 Mar 2026 18:05 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/yWsT1qJ71j4DGwqj4F
@benjojo hrmm...my mind jumped to Perl scalar sigil...but then I am a literal greybeard at this point
hi_cial@donphan.soci..
replied 19 Mar 2026 23:51 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/yWsT1qJ71j4DGwqj4F
@benjojo tech normie question, is that like the start of what you'd enter as like a command string if you wanted to hack into a badly secured thingie? edit: nvm I see you explained it. that it basically means passwords are stored in plain text??? yikes!
Elizafox@social.tree..
replied 20 Mar 2026 00:00 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/yWsT1qJ71j4DGwqj4F