@benjojo heads up, the alt text is full of characters that are escaped in... HTML? And I have a feeling it's not gonna read correctly on a screen reader 😅 even apostrophes are escaped

@benjojo why does that site use the 4chan color scheme

@niels @benjojo Every corporate run website is white & red like this. Isn't 4chan a yellow beige with green?

@benjojo "the name must contain at least two words, with a a maximum of 40 characters"

"Q: Why?"

"Author is a white westerner"

@benjojo it's funny but if you don't have an alt text, can you just not put an alt-text ? I don't really care that this image is called "v21n3HmS6Fxs2c2K4X.png"

it's maybe something you didn't know happened tbh

@benjojo indeed, I have questions.

@benjojo ... You don't want to know the answer!

@benjojo I have a suspicion.... Code doesn't properly handle $pdkdf2:..., probably because of some migration? (Were passwords previously stored plaintext?).
Smells like epic fail, though.

@benjojo I have many questions, one of them being "can I use a different website instead"

@benjojo@benjojo.co.uk Please explain to the Python developer (me).

@flesh @benjojo The $ is a unix crypt hash symbol, which indicates the string that follows is an encrypted password string. If the password were to be stored in say plain text, the program to check the password might infer some things about the password that are untrue if it starts with a $ and always error out since it's comparing what it thinks is a hash to a plaintext of the password, and they don't match. One might reasonably assume from this that this restriction is in place because they do indeed save the passwords as plain text...

@GLaDTheresCake@todon.nl @benjojo@benjojo.co.uk Horrid, thank you.

@benjojo 20 characters max is already a giant red flag. There is no reason for this limitation, unless the system was written 25 years ago and never updated since.

@benjojo the crypt hash symbol feels like a relatively benign option when you could pick shell variable expansion

@benjojo oooh, reminds me of the time I broke the uni print system with a password that ended in a back slash

@benjojo@benjojo.co.uk what if it’s a command injection they were too lazy to actually fix, I would try backticks lol

@benjojo hrmm...my mind jumped to Perl scalar sigil...but then I am a literal greybeard at this point

@benjojo tech normie question, is that like the start of what youd enter as like a command string if you wanted to hack into a badly secured thingie?

edit: nvm i see u explained it. that it basically means passwords are stored in plain text??? yikes!

@benjojo LMAO oh noooo

@benjojo The only way I can make this make sense is if they started with encrypted passwords in their database and are migrating to unencrypted passwords for new accounts and using the first character of the password field to determine if a password is encrypted or not. Could be wrong, but I can't imagine any reason that doesn't amount to the website being hot garbage.

@benjojo Me: Enters \nadmin:admin as password
(htpasswd)

@benjojo Related; avoid making passwords that start with a space.