And there are plenty of bad systems, especially in this fail fast BS paradigm clueless idiots like to use. We know because they keep getting hacked (looking at you, lastpass!)
Sure, but the comic isn’t talking about legit password usage systems. It’s talking about how a comma could break the csv formatting of a csv file that came from a data breach and dump.
While on the topic, this isn’t how passwords work in systems.
Passwords are stored as one way hashes. So it’s cryptoed only in one direction, it’s lossy, and can’t be recovered back to the original password.
When you log on, your cleartext PW is hashed in ephemeral memory/storage and then the cleartext password is thrown away.
That hash is compared to the hash in the DB. If the hash matches, then you have access. If it doesn’t, then your PW is incorrect.
Oh my sweet Summer Child. This is definitely how it’s supposed to work, but there are plenty of services that just don’t know what the fuck they’re doing.
Have you ever been on a site that has a stupid-low character limit for a password? There’s literally no reason to do that, all the hashes are going to end up the same size in the DB anyway regardless of the original string length. Even bcrypt’s max secret character limit is 70-something characters.
Ever change a password and have it not work on the next login because they’re silently truncating it after a certain character limit? Ever get an email with an actual password in it?
The only reason you would do things like this is if you’re storing/processing passwords in plaintext and not hashing it client-side first.
I can think of 3 offenders of this off the top of my head. It’s a lot more common than you’d think.
deleted by creator
It’s now how passwords work in good systems
And there are plenty of bad systems, especially in this fail fast BS paradigm clueless idiots like to use. We know because they keep getting hacked (looking at you, lastpass!)
Yes, I’m a waterfall guy - get off my lawn!
deleted by creator
Sure, but the comic isn’t talking about legit password usage systems. It’s talking about how a comma could break the csv formatting of a csv file that came from a data breach and dump.
deleted by creator
Unless you were looking for a sick rhyme for tiptoed, try encrypted.
Encryption is inherently reversible though. Hashing is the most accurate term to describe it
deleted by creator
deleted by creator
Oh my sweet Summer Child. This is definitely how it’s supposed to work, but there are plenty of services that just don’t know what the fuck they’re doing.
Have you ever been on a site that has a stupid-low character limit for a password? There’s literally no reason to do that, all the hashes are going to end up the same size in the DB anyway regardless of the original string length. Even
bcrypt’s max secret character limit is 70-something characters.Ever change a password and have it not work on the next login because they’re silently truncating it after a certain character limit? Ever get an email with an actual password in it?
The only reason you would do things like this is if you’re storing/processing passwords in plaintext and not hashing it client-side first.
I can think of 3 offenders of this off the top of my head. It’s a lot more common than you’d think.
Even if it’s hashed, some systems still use unsalted MD5 which is effectively just as bad as plain text.
I don’t understand it. Argon2id has been around for nearly 10 years at this point, scrypt for 15, PBKDF2 for 20 and bcrypt for 25. It’s not hard.