>always use 'nigger' as part of online account passwords
>applying for jobs
>one result today is pic related
(screenshot altered for privacy)
is this really a thing? how the fuck is it anybody's business but mine what actual words i use in my passwords?
Always use 'nigger' as part of online account passwords
nigger
Apply using @nigge.rs mail for keks
They really shouldn't be storing or seeing your password in plaintext. This is indicative of really, really bad security.
That is what I was thinking - they are literally running the plaintext password through filters checking if it contains nigger, spic or fuckjannies instead of hashing it.
This site looks exploitable as fuck.
are you me?
How is that even known? Do they store them in a .txt file?
It could be client-side, checking with a script in browser before hashing it. It probably isn't.
nice. thank you.
I just checked:
Couldn't see any client side shit
If it's not salted they can still disallow certain passwords, even if they are hashed
only exact matches though, they can't pick "nigger" out of "fie9wg48niggern3809wt"
my password was similar to what you said (fie9wg48niggern3809wt)
>they have a list of all possible passwords that contain the word nigger and the hashes of those passwords
>they check against it
>a list of all possible passwords
>they have a list of all possible passwords that contain the word nigger and the hashes of those passwords
no they don't, that would be retarded, especially since you can do substring matches clientside before it gets hashed, without needing rainbow tables and a shitload of ram to fucking crack the passwords on the server to check them for naughty words
or, you know, do nothing because it's a fucking password, nobody but the customer will ever see it, so it doesn't matter at all what it contains
imagine your female project manager coming up to you and saying "could we make sure to block the n-word for passwords?"
you don't get out much, do you tyler?
if they're storing their passwords in a plain text file then shit like sql injection won't work so they're pretty safe
That's one way to look at it.
>literally creates security vulnerability in order to virtue signal
God I really hope someone finds a good way to exploit this
That's practically impossible
And why wouldn't that still work exactly?
because if they're not using sql then... why would the sql you injected be interpreted as sql and not just be ignored? are you braindead?
You can still inspect the password before hashing it, to check password strength for example. In this case it's pretty weird though.
Retard
What the fuck
What does it do when you enter password as your password?
Can't they check this before hashing it and putting it in the database on the server side though?
t. doesn't know shit about webdev
How the fuck else are they supposed to check your password retard?
is this a troll or did you graduate a coding bootcamp?
don't worry, the fact you set the bar so low and you are an edgy retard means you wouldn't get the job in the first place. stay in school kid and stop trying so hard to fit in here.
Tell me how you are supposed to verify that a password is correct without seeing it in plaintext.
Yes
There is no security outrage here
ok, you "win" because of "seeing"; the guy you replied to should have just said storing though
wow
Based retard
Retards detected.
he’s really doubling down on this one
Go ahead and outline your revolutionary cryptography system that no one has ever thought of before.
Imagine going about your day this intelligent
>list of all possible passwords
Fascinating.
i'll give you a hint: if you hash a password twice, you get the same hash twice
The original text is not the password. The password is the first hash of the text. Are you seriously this retarded?
This is the hash of my password.
312f8c82d26dd7bebff51d02b5
Now tell me how you would verify my login with this information, and something else that is not my password in plain text.
lmao enjoy being blacklisted
can you link me this so I can bruteforce passwords filtering for bad words? Any reduction in the amount of iterations needed is welcome so this website is probably a good target.
no i just started over, used a different password, and completed the application process. Hopefully I might soon be making a pathetic wage at a shitty warehouse job.
Lol
How does it know how to use da cumpootah
Still waiting for your revolutionary cryptography breakthrough.
Left my quantum computer in my other pocket. Can I just prove the Goldbach conjecture instead?
You are sounding more and more like an idiot.
Sorry user I can't understand you if you don't use PGP. Give me your PGP key and then we talk.
I have no need to talk to an idiot who thinks quantum computing is related to password hashing.
What's your problem? You just send me the hash, I compare it with the hash I know.
If your point is "knowing the hash is knowing the password", then well, I don't know what to say to that, you can apply that to any iterated hash or even salted stuff too, but I don't know how that's supposed to make sense.
Wow, so you are literally retarded. One database leak and now everyone can login as anyone in your system.
does it allow the password "password"?
having checks to make sure someone isn't using a simple, common password is a good idea
nigger is a simple, common password
I've been e-mailed my plain text password multiple times when signing up for stupid company job application sites.
LMAO
Bruh
So password strength being displayed to you means the website is exploitable? You're a fucking retard.
Of course! You should never send your password to the server. You never heard of this super revolutionary cryptography method?
>always use 'nigger' as part of online account passwords
Yeah it's probably the same module that checks that your password has upper and lower case letters, numbers, symbols, etc. Nothing insecure about it, imo.
It's still pretty stupid to police people on the political correctness of their passwords.
I don't see the problem
It was probably the idiot developer of the password system. He's like oh I know let's block all bad words. Then he did it and no one else ever noticed or if they did they simply didn't care.
no one is wondering who/why the fuck requires you make an account to apply for a job?
so they can call you when they need you to scrub the toilets instead of the job you applied for
If they're just dumping everything to a text file that's probably even more likely it's vulnerable to an injection or DoS attack
>password length cannot be derived after plain text
>the letter 'a' is a valid password unless password criteria is client-side
>you're actually suggesting password criteria be client-side
Wow
>a system that isn't SQL is more vulnerable to an SQL injection than a system that is
People on Jow Forums are honestly fucking retarded. Stop arguing with that guy.
The server can check the password before it hashes it. This doesn't imply they're storing the password in clear text
You realize most webapps build their own password validation systems, right? Are you retarded, friend?
Jow Forums is not a fast board. Read the thread faggot. Or better yet use common sense.
Sucks for you, racist dickhead.
What the fuck are you talking about retard?
how can someone be this retarded
This is what good quality bait looks like.
Injection attacks aren't exclusive to SQL.
If the file stores the data as a series of JSON objects, or even newline or null delimited plaintext, for example, and doesn't escape input, it would also be vulnerable to an injection attack.
1. enter "mahpassword" as your password, this text is hashed, say, to "e71fe5cb2e6b4c3087f8f69dfd998bd4" (md5), either on the client, before being sent to the server, or by the server, before storing it
1.a. note that at this point, the server has stored only the hash, and has either forgotten or never knew that the password was "mahpassword"
2. you want to login, you enter "mahpassword". the client or the server hashes your input, which results in the same, "e71fe5cb2e6b4c3087f8f69dfd998bd4". this is compared with the hash which was stored on the server. if they match, you must have entered the correct password
it's not rocket surgery
The password is "e71fe5cb2e6b4c3087f8f69dfd998bd4", not "mahpassword".
imo sites should use results from those top passwords sites as a blacklist
would result in a kind of simple global "you've used this password before", ensuring that no password can become common
no, it's not, because if you attempt to log in with "e71fe5cb2e6b4c3087f8f69dfd998bd4", this is hashed and becomes "ef758b46608ab70b2beac7b5c8fed309", which doesn't match what the server has on file. only the plaintext password will result in the same hash as what the server has
So how does the server hash the password without seeing it in plaintext retard?
This. You cannot claim that any site which has password-requirements must also be storing passwords in clear text.
the client hashes the password retard
-- if you want to be extremely specific, the password isn't "mahpassword" at this point either, it's "a string whose md5 checksum equals e71fe5cb2e6b4c3087f8f69dfd998bd4", which only /includes/ "mahpassword"
the hashing can be done by the client, but it's not really a good idea, because then the client could be hacked to accept hashes as passwords, meaning someone only needs to steal hashes off the server to log into accounts
hashing on the server means you must know the plaintext to login, stolen server hashes won't help you
So does the server see the password in plaintext or not????
Answer the fucking question.
>allowing javascript
maybe, it depends
note that there's nothing stopping you hashing clientside AND serverside, which gets you the best of both worlds, server never sees the plaintext, and yet still stores hashes which can't be used to login with
If you hash client and server side, the hash of the original input into the client is the password.
Try using faggot instead of nigger.
yes, that is true
however, this is not what the server stores, and the server cannot tell what was originally entered (unless again, the client was hacked and a hash-like string was manually created... clientside hashing is probably pointless, maybe someone else can more confidently confirm or refute this)
if you want to filter words from a password, you should:
1. send the plaintext to the server (over an encrypted link, i hope!)
2. server checks for naughty boy words
3. hashes it if it's deemed politically sanitary
4. stores the hash, and discards the plaintext from memory
...
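As an added example, not code posted by anyone in this thread: the four-step server-side flow above (plaintext in, policy check, hash, store and forget), together with the register/login hash comparison walked through earlier in the thread, in Python. The blocklist entries, the common-password set and the usernames are constructed placeholders; the storage format is salt plus PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os

# Constructed policy lists for the demo; a real deployment would load a
# breached-password list, not a handful of literals.
BLOCKED_SUBSTRINGS = ("badword",)                 # placeholder for a filtered word
COMMON_PASSWORDS = {"password", "123456", "qwerty"}

# In-memory stand-in for the user table: username -> (salt, hash). No plaintext.
USERS = {}


def check_policy(plaintext):
    """Return a rejection reason, or None if the password passes.
    Runs on the server before hashing, so it sees the plaintext once and can
    do substring matches that no comparison of hashes could ever do."""
    lowered = plaintext.lower()
    if lowered in COMMON_PASSWORDS:
        return "too common"
    for word in BLOCKED_SUBSTRINGS:
        if word in lowered:
            return "contains blocked word"
    if len(plaintext) < 12:
        return "too short"
    return None


def hash_password(plaintext, salt):
    """Salted, iterated hash; the salt defeats precomputed (rainbow) tables."""
    return hashlib.pbkdf2_hmac("sha256", plaintext.encode(), salt, 100_000)


def register(username, plaintext):
    """Step 2-4 of the thread: check plaintext, hash it, store only salt+hash."""
    reason = check_policy(plaintext)
    if reason is not None:
        return False, reason
    salt = os.urandom(16)
    USERS[username] = (salt, hash_password(plaintext, salt))
    del plaintext  # the server has no further use for the plaintext
    return True, "ok"


def verify(username, attempt):
    """Login: re-hash the attempt with the stored salt and compare in constant time.
    Sending the stored hash itself as the password just gets hashed again and fails."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(attempt, salt), stored)
```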
Based. I do the same thing.
Also be sure to say you are Hispanic + Native American (they can't prove it, they aren't going to do a genealogical search or DNA test).
When I was pic related, I would get 5% interview rate at best. Now it's 50% or greater.
I also enjoy wasting their time if I am rejected. You waste 2 hours of my time and keep me waiting for weeks on end, I waste 2 weeks (336 hours) of yours with full effort. VPNs, 2000 fake email addresses, instant email addresses, other applications.
Also, high IQ people should file for disability and SSI so they don't need to depend on the mercy of these retards.
I used to be very polite, some may even say amiable. 1-5% response rate for being an honest white male... Honesty is the best policy but you can't be honest with the dishonest. Hold them to their own categorical imperative and you will see their system thence justly collapses.
So the server sees the plaintext of the password.
And your IT department sees that you are using the word NIGGER and forwards it to HR as a problematic applicant (ie DONT HIRE THIS GUY).
>Other Veteran
I was excited until I saw it was a drop down box...
When did Jow Forums get so dumb?
Nvm, you’re right, they got me.