Password 15 max!?! : They know 0
-
ElectronProgrammer wrote:
they couldn't because it would break their system
At which point you should offer your services to redo their website (spit) to conform to legal requirements, at a reasonably inflated price of course.
Never underestimate the power of human stupidity - RAH I'm old. I know stuff - JSOP
Unfortunately I do not know web programming (only some basic HTML 2.0 without CSS). But I would be able to redo implement their database with proper password hashing :) .
-
I was just signing up for (YAOA) Yet Another Online Account -- Microchip.com. When I attempted to add my shortened (only 32 chars pwd -- Usually use 64) I got the following: https://i.stack.imgur.com/D0mFy.png[^] Think About This If the password is hashed, it doesn't matter how many characters the password is, because they are storing the hash!!! This absolutely proves that whoever created this web site login have no understanding of anything that is related to create a web site login. X| That is my rant. Thank you for participating.
Oh, Intel do this too, so I am sure it is alright. Right? :laugh: They also store previous passwords so you can not re-use them. Useful... not!
-
I was just signing up for (YAOA) Yet Another Online Account -- Microchip.com. When I attempted to add my shortened (only 32 chars pwd -- Usually use 64) I got the following: https://i.stack.imgur.com/D0mFy.png[^] Think About This If the password is hashed, it doesn't matter how many characters the password is, because they are storing the hash!!! This absolutely proves that whoever created this web site login have no understanding of anything that is related to create a web site login. X| That is my rant. Thank you for participating.
-
Quite right. I avoid QA so as not to lose what remains of my hair and my sanity. :omg: X|
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows. -- 6079 Smith W.
Are you implying that Richard is bald and nuts? :rolleyes: :-D
M.D.V. ;) If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about? Help me to understand what I'm saying, and I'll explain it better to you Rating helpful answers is nice, but saying thanks can be even nicer.
-
They are probably not hashing the password. I had a similar experience not long ago where, not only were they not hashing the password but, on signup, they sent me the password in clear text to my email (and every month since) and, they published my email on their website feed celebrating the fact that they had one more costumer. I complained about all that and they told me that they stored the passwords in clear text so that they could better help costumers having trouble signing in. When I then asked them to erase my account they told me they couldn't because it would break their system since it was not prepared to remove accounts. So much for the right to forget.
ElectronProgrammer wrote:
When I then asked them to erase my account they told me they couldn't because it would break their system since it was not prepared to remove accounts.
That's the typical moment where a "you'll soon hear from my lawyer" (even when it might be a lie) is pretty handy.
M.D.V. ;) If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about? Help me to understand what I'm saying, and I'll explain it better to you Rating helpful answers is nice, but saying thanks can be even nicer.
-
Are you implying that Richard is bald and nuts? :rolleyes: :-D
M.D.V. ;) If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about? Help me to understand what I'm saying, and I'll explain it better to you Rating helpful answers is nice, but saying thanks can be even nicer.
-
Oh, Intel do this too, so I am sure it is alright. Right? :laugh: They also store previous passwords so you can not re-use them. Useful... not!
-
Are you implying that Richard is bald and nuts? :rolleyes: :-D
M.D.V. ;) If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about? Help me to understand what I'm saying, and I'll explain it better to you Rating helpful answers is nice, but saying thanks can be even nicer.
No; I'm stating that I am. :sigh:
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows. -- 6079 Smith W.
-
They are probably not hashing the password. I had a similar experience not long ago where, not only were they not hashing the password but, on signup, they sent me the password in clear text to my email (and every month since) and, they published my email on their website feed celebrating the fact that they had one more costumer. I complained about all that and they told me that they stored the passwords in clear text so that they could better help costumers having trouble signing in. When I then asked them to erase my account they told me they couldn't because it would break their system since it was not prepared to remove accounts. So much for the right to forget.
They probably don't sanitize their database inputs either, so... obligatory [xkcd: Exploits of a Mom](https://xkcd.com/327/) (Doing this probably breaks the law. Kids, don't try this at home!)
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows. -- 6079 Smith W.
-
Quote:
nly 32 chars pwd -- Usually use 64
Wow, do you hash the passwords in your brain? :-D
"In testa che avete, Signor di Ceprano?" -- Rigoletto
No need to hash : ThisByteThisByteThisByteThisByteThisByteThisByteThisByteThisByte.
-
I was just signing up for (YAOA) Yet Another Online Account -- Microchip.com. When I attempted to add my shortened (only 32 chars pwd -- Usually use 64) I got the following: https://i.stack.imgur.com/D0mFy.png[^] Think About This If the password is hashed, it doesn't matter how many characters the password is, because they are storing the hash!!! This absolutely proves that whoever created this web site login have no understanding of anything that is related to create a web site login. X| That is my rant. Thank you for participating.
raddevus wrote:
web site login
I am not into web design, but is this still done by hand ? I would have thought that you had libraries or templates to take care of such a general website requirement.
-
Oh, Intel do this too, so I am sure it is alright. Right? :laugh: They also store previous passwords so you can not re-use them. Useful... not!
Mark Tumilty wrote:
They also store previous passwords so you can not re-use them.
It's crazy. And just today I got an email from google on one of my "subscription account emails -- used for dumping ground" that said,
Google said:
"Google found some of your passwords online. Anyone who finds them can access your accounts. Your Google Account is still secure. This leak came from somewhere else on the web, and you can secure your saved passwords now using Password Manager."
How do they know my password? If they know it, why don't they tell me the pwd so I can know which one they are talking about. It's crazy.
-
Quote:
nly 32 chars pwd -- Usually use 64
Wow, do you hash the passwords in your brain? :-D
"In testa che avete, Signor di Ceprano?" -- Rigoletto
CPallini wrote:
Wow, do you hash the passwords in your brain?
:) All my passwords are sha-256 hashes. For realz. I wrote this program[^] which allows you to draw your password. It's all FOSS (fully open source software), runs on all major platforms, and you can get all the source code at my github[^]. And you can even try it in your browser[^] with nothing to install.
-
raddevus wrote:
web site login
I am not into web design, but is this still done by hand ? I would have thought that you had libraries or templates to take care of such a general website requirement.
Rage wrote:
but is this still done by hand ? I would have thought that you had libraries or templates to take care of such a general website requirement.
That is spot on! This is the entire issue. There are so many ways to do authentication and it changes constantly and it's just a huge cluster out there. It's confusing and annoying and you could probably make a trillion $ if you could just summarize it and make it work easily for devs. If you take the time to even do a basic search about it you'll fall down a rabbit hole and into another dimension, because the Internet is clogged up with all the ideas about authentication from the Epoch til now. It's all just a huge ball of mud.
-
Unfortunately I do not know web programming (only some basic HTML 2.0 without CSS). But I would be able to redo implement their database with proper password hashing :) .
The only tool you need is a sledge hammer to adjust their servers with. No webby code crap needed.
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, weighing all things in the balance of reason? Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful? --Zachris Topelius
-
CPallini wrote:
Wow, do you hash the passwords in your brain?
:) All my passwords are sha-256 hashes. For realz. I wrote this program[^] which allows you to draw your password. It's all FOSS (fully open source software), runs on all major platforms, and you can get all the source code at my github[^]. And you can even try it in your browser[^] with nothing to install.
-
Mark Tumilty wrote:
They also store previous passwords so you can not re-use them.
It's crazy. And just today I got an email from google on one of my "subscription account emails -- used for dumping ground" that said,
Google said:
"Google found some of your passwords online. Anyone who finds them can access your accounts. Your Google Account is still secure. This leak came from somewhere else on the web, and you can secure your saved passwords now using Password Manager."
How do they know my password? If they know it, why don't they tell me the pwd so I can know which one they are talking about. It's crazy.
-
Rage wrote:
but is this still done by hand ? I would have thought that you had libraries or templates to take care of such a general website requirement.
That is spot on! This is the entire issue. There are so many ways to do authentication and it changes constantly and it's just a huge cluster out there. It's confusing and annoying and you could probably make a trillion $ if you could just summarize it and make it work easily for devs. If you take the time to even do a basic search about it you'll fall down a rabbit hole and into another dimension, because the Internet is clogged up with all the ideas about authentication from the Epoch til now. It's all just a huge ball of mud.
-
They probably don't sanitize their database inputs either, so... obligatory [xkcd: Exploits of a Mom](https://xkcd.com/327/) (Doing this probably breaks the law. Kids, don't try this at home!)
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows. -- 6079 Smith W.
-
Google can take the password displayed online and test it against your account. They do not need to know it. Login to google from your own link and change it.
englebart wrote:
Google can take the password displayed online and test it against your account.
I really had to think about what you meant. You mean they hash the one they found online and then test it against the hash that they stored for my password. Hmmm...Interesting. thanks for making me think that through more clearly. :thumbsup:
