Pro@programming.dev to Programming@programming.devEnglish · 6 days agoCursed knowledge we have learned as a result of building Immich that we wish we never knew.immich.appexternal-linkmessage-square56fedilinkarrow-up1145arrow-down14
arrow-up1141arrow-down1external-linkCursed knowledge we have learned as a result of building Immich that we wish we never knew.immich.appPro@programming.dev to Programming@programming.devEnglish · 6 days agomessage-square56fedilink
minus-squareirelephant [he/him]@lemmy.dbzer0.comlinkfedilinkarrow-up26·edit-25 days ago The bcrypt implementation only uses the first 72 bytes of a string. Any characters after that are ignored. what
minus-squareloweffortname@lemmy.blahaj.zonelinkfedilinkEnglisharrow-up16·5 days agoThis is how someone cracked Okta a few years back: https://medium.com/@rajat29gupta/bcrypt-and-the-okta-incident-what-developers-need-to-know-9d13a446738a
minus-squarechaos@beehaw.orglinkfedilinkarrow-up10·edit-25 days agoOlder Unix systems used to only do the first 8 bytes for passwords. Sometimes for my own amusement when logging into one of the Sun machines at school, I’d type in enough of my password to count and then just mash the keyboard.
minus-squareSenal@programming.devlinkfedilinkEnglisharrow-up4·4 days agofor a long time, hotmail (and i think windows live mail) only checked the first 16 characters.
minus-squarelad@programming.devlinkfedilinkEnglisharrow-up3·4 days agoThat’s almost as good as the ones that limit password on the sign-in UI, but not on the sign-up
minus-squarefuzzzerd@programming.devlinkfedilinkEnglisharrow-up3·4 days agoI have run across one that allowed arbitrary length when doing account creation and password reset but silently truncated the login input. Took me hours to figure out that my password was longer than the documented length, try it and then have no problems.
what
This is how someone cracked Okta a few years back: https://medium.com/@rajat29gupta/bcrypt-and-the-okta-incident-what-developers-need-to-know-9d13a446738a
Older Unix systems used to only do the first 8 bytes for passwords. Sometimes for my own amusement when logging into one of the Sun machines at school, I’d type in enough of my password to count and then just mash the keyboard.
for a long time, hotmail (and i think windows live mail) only checked the first 16 characters.
That’s almost as good as the ones that limit password on the sign-in UI, but not on the sign-up
I have run across one that allowed arbitrary length when doing account creation and password reset but silently truncated the login input.
Took me hours to figure out that my password was longer than the documented length, try it and then have no problems.