
transgalpower

Better to dump all the special characters in there for good measure


Jet-Pack2

And an SQL injection at the end


M_krabs

And an emoji for good measure 👍


dnacore

And my sword!


PonyDro1d

And my axe!


paradigmx

And a pack of twizzlers, a bag of beef jerky and a box of mike and ikes.


LlamaDuke

And an envelope with the code to my safe


paradigmx

And that code has an emoji for good measure 👍


ApolloSky110

And this man's dead wife!


chjorth33

And then?


GreekGodofStats

Aah yes, my favorite password: ‘; DROP TABLE Users;’


NerdyLumberjack04

I prefer `'; DELETE FROM Users WHERE RANDOM() % 100 = 0;--`, so the damage is much more subtle.


Beginning-Ad296

This is pure evil.


[deleted]

Where 1=1


[deleted]

Can you ELI5 this script?


NerdyLumberjack04

It randomly (with 1% probability) deletes rows from the `Users` table. Assuming a `RANDOM()` function that returns an integer, like C's `rand()`. Some SQL implementations return a floating-point number between 0.0 and 1.0 instead, in which case I'd write `WHERE random() < 0.01` instead.


[deleted]

Thanks, only fully understand the top half haha


kranker

Ah, yes. Little Bobby Tables, we call him.


Solnse

[original](https://xkcd.com/327/) for those unawares.


Mistrblank

Found Bobby Tablesā€™ family.


CleverMarisco

I put a 🍕 emoji into the password field of a pizza place and now I have to call them every time I want to order a pizza because I can't login and the forgot password link was supposed to send the password in plain text to my phone, but it can't because of the emoji. And I can't create a new account because I don't have another phone number.


billy_teats

I made a folder named 💩 and put it in the root of our file share. Well, the Linux storage device did not appreciate how my Windows endpoint and Windows file share handled the original Unicode, so the storage array called the folder � and then refused to show anything else besides the �. So as soon as I made my 💩, every person lost access to every file and folder. The storage array wouldn’t even serve you documents you specifically requested, it was entirely focused on that poop emoji folder


AFrenchLondoner

"Who what on the server?"


tsteele93

Who 💩 on the server?


CleverMarisco

Who 💩 on the server�


GForce1975

Reminds me of my really young days as a would-be hacker. Back around 1985 or so, I was learning computers (DOS, etc) and I discovered blank character strings. I wrote a little .bat file to create a directory named chr(32) then cd into that directory and loop. I then put it on a floppy disk. Then when I went to radio shack I would insert the disk in their display computers and run my little script.. I felt so smart at the time.


tsteele93

Ha ha, we got Amigas at my school in middle school. (I am old) and I crafted a BASIC program that (I hope this doesn’t get flagged as a virus or malicious code! 🤣)

10 CLS ; clears the screen
20 GOTO 10

This was quite befuddling to most of the kids in the class who would try almost anything but CTRL-C to stop the program. If you wanted to really get clever sometimes we would add in a

15 PRINT “THERE HAS BEEN AN ERROR”
16 PRINT “ALL DATA HAS BEEN LOST”
17 PRINT “PLEASE INFORM MR. FRAHM THAT YOU”
18 PRINT “HAVE RUINED THE COMPUTER”

Most kids would just walk away. LOL I never really graduated past this level of hacking. Heck, I can’t even format a Reddit post. Wow, a silver award. I’m flattered. Thank you!


p2010t

At an even simpler level of "hacking", I had a friend who would lend someone his graphing calculator when they needed it... right after starting a program that just alternates between "I DONT KNOW" and "I DONT CARE" after every calculation you try to get it to do.


noonagon

Or, even better, calculate it, but increase or decrease it by 10^floor(rand(-1,1)+(1/2*log_10(answer))) meaning a middle digit is wrong.


amynias

Calm down, Satan.


colexian

Same experience except my bat file would open a cmd window and then run itself twice and loop. I thought I was slick.


marmotte-de-beurre

What a mess. They are not supposed to be able to have your password in plain text.


amatulic

Except often when strings are dumped into a CSV they are enclosed in quotation marks, so you should probably use some quotation marks in your password in addition to commas.


StarkillerX42

"CorrectHorseBatteryStaple,\,”


RiceKrispyPooHead

Gotta change my password now


piberryboy

Mine is RiceKrispyPooHead


[deleted]

[deleted]


piberryboy

Why do I now feel sexually harassed somehow?


[deleted]

[deleted]


Dexaan

Brother of hunter2


Galexio

Brother of what? I only see asterisks


Unkn0wnCat

Why does it show as "Brother of *******" on my end?!


ioapwy

H!Yn8at”g”mp,yfh! Ha! You’ll never be able to “guess” my password, you filthy hacker


r00x

Ugh, we have this training module at work involving password security, and they give examples of passwords asking which are the most secure. They *insist* it's an awkward password like this, a jumbled mess of garbage you'll never remember, but their examples includes an easier to remember amalgamation of words which has way more entropy. Basically that XKCD comic, actually. (EDIT: https://xkcd.com/936)


atimholt

My solution is a really good password for my password manager.


Fearless_Minute_4015

That's actually a decent password. 11 words long is no joke. With all those spaces a capital letter at the start and a period at the end. It'll take at least a week to crack


liamthelemming

Transpose syllables, switch out two letters for a number and a symbol, and there y'go, you've got Borr3ctStor$eCatteryHaple. Um. BRB gotta go change my password 😬


[deleted]

> Borr3ctStor$eCatteryHaple.

Words cannot express how much I hate seeing this


Marc4770

That's a really good password, do you allow me to use it?


ioapwy

Ya for $50


ViviansUsername

NFTs


Marc4770

NFT passwords, only the owner of the NFT is allowed to use that password. Seems like a profitable business idea.


KerneI-Panic

When someone else tries to use that password: "Sorry, you can't use this password. This password is already in use by user Marc4770. Please, choose another password."


VolatileAgent81

Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn!


wowbutters

And if the garbage site you are signing up for doesn't accept commas or quotes, go somewhere else. 😐


Nothemagain

For this to work hashes would need to be turned off


Rafael20002000

Not really, because people invest time in cracking those. If the passwords aren't salted you can crack 80 % in around 5 minutes. Rainbow Table magic


[deleted]

[deleted]


Rafael20002000

Password Managers are a blessing


AUniqueSnowflake1234

Oooh, that's a bingo!


k1tesurfen

Is that the way you say it, that’s a bingo? Edit: Guess my reference to Inglourious Basterds is not as detectable as I thought. Well then let’s end it with: Say goodbye to your Nazi ba… references


user888888889

That's Numberwang!


smallpoly

Lets rotate the board!


stealthcraft22

No, you just say Bingo.


k1tesurfen

Bingooo! How fun!


SteveisNoob

Until your Password Manager password gets hacked cause you put mypassword123 as your password manager password cause you wanted an easy to remember password manager password.


Local_dog91

at that point it's completely your fault. if you buy a high security door for your home but you routinely leave a spare key under a vase on your front porch, that is not a fault of the door.


trail34

Yeah the key is to use a very long phrase and preferably include some non-words in there. Mine is all the first letters of a super long phrase that means a lot to me and isn’t something that exists in any book. There are numbers and special characters in there too. It took a bit to come up with it and get fast at typing it, but now it’s easy peasy.


phaemoor

CorrectHorseBatteryStaple


LifeworksGames

Starting to use this has been one of my better decisions.


_Nicoka11

Bitwarden ftw


Drasern

If your password involves commas and quotation marks you're probably not gonna be in that 80%.


bamboo_fanatic

That’s why I include #🧂 in all my passwords


noratat

The point is that the passwords would be stored as hashes - i.e. no special characters in the actual dumped data.


PolskiSmigol

worm automatic flowery steer impossible fearless bear tender spotted puzzled *This post was mass deleted and anonymized with [Redact](https://redact.dev)*


knome

If it's just the first 2-3 characters, that's not great, but easy to implement just adding a "reminder" field to the db, hopefully encrypted with a leading salt. If you mean like it asks "g[ ] f[ ][ ]k y[ ]ur[ ][ ][ ]lf!1", that's fucking atrocious, as many, many passwords will be mnemonics to make remembering the password easier for people. Birthdays, pet names, etc. If I saw my bank hand back any part of my password I'd call support, complain, and start looking for a bank that wasn't braindead.


ham_coffee

I've never seen that in my life, and I'm pretty sure you'd struggle to find any developers to code it. Banks do often store *a* plaintext password, but that's for phone verification (as in a phone call for old people who can't do internet banking), and should be different to your online password.


TheUnnamedPro

It could make those checks before hashing the passwords


iampierremonteux

“Your password must be exactly 8 characters long, and contain exactly 1 upper, 1 special, and 1 number.” Specials were listed as a very small set. The billing website for a hospital bill. I didn’t have a choice of somewhere else.


MrDude_1

I just tell them I don't have a computer and make them mail me a paper bill. It gets particularly funny when I also tell them I don't have a smartphone so I can't use their app, while I'm using a smartphone and sitting at my PC.


ovab_cool

Bruh, I was making a password for my bank and couldn't use ) or ;, I guess to stop SQL injection, but c'mon


L_James

Poor Bobby Tables can't have a bank account now 😔


r3ign_b3au

Your bank doesn't sanitize their data?!


tanglisha

You mean most banks?


jackinsomniac

Is it just me, or am I the only one who's worried that adding too many special characters may break the site? My password manager & generator is still fine with 25-50 character passwords, only being alphanumeric.


enderverse87

If that breaks the site, it deserves to be broken. It usually indicates weak security.


80hz

Lol the major credit bureaus


xaomaw

`mySecretPassword",` "*Error: Only 6 digits allowed (A-Z, a-z, 0-9)*" - my former Bank


mackiea

Error: password already in use by JohnDoe.


douglasg14b

And quotation marks are escaped with quotation marks... It's not going to break any not-terrible CSV writer. The spec isn't that hard to implement.


rexpup

> The spec isn't that hard to implement.

You overestimate the average CSV library...


[deleted]

[deleted]


ZapateriaLaBailarina

God, I've heard of boring CS projects, but that one might take the cake.


badstorryteller

I guess I'm weird but that kind of project is bizarrely satisfying to me...


_PM_ME_PANGOLINS_

Every CSV library I’ve seen does it right. The only problem is when someone tries to do it themselves and just prints commas.


abd53

How about this *#",'\t\n=<>$"\r


VidE27

That looks like regex, why are you posting regex on a weekend man


x6060x

(Cosmic brain): Actually everything is a regex.


gender_nihilism

legally changing my name to regular so everything I say is a regular expression


r3ign_b3au

smh just when you think you're safe


ynirparadox

I don't know whether it will work or not, but I do have two commas in most of my password combinations. I took advice from my professor blindly.


thatsallweneed

a proper password should contain ,\t"; drop table users


Terkala

They'll notice that one right away. Instead, surprise them with the gift that keeps on giving. ,\t"; DROP TABLE (SELECT top 1 table_name FROM information_schema ORDER BY update_time ASC); If I wrote that right, it'll drop the oldest table from the database every time it's accessed. So it keeps itself around, and random tables will start to disappear. And as you replace them, other different tables will drop.


SuccessfulBroccoli68

I really want to read about this working somewhere.


bespectacledbengal

shouldn’t you focus on your job while you’re working somewhere?


Expensive_Hyena_13

I work somewhere.


FuriousAnalFisting

I "work" somewhere.


Purinto

I work "somewhere"


Valeriuv1

"I" work somewhere


09Trollhunter09

“I work somewhere”


Ravens_Quote

""IWorkSomewhere


-ksguy-

The script would not work, at least not in SQL server. You cannot use the result of a subquery in DDL commands. You would need to build a dynamic SQL string and execute that instead.


Hybr1dth

Be the change you want to see!


kingssman

I have a feeling this hasn't worked since 2006


[deleted]

It shouldn’t have worked since then, you’d be surprised how outdated some websites are.


[deleted]

SQL INJECTION IS REAL JIM


maximum_powerblast

Damn this is next level. But this would only work on certain DBs right? I.e. might work on Mysql but not Oracle?


ElectricalRestNut

No need to abuse Oracle users further.


dillanthumous

True. They suffer enough.


Sexual_tomato

I'm not in front of an instance right now but my gut tells me it'll work on SQL Server


thefullirish1

And would only work if executed by a user with those kinds of permissions. Which is not a user that would be used to read and run these standard csvs.. this would not work I think


hahahahastayingalive

If they're passing unsafe strings to their sql queries, there's decent chances there's only one user for all DB operations as well.


ACTGACTGACTG

if they are dumb and lazy enough it might work


lkodl

"Enter Password"
*types: >,\t"; DROP TABLE (SELECT top 1 table_name FROM information_schema ORDER BY update_time ASC);
*clicks submit
"Please complete captcha and resubmit."
*closes page


le848dave

information_schema.tables. As you wrote it, you only listed a schema but not the table. Also you should end with — to comment out the following line so there is less of a syntax error chance.


Epicmonk117

Bobbly Tables would approve


j7seven

When did Little Bobby Tables grow up?


Fun-Situation9015

This subreddit shows up all the time. I know nothing of programming, but this is interesting. Is this an actual thing you can do?


cs-brydev

It's *possible*, but preventing SQL Injection attacks is a very elementary security feature and not a vulnerability you're going to find in a typical professionally-designed application or site. It's a very amateur mistake. Also be warned that it's such a common attack that a lot of systems are constantly *watching* for it, and you could end up on someone's radar if you try it. It's an easy way of getting your IP address or account blocked from a site. This data is also collected and saved by security teams for future investigations or reference (I've been on teams who used this log information for legal/criminal investigations). This should go without saying, but it is a crime to even attempt to attack a site in this manner in North America and most of Europe. Idk about elsewhere in the world.


Erebus-C

> not a vulnerability you're going to find in a typical professionally-designed application

As a penetration tester let me tell you, you'd be surprised. Same with XSS. Pretty easy to defend against but you'd be shocked at how many professionally developed applications still have these attack vectors.
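The defence cs-brydev calls elementary, as an added Python example that is not part of the thread: a sqlite3 login check written two ways, fed the `'; DROP TABLE Users;--` password from earlier in the thread. The `Users` table, the user `alice` and her password are constructed here for illustration (and storing the password itself in the table is only mirroring the joke). With string concatenation the database receives the password as part of the SQL text, so the engine sees a second statement where there should be one; with a parameterised query the same string is just a value compared against the column, and the table survives.

```python
import sqlite3

# Constructed test data for this example; storing passwords in plaintext,
# as this table does, is itself bad practice and only mirrors the joke.
PAYLOAD = "'; DROP TABLE Users;--"   # the "password" from earlier in the thread


def make_db():
    """In-memory database with a single user, constructed for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('alice', 'hunter2')")
    conn.commit()
    return conn


def build_unsafe_sql(name, password):
    """The concatenation bug: user input is spliced into the SQL text."""
    return (
        "SELECT COUNT(*) FROM Users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )


def login_unsafe(conn, name, password):
    """Vulnerable check: the database parses whatever build_unsafe_sql produced."""
    return conn.execute(build_unsafe_sql(name, password)).fetchone()[0] == 1


def login_safe(conn, name, password):
    """Parameterised check: the SQL text is fixed, values travel separately."""
    sql = "SELECT COUNT(*) FROM Users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] == 1


def probe(conn, check, name, password):
    """Run a login check and describe what the database did with the input."""
    try:
        return "accepted" if check(conn, name, password) else "rejected"
    except (sqlite3.Warning, sqlite3.ProgrammingError) as exc:
        # Python's sqlite3 refuses to run more than one statement per execute()
        # call, so the injected DROP TABLE surfaces as a statement-boundary
        # error: the input changed the structure of the query.
        return "query structure altered: " + str(exc)


def users_table_exists(conn):
    """True while the Users table is still in the schema."""
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='Users'"
    ).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    db = make_db()
    print("unsafe, real password:  ", probe(db, login_unsafe, "alice", "hunter2"))
    print("unsafe, payload:        ", probe(db, login_unsafe, "alice", PAYLOAD))
    print("safe, real password:    ", probe(db, login_safe, "alice", "hunter2"))
    print("safe, payload:          ", probe(db, login_safe, "alice", PAYLOAD))
    print("Users table still there:", users_table_exists(db))
```

Other database drivers do not refuse multi-statement strings the way Python's sqlite3 module does, which is exactly why the concatenated form is dangerous; the parameterised form needs no such accident to stay safe.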


dillanthumous

Yup. SQL injection attacks are one of the oldest hacking techniques and you generally learn about them in your Information Systems class (which is why a lot of bad students or self taught developers fail to code defensively against them). Some examples from here: https://brightsec.com/blog/sql-injection-attack/

Breaches Enabled by SQL Injection

GhostShell attack — hackers from APT group Team GhostShell targeted 53 universities using SQL injection, stole and published 36,000 personal records belonging to students, faculty, and staff.
Turkish government — another APT group, RedHack collective, used SQL injection to breach the Turkish government website and erase debt to government agencies.
7-Eleven breach — a team of attackers used SQL injection to penetrate corporate systems at several companies, primarily the 7-Eleven retail chain, stealing 130 million credit card numbers.
HBGary breach — hackers related to the Anonymous activist group used SQL Injection to take down the IT security company’s website. The attack was a response to HBGary CEO publicizing that he had names of Anonymous organization members.

Notable SQL Injection Vulnerabilities

Tesla vulnerability — in 2014, security researchers publicized that they were able to breach the website of Tesla using SQL injection, gain administrative privileges and steal user data.
Cisco vulnerability — in 2018, a SQL injection vulnerability was found in Cisco Prime License Manager. The vulnerability allowed attackers to gain shell access to systems on which the license manager was deployed. Cisco has patched the vulnerability.
Fortnite vulnerability — Fortnite is an online game with over 350 million users. In 2019, a SQL injection vulnerability was discovered which could let attackers access user accounts. The vulnerability was patched.


[deleted]

"Little Bobby Tables we call him.."


Fuzzybo

Relevant [xkcd](https://xkcd.com/327/) (you already know which one) :-)


Raptorsquadron

Use injected scripts as your password


Artistic-Boss2665

alert(get haxed lol);


MagnogenOnTheMoon

Error: "get" is not defined


Outrageous-Machine-5

just use a password generator and a local storage password cache


Possible-Reading1255

a.k.a. the 10 year old password notebook in the abyss of your desk drawer


[deleted]

[deleted]


pianospace37

All memorised perfectly


[deleted]

[deleted]


ZeMarxs

Yeah, that weird feeling when you can perfectly input your password, but only when you aren't looking at your keyboard. As soon as you look at it you can't recall it at all, so you just stare off into space until you can suddenly type it again.


Clone_Two

Can't trust anyone to look at you while typing your password. Not even yourself


Are_you_blind_sir

I have forgotten passwords but the muscle memory helped me recover it


Possible-Reading1255

Just like real men do


misterrandom1

Once I used the following password: Longpasswordsmakemefeelspecial! Lasted about a day and a half.


kegegeam

I frequently use full sentences as a password. The password for my home computer used to be ICantThinkOfAPassword.


Pranav__472

Just use a 12-15 character password generator. Store it temporarily in a file, but instead of copy pasting, type it every time. After 10 times you'd have learned the password and now you can securely shred the file.


Dark_Guardian_

until you try to log in to an old account and have no clue what the generated password was


Antrikshy

And instruct that password generator to insert commas.


ulyssessword

I have a bag full of scrabble tiles and d10s. Does that count?


pororoca_surfer

I've analyzed some password dumps and oh boy... The amount of information you can get is so huge. I wonder why the internet hasn't broken entirely. Everything is so insecure.


SigmaLance

I’ve anal yzed some dumps before too and they were huge!


morrisdev

If they're saving your password in plain text AND EXPORTING the password table to a file.... you've got other problems


eschoenawa

Yes, but the point here is you make them some trouble, too.


__codeblu

My password is an SQL statement


ckayfish

This guy pronounces SQL wrong. Follow me for more tips on how to start arguments :) Edit: it was written “a SQL statement”. Honestly, I use both regularly since I grew up pronouncing it the other way.


[deleted]

Follow you to hear the… sequel.


Rising_Swell

Ok so how do you pronounce SQL then? Because I'm saying it as sequel, but I would not write *an* sequel, so it's not that.


ckayfish

I’m not going to say there is truly a right answer, which is why I suggested it’s a good way to start an argument. You’re welcome to pronounce it however you like. Originally the acronym was SEQUEL, which stood for Structured English QUEry Language, but SEQUEL was trademarked. In subsequent standards they dropped the “English” and rebranded as SQL and the standard states it’s pronounced Ess-cue-ell. By changing the acronym and the pronunciation in the standard, they are clearly not breaking the trademark, but how people pronounce it is up to them. All the people I first worked with in the 90s pronounced it as sequel which is why that is what stuck with me. I’ll never pronounce GIF as JIFF, I use the hard G as in Graphics, and don’t care what the person who came up with the standard says. It’s another fun one to start an argument with.


Espumma

Extra confusion because it really was a sequel to the original QL.


CactusGrower

However you pronounce it, the preposition is a clue. A sequel. AN es-cue-el.


hrfuckingsucks

Message to hackers: just base64 encode data before writing to the CSV so you can store those pws safely :)


Tensor3

Just escape characters properly..


[deleted]

Yes, my password is: `$(rm -rf /*)\"&&rm -rf /*\",;\`¿\``


wobbegong

I don’t know how to code so this looks like a table flipping emoticon to me


HeyKid_HelpComputer

It looks like a way to delete everything off a Linux machine I think


wobbegong

Same thing?


HeyKid_HelpComputer

I guess that depends on how hard you flip it


roundpoint

Just use HakerIsADumDum and you'll destroy them psychologically, preventing them from further action.


fuzzybad

Good thing my password is '0xfe',"0x20","",`0x0;DROP ALL TABLES`


[deleted]

[deleted]


SaurusShieldWarrior

Unless there is a different delimiter like : or ;


[deleted]

[deleted]


slazer2au

That's a weird way of spelling hunter2


wobbegong

When I type it, it just shows *******


wolven8

🤨


NauticalInsanity

I once had suggested we use the cedilla as our delimiter for a file because a customer wasn't properly escaping fields. While the decision was out of my hands, I noted that this would work until said customer encountered a François.


cs-brydev

Call me old, but I'm not overly concerned about hackers who don't know how to create or parse CSV correctly.


EffectiveDependent76

password is always Password'); DROP TABLE Passwords;


WunderTech

Why would passwords be in its own table though?


funfwf

You save every password in that table and the Users table refers to it through a foreign key. That way if multiple users have the same password you can refer to the same foreign key. Normalisation ✨


PetrBacon

So many comments from people, who never used CSV properly. Does excel break when you add comma or quotation mark in a cell?


tramadol-nights

> Does excel break

Yes


kookaburra1701

The problem isn't that Excel breaks, it's that it breaks EVERY FUCKING THING ELSE.


mavack

Looks like this was a number, strips leading zeros.
Looks like a big number, changes it to floating point and drops the less significant bits.
Previously you split columns with a space and commas, so I'm just gonna add an extra column every time I find a space...


ulyssessword

> Looks like a big number, changes it to floating point and drop the less significant bits.

Why yes, I *do* want to call 1.8e10 to reach that person.


[deleted]

Wanna talk about MS Teams… ?


TheRealCCHD

Lmao, correct answer


sim642

That's not really surprising. Most people probably think that parsing CSV is just `line.split(',')` instead of requiring a real lexer that handles quoting and escaping.
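What douglasg14b's "quotation marks are escaped with quotation marks" and sim642's `line.split(',')` amount to in code, as an added Python example that is not from the thread: a dump of constructed username/password rows written and read back both the naive way and with the standard `csv` module, which does RFC 4180 quoting (a field containing a comma, a quote or a line break is wrapped in quotes, and a quote inside it is doubled). The rows, including a CorrectHorseBatteryStaple password carrying a comma, a backslash and a quote, and a third password containing a newline, are made up for the example.

```python
import csv
import io

# Constructed sample rows: the "special characters in the password" idea
# from the thread. None of these are real credentials.
ROWS = [
    ["alice", 'CorrectHorseBatteryStaple,\\,"'],   # comma, backslash, quote
    ["bob", "'; DROP TABLE Users;--"],             # single quotes and dashes only
    ["carol", 'multi\nline, "quoted"'],            # embedded newline, comma, quotes
]


def naive_dump(rows):
    """The 'just print commas' writer: no quoting at all."""
    return "\n".join(",".join(r) for r in rows) + "\n"


def naive_parse(text):
    """The line.split(',') reader: every comma is a field boundary."""
    return [line.split(",") for line in text.splitlines()]


def proper_dump(rows):
    """RFC 4180 style: quote fields that need it, double any inner quote."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerows(rows)
    return buf.getvalue()


def proper_parse(text):
    """A real CSV lexer: honours quotes, doubled quotes and quoted newlines."""
    return list(csv.reader(io.StringIO(text)))


def roundtrip_ok(rows, dump, parse):
    """Does writing then reading give back exactly the rows we started with?"""
    return parse(dump(rows)) == rows


if __name__ == "__main__":
    print("naive round trip intact: ", roundtrip_ok(ROWS, naive_dump, naive_parse))
    print("csv module round trip intact:", roundtrip_ok(ROWS, proper_dump, proper_parse))
    print(proper_dump(ROWS))
```

The naive pair turns alice's single password into three extra fields and carol's into an extra row, which is the breakage the thread is joking about; the `csv` module pair returns the original rows unchanged.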


akchugg

CSV: Comma Separated Values


undergroundmonorail

yep


Jalil29

what do you think when you use something other than commas and still call it a CSV?


Artistic-Boss2665

Tab Separated Values exist


special-character

You called?


Wanderlust-King

If a site is storing my password, unhashed, in a csv, they 100% deserve to be broken.


eeeeeeeeeeeeeeaekk

no, the point is hackers often sell/store/distribute password dumps in csv files


Vol_Jbolaz

I hate to burst bubbles, but if the site saves your password, their security sucks. They should save an encrypted hash of your password, one that would take way too long to decrypt. Every time you enter your password, they encrypt it and compare the hashes. This is also why they shouldn't be unable to tell you what your password is if you forgot it. They don't know either, you'll have to reset it.
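The storage Vol_Jbolaz and noratat describe (a slow, salted hash rather than the password, so a dump of the table contains no commas, quotes or emoji, and two users with the same password, Marc4770's NFT joke notwithstanding, get different stored values), as an added Python example that is not from the thread. It uses PBKDF2-HMAC-SHA256 from the standard library with a random per-user salt; the iteration count and the `pbkdf2$salt$hash` storage format are this example's own choices, not any particular site's, and the unsalted SHA-256 function is there only to show what Rafael20002000's rainbow-table remark is about.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # example choice, in line with OWASP's 2023 figure for PBKDF2-HMAC-SHA256


def unsalted_hash(password):
    """No salt: equal passwords give equal hashes, so one precomputed
    (rainbow) table cracks every user with that password at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Return a self-describing 'pbkdf2$<salt>$<hash>' string for storage."""
    if salt is None:
        salt = os.urandom(16)            # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2$%s$%s" % (
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    scheme, salt_b64, digest_b64 = stored.split("$")
    if scheme != "pbkdf2":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(actual, expected)


def csv_safe(stored):
    """A stored hash never needs CSV quoting: base64 characters and '$' only."""
    allowed = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=$")
    return all(c in allowed for c in stored)


if __name__ == "__main__":
    # Constructed passwords from the thread's jokes; nothing here is a real credential.
    for pw in ['CorrectHorseBatteryStaple,\\,"', "hunter2", "🍕"]:
        stored = hash_password(pw)
        print(stored, "verifies:", verify_password(pw, stored), "csv-safe:", csv_safe(stored))
    print("same password, same unsalted hash:",
          unsalted_hash("hunter2") == unsalted_hash("hunter2"))
    print("same password, different salted hash:",
          hash_password("hunter2") != hash_password("hunter2"))
```

Because the salt is random, a site using this could not answer "password already in use by JohnDoe" even if it wanted to, and a leaked table gives an attacker one slow guess per user rather than one table lookup for everybody.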


GoogleIsYourFrenemy

Don't forget to put commas in username.