Creepy..... WTF

LOL WTF???

Great security feature!

Hahahaha!!!! I'm dying. No words to describe this.

If you entered the name of your lover as a password, you sure would feel uncomfortable.

Password123

Report as bug. explain consequences. profit~ 😉

Come on tell us the website

How to build a password list... Step 1!

@BlackMagic You are wrong, they can take the password from the input and verify it in real time

@BlackMagic how do you think passwords is checked on login?

That is made of so much win... *facepalm*

WTF !! kkkk !!

@wubstepper most users are so trusting with their credentials, they shove it into everything including their neighbour's mailbox. We love our beloved users, guys like these just make them victims... which also angers me. Cause once you have their credentials from this site, very few users use multiple passwords for various sites.

@wubstepper what's the purpose on encrypting public posts?

@wubstepper #fuckemalltodeath #garrison4prez

@wubstepper
1. I think that quite nobody will care if you encrypt everything...
2. Encrypt everything makes code maintenance very hard

@altermind that's not the point. The important part is how many care when you *don't* encrypt everything.

Tell them this is your password, demand them to tell you who is using it!

I...
What...
Why...
I want to know which PM thought this was a good idea.

How do they know?

@wubstepper I mean that's bad.

I died a little lot on the inside

@sasikanth

PLEASE TELL US THE WEBSITE!!!

It would be great if it prints out the other user's username who is having the same password.

@ravan the odds of it having console.log is pretty high....

Please for the love of got try a SQL injection as I feel they don't sanitize

@wubstepper how are you indexing posts for site searches etc? (Obviously would take to long to decrypt all posts and search every time someone search)

Also nothin states that this information is not hashed uniquely to a user, the user aggregate could have its own copy and separate context could just have the stuff piped through in order to for-fill this feature. Yes it is a shitty feature but the implementation doesn't have to be insecure. Especially if it is in a different database like users in MySQL and this feature in Redis or something.

@all Guys, I found it on Twitter and took screenshot and posted it here. Let me try to find original tweet and share the link here.

PS: As there are lot of people asking for the website tried @all. I'm sure it will not work but fuck we devs try anyway.

Here is the link https://twitter.com/westmaaan/...

@wubstepper so you store the post keywords unencrypted in a map table pointing to a URL?

Place your bets on this using plain text passwords

@wubstepper They could just hash your input and compare the hashes, so this doesn't mean that they sore unencrypted passwords

Absolutely no salt.

@wubstepper well you could hash it on the client for the signup process

If it was written "you can't use your old password " then it was understoodable but no one displays warnings like this, i guess you are the one doing this locally by creating a fake sample page 😌

So who's gonna write a web scraper for.... research?

"Secure environment "

"We respect your privacy concerns"

@puneet, as I mentioned I found it on Twitter and shared it here. You can see the link for original tweet in one of my comments

Wtf...

@bjorngi @blackmagic

At least ist means they dont salt or pepper their hashes... Hashing is not enougth..

Seriously???? What???!!

@wubstepper Why does it matter? I think depends on what the password gives access to. Imagine, you wouldn't lock in a standard 1 cent coin without any market or sentimental value in a large EX classed vault. Because that would be overkill^3.
Same with sites having bad security. If the password is, for lets say saving some sorting preferences on a site, who cares about if the passwords leak?
But its another thing if it were a web shop with saved orders, sensitive info like CC numbers and so on.

@sebastian Every password on every site needs to be secured at the minimum level (hash and salt) because users are not smart enough or industrious enough to create new passwords for every site. At that point, the password you are storing is more valuable than your content.

It's a little unnerving that half the people in this thread, based on their comments, have no clue how security works.

@edisonn
Even if they do it right on their backend, expising a message like that is definitly a security issue ...

I'll prank some users with that soon but only with js, no actual password queries shyt

I smell a business requirement, that really needed to get pushed, and somebody just didn't say ... "WTF that's dangerously stupid"

Wait........ What?!?!?

I don't think this is a bad thing, apart from the fact that passwords aren't being salted. Using a password that's in common use is a huge security risk for the user, and forcing a unique password goes a long way toward improving security. Easy-to-guess passwords get knocked out of the pool early.

@Strosser you could implement this feature with salted passwords...

This is some next level stupidity. Not to mention a complete lack of privacy/security. Smh.

This would've made a perfect repost for wk25

Realy bag :P xD

@BlackMagic or that they hash it while checking for others, or do it front-end. All bad

Just realised this could be a great idea to stop common password usage.

The someone else could literally be the list of most common passwords dumped online that attackers use to try stop people using them

That's not a Security threat, that information is useless. Even I can say someone in this world has a given Password. It might be useful if someone keeps a weird Password like you and you have found your "Soulmate"