855

Creepy..... WTF

Comments
  • 24
    LOL WTF???
  • 67
    Great security feature!
  • 6
    Unbelievable... Smh
  • 7
    Hahahaha!!!! I'm dying. No words to describe this.
  • 66
    If you entered the name of your lover as a password, you sure would feel uncomfortable.
  • 8
    Password123
  • 13
    Report as bug. explain consequences. profit~ 😉
  • 3
    Come on tell us the website
  • 23
    This also means that they don't hash the password..
  • 14
    How to build a password list... Step 1!
  • 15
    @BlackMagic You are wrong, they can take the password from the input and verify it in real time
  • 13
    @BlackMagic how do you think passwords are checked on login?
  • 3
    That is made of so much win... *facepalm*
  • 2
    What. The. Fuck!?
  • 2
    WTF !! kkkk !!
  • 13
    As a developer this angers me! Shit I encrypt everything even public posts! This is the most stupid shit I have ever seen! This is because some developer doesn't care about user security! Fuck these people!
  • 2
    @wubstepper most users are so trusting with their credentials, they shove it into everything including their neighbour's mailbox. We love our beloved users, guys like these just make them victims... which also angers me. Cause once you have their credentials from this site, very few users use multiple passwords for various sites.
  • 2
    @wubstepper what's the purpose of encrypting public posts?
  • 4
    @sasikanth can we please get the website? This is very unsecure... They really need to be taught not to do this...... This goes without question as being horrible.
  • 2
    @altermind just for the ability of saying "everything I do and use is encrypted" lol
  • 3
    @wubstepper #fuckemalltodeath #garrison4prez
  • 1
    Seen this more than once actually
  • 1
    @wubstepper
    1. I think that quite nobody will care if you encrypt everything...
    2. Encrypting everything makes code maintenance very hard
  • 1
    @altermind that's not the point. The important part is how many care when you *don't* encrypt everything.
  • 1
    @altermind okay to clarify this is only on my personal projects for shirts and giggles. If it was an actual project I wouldn't do that. I understand that doing this is tedious. TRUST ME I know it's interesting to do xp
  • 1
    @altermind @lerk Even if I don't encrypt everything on professional projects I do encrypt a majority of info.
  • 1
    @altermind @lerk because you never know what an attacker can do with info. It could be a personal profile hidden from someone and what if they hacked into the db? They would have account details and everything. Gotta be prepared for the worst ALL THE TIME!
  • 10
    Tell them this is your password, demand them to tell you who is using it!
  • 3
    I...
    What...
    Why...
    I want to know which PM thought this was a good idea.
  • 0
    How do they know?
  • 0
    @veslav probably plain text passwords
  • 1
    @wubstepper I mean that's bad.
  • 1
    I died a little lot on the inside
  • 0
    @veslav I mean yeah that's pretty bad...
  • 0
    @sasikanth

    PLEASE TELL US THE WEBSITE!!!
  • 0
    It would be great if it prints out the other user's username who is having the same password.
  • 3
    @ravan the odds of it having console.log is pretty high....
  • 3
    Please for the love of God try a SQL injection as I feel they don't sanitize
  • 0
    @wubstepper how are you indexing posts for site searches etc? (Obviously would take too long to decrypt all posts and search every time someone searches)
  • 0
    Also nothing states that this information is not hashed uniquely to a user, the user aggregate could have its own copy and separate context could just have the stuff piped through in order to fulfill this feature. Yes it is a shitty feature but the implementation doesn't have to be insecure. Especially if it is in a different database like users in MySQL and this feature in Redis or something.
  • 2
    @all Guys, I found it on Twitter and took screenshot and posted it here. Let me try to find original tweet and share the link here.

    PS: As there are a lot of people asking for the website, I tried @all. I'm sure it will not work but fuck we devs try anyway.
  • 0
    @bweston I have a function to decrypt the posts and it's indexed by a unique URL which has also been hashed....
  • 0
    @wubstepper so you store the post keywords unencrypted in a map table pointing to a URL?
  • 0
    @bweston no I don't encrypt key words. The whole thing. It's a very convoluted process with many working parts. But hey it works lol.
  • 2
    Place your bets on this using plain text passwords
  • 2
    @wubstepper They could just hash your input and compare the hashes, so this doesn't mean that they store unencrypted passwords
  • 0
    @codelis I've thought that but why would you keep hashing random strings. That's asking too much of a server for a huge company. That could easily slow down the server. I'm also taking into consideration that if they are searching hashes it's also live. So not only hashing.

    Input->hash->search->{show string if taken}
    Input->hash->search->{show string if taken}
    Input->hash->search->{show string if taken}

    The reason for the multiple diagrams is to show that's a lot of processes if it's a live search if the DB also depending in the DB will depend of speeds. This is bad and always will be bad no matter how they do it.
  • 5
    Absolutely no salt.
  • 0
    @wubstepper well you could hash it on the client for the signup process
  • 0
    @codelis idk this whole thing just seems WAYYYYYYYYYYYY off no matter how they do it.
  • 1
    If it was written "you can't use your old password" then it was understandable but no one displays warnings like this, I guess you are the one doing this locally by creating a fake sample page 😌
  • 1
    So who's gonna write a web scraper for.... research?
  • 0
    "Secure environment "
  • 1
    "We respect your privacy concerns"
  • 0
    @puneet, as I mentioned I found it on Twitter and shared it here. You can see the link for original tweet in one of my comments
  • 0
    Wtf...
  • 1
    @bjorngi @blackmagic

    At least it means they don't salt or pepper their hashes... Hashing is not enough..
  • 1
    @JaggerJo Yeah, you're right. my mistake
  • 0
    Seriously???? What???!!
  • -1
    @wubstepper Why does it matter? I think it depends on what the password gives access to. Imagine, you wouldn't lock in a standard 1 cent coin without any market or sentimental value in a large EX classed vault. Because that would be overkill^3.
    Same with sites having bad security. If the password is for, let's say, saving some sorting preferences on a site, who cares about if the passwords leak?
    But it's another thing if it were a web shop with saved orders, sensitive info like CC numbers and so on.
  • 3
    @sebastian Every password on every site needs to be secured at the minimum level (hash and salt) because users are not smart enough or industrious enough to create new passwords for every site. At that point, the password you are storing is more valuable than your content.
  • 1
    It's a little unnerving that half the people in this thread, based on their comments, have no clue how security works.
  • 0
    @derrekbertrand RIGHT! Security is key!
  • 1
    @edisonn
    Even if they do it right on their backend, exposing a message like that is definitely a security issue ...
  • 0
    I'll prank some users with that soon but only with js, no actual password queries shyt
  • 0
    I smell a business requirement, that really needed to get pushed, and somebody just didn't say ... "WTF that's dangerously stupid"
  • 0
    Wait........ What?!?!?
  • 0
    I don't think this is a bad thing, apart from the fact that passwords aren't being salted. Using a password that's in common use is a huge security risk for the user, and forcing a unique password goes a long way toward improving security. Easy-to-guess passwords get knocked out of the pool early.
  • 0
    @Strosser you could implement this feature with salted passwords...
  • 0
    So totally weird but did anyone notice text under an overlay? I know we've been talking about bad password practices but let's talk about that bad visual practice too 😂
  • 0
    This is some next level stupidity. Not to mention a complete lack of privacy/security. Smh.
  • 0
    This would've made a perfect repost for wk25
  • 0
    Really bag :P xD
  • 0
    @BlackMagic or that they hash it while checking for others, or do it front-end. All bad
  • 0
    Just realised this could be a great idea to stop common password usage.

    The someone else could literally be the list of most common passwords dumped online that attackers use to try to stop people using them
  • 0
    That's not a Security threat, that information is useless. Even I can say someone in this world has a given Password. It might be useful if someone keeps a weird Password like you and you have found your "Soulmate"
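
Added example, not part of the thread and not code from the site in the screenshot: it contrasts the three designs the comments argue about (unsalted hash lookup, per-user salted hashes, and a common-password denylist). The user names, passwords, denylist and the low iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os

ITERATIONS = 1_000  # demo value only, chosen so the example runs fast

def unsalted(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()

def salted(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def build_stores(users):
    """Return (unsalted_store, salted_store) for a {user: password} mapping."""
    plain = {name: unsalted(pw) for name, pw in users.items()}
    per_user = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        per_user[name] = (salt, salted(pw, salt))
    return plain, per_user

def in_use_unsalted(candidate, store):
    # One hash and one lookup: cheap because equal passwords share a digest.
    return unsalted(candidate) in set(store.values())

def in_use_salted(candidate, store):
    # Must re-derive under every user's salt; returns (found, derivations).
    found, derivations = False, 0
    for salt, digest in store.values():
        derivations += 1
        found |= hmac.compare_digest(salted(candidate, salt), digest)
    return found, derivations

def is_denylisted(candidate, denylist):
    # Rejects common passwords without consulting any stored credential.
    return candidate.lower() in denylist

# Constructed sample data, not taken from any real site.
USERS = {"alice": "hunter2", "bob": "Password123", "carol": "hunter2"}
COMMON = {"password123", "123456", "qwerty"}

if __name__ == "__main__":
    plain, per_user = build_stores(USERS)
    print("unsalted digests equal:", plain["alice"] == plain["carol"])
    print("salted digests equal:  ", per_user["alice"][1] == per_user["carol"][1])
    print("unsalted check:", in_use_unsalted("hunter2", plain))
    print("salted check:  ", in_use_salted("hunter2", per_user))
    print("denylist check:", is_denylisted("Password123", COMMON))
```

With per-user salts the "already in use" check costs one slow derivation per stored account, which is why a live version of the feature points to unsalted or plaintext storage; the denylist check gives the common-password benefit without revealing anything about other users.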