Pro@programming.dev to Programming@programming.dev · English · 1 month ago
Cursed knowledge we have learned as a result of building Immich that we wish we never knew. (immich.app)
56 comments · 147 upvotes · 4 downvotes
irelephant [he/him]@lemmy.dbzer0.com · 27 points · edited · 1 month ago
> The bcrypt implementation only uses the first 72 bytes of a string. Any characters after that are ignored.
what
loweffortname@lemmy.blahaj.zone · 17 points · 1 month ago
This is how someone cracked Okta a few years back: https://medium.com/@rajat29gupta/bcrypt-and-the-okta-incident-what-developers-need-to-know-9d13a446738a
chaos@beehaw.org · 10 points · edited · 1 month ago
Older Unix systems used to only do the first 8 bytes for passwords. Sometimes for my own amusement when logging into one of the Sun machines at school, I'd type in enough of my password to count and then just mash the keyboard.
Senal@programming.dev · 4 points · 1 month ago
For a long time, Hotmail (and I think Windows Live Mail) only checked the first 16 characters.
lad@programming.dev · 3 points · 1 month ago
That's almost as good as the ones that limit the password length on the sign-in UI, but not on the sign-up.
fuzzzerd@programming.dev · 3 points · 1 month ago
I have run across one that allowed arbitrary length when doing account creation and password reset but silently truncated the login input. Took me hours to figure out that my password was longer than the documented length, try it and then have no problems.
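An added example, not code from the Immich post or from any commenter in the thread: it makes the truncation quoted in the first comment measurable (bcrypt hashes bytes, so the limit is in UTF-8 bytes, not characters) and shows the two usual defences, a length check applied identically on every path and a pre-hash that fits any password under the limit. bcrypt itself is not called; the 72-byte figure is the one quoted in the thread and the helper names are my own.

```python
import base64
import hashlib

# Input ceiling as quoted in the thread. Some implementations count a trailing
# NUL inside it, so treat 72 as an upper bound rather than a guarantee.
BCRYPT_MAX_BYTES = 72


def bcrypt_effective_input(secret: str) -> bytes:
    """Return the bytes a bcrypt implementation would actually hash.

    Length is measured after UTF-8 encoding: forty 2-byte characters such as
    'é' are already 80 bytes, so the tail is silently dropped.
    """
    return secret.encode("utf-8")[:BCRYPT_MAX_BYTES]


def silently_equivalent(a: str, b: str) -> bool:
    """True when bcrypt would verify either secret against a hash of the other.

    This is the trap the thread describes: two strings that differ only past
    byte 72 are the same password as far as bcrypt is concerned.
    """
    return bcrypt_effective_input(a) == bcrypt_effective_input(b)


def password_fits_bcrypt(secret: str) -> bool:
    """Hardened policy: refuse (never truncate) anything over the limit.

    Apply the same check at sign-up, reset and login so the three paths agree;
    the last comment above is what happens when only login truncates.
    """
    return len(secret.encode("utf-8")) <= BCRYPT_MAX_BYTES


def prehash_for_bcrypt(secret: str) -> bytes:
    """Alternative mitigation: collapse any length to a fixed 44-byte input.

    SHA-256 then base64 yields 44 ASCII bytes containing no NUL (a raw digest
    could contain one, which some bcrypt implementations treat as end of
    string), so every input byte still influences the final bcrypt hash.
    Hypothetical helper: feed its output to a real bcrypt library.
    """
    digest = hashlib.sha256(secret.encode("utf-8")).digest()
    return base64.b64encode(digest)


if __name__ == "__main__":
    # Constructed sample: two secrets that differ only in byte 73.
    print(silently_equivalent("a" * 72 + "X", "a" * 72 + "Y"))  # True
    print(password_fits_bcrypt("é" * 37))                       # False
```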