Pro@programming.dev to Programming@programming.dev · English · 2 days ago
Cursed knowledge we have learned as a result of building Immich that we wish we never knew. (immich.app)
47 comments · 129 up · 3 down
irelephant [he/him]@lemmy.dbzer0.com · 8 points · edited · 1 day ago
> The bcrypt implementation only uses the first 72 bytes of a string. Any characters after that are ignored.
what
loweffortname@lemmy.blahaj.zone · 1 point · 24 hours ago
This is how someone cracked Okta a few years back: https://medium.com/@rajat29gupta/bcrypt-and-the-okta-incident-what-developers-need-to-know-9d13a446738a
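The two comments above raise the same defensive question: what does bcrypt actually hash, and how much of a password survives when something else is concatenated in front of it? The example below is added here and is not from the Immich page or anyone in this thread; it uses only the Python standard library, so it models bcrypt's 72-byte rule and the usual pre-hash mitigation rather than calling a bcrypt library, and the prefix helper is an assumption about how a concatenated input would be built.

```python
import base64
import hashlib

# bcrypt feeds only the first 72 bytes of its input into the key schedule;
# anything after that is silently dropped.
BCRYPT_MAX_BYTES = 72


def bcrypt_effective_bytes(password: str) -> bytes:
    """Return the bytes bcrypt would actually hash (UTF-8, cut at 72)."""
    return password.encode("utf-8")[:BCRYPT_MAX_BYTES]


def exceeds_bcrypt_limit(password: str) -> bool:
    """True when part of the password would be ignored by bcrypt.
    Counts bytes, not characters: 'é' is 2 bytes, many emoji are 4."""
    return len(password.encode("utf-8")) > BCRYPT_MAX_BYTES


def password_bytes_covered(prefix: str, password: str) -> int:
    """How many bytes of `password` bcrypt still sees when `prefix` (assumed
    here to be something like a user id or username) is concatenated before
    it. Once the prefix alone reaches 72 bytes, the password no longer
    influences the hash at all."""
    used = len(prefix.encode("utf-8"))
    room = max(0, BCRYPT_MAX_BYTES - used)
    return min(room, len(password.encode("utf-8")))


def prehash_for_bcrypt(password: str) -> bytes:
    """Fold the whole password into a fixed 44-byte value to hand to bcrypt.

    SHA-256 then base64: base64 keeps the result well under 72 bytes and free
    of NUL bytes, which some bcrypt implementations treat as end of string.
    Store which scheme produced a hash so old and new hashes stay distinguishable."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest)  # always 44 bytes, never contains NUL


if __name__ == "__main__":
    # Constructed sample: two secrets that agree on the first 72 bytes.
    base = "x" * 72
    a, b = base + "alpha", base + "bravo"
    print("bcrypt sees the same bytes:", bcrypt_effective_bytes(a) == bcrypt_effective_bytes(b))
    print("pre-hashed values differ:", prehash_for_bcrypt(a) != prehash_for_bcrypt(b))
    print("password bytes left after a 70-byte prefix:", password_bytes_covered("u" * 70, "p" * 10))
```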
chaos@beehaw.org · 8 points · edited · 23 hours ago
Older Unix systems used to only do the first 8 bytes for passwords. Sometimes for my own amusement when logging into one of the Sun machines at school, I’d type in enough of my password to count and then just mash the keyboard.
Senal@programming.dev · 2 points · 9 hours ago
For a long time, Hotmail (and I think Windows Live Mail) only checked the first 16 characters.
lad@programming.dev · 1 point · 7 hours ago
That’s almost as good as the ones that limit the password on the sign-in UI, but not on the sign-up.