• 0 Posts
• 13 Comments
Joined 1 year ago
Cake day: June 12th, 2023

  • While on the topic, this isn’t how passwords work in systems.

    Passwords are stored as one way hashes. So it’s cryptoed only in one direction, it’s lossy, and can’t be recovered back to the original password.

    When you log on, your cleartext PW is hashed in ephemeral memory/storage and then the cleartext password is thrown away.

    That hash is compared to the hash in the DB. If the hash matches, then you have access. If it doesn’t, then your PW is incorrect.

    Oh my sweet Summer Child. This is definitely how it’s supposed to work, but there are plenty of services that just don’t know what the fuck they’re doing.

    Have you ever been on a site that has a stupid-low character limit for a password? There’s literally no reason to do that, all the hashes are going to end up the same size in the DB anyway regardless of the original string length. Even bcrypt’s max secret character limit is 70-something characters.

    Ever change a password and have it not work on the next login because they’re silently truncating it after a certain character limit? Ever get an email with an actual password in it?

    The only reason you would do things like this is if you’re storing/processing passwords in plaintext and not hashing them client-side first.

    I can think of 3 offenders of this off the top of my head. It’s a lot more common than you’d think.
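Added example (not the commenter’s code): a minimal stdlib password store that hashes the way the comment describes (salted PBKDF2-HMAC-SHA256, cleartext consumed at registration and login, constant-time compare), next to a model of the “silent truncation” anti-pattern. The last function is a black-box check for the symptom the comment mentions: a correct verifier rejects the real password with extra characters appended, a truncating one accepts it. The iteration count, the 8-character cap and the test password are assumptions constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os
from typing import Callable, Optional

# Work factor for PBKDF2-HMAC-SHA256. Assumption: tune this to your own
# hardware; kept moderate here so the demonstration runs quickly.
ITERATIONS = 100_000
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a salted, one-way verifier from the cleartext password.

    The cleartext is consumed here and never stored; the record keeps only
    the algorithm name, the work factor, the salt and the derived key, so
    its length does not depend on how long the password was.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the key from the login attempt and compare in constant time."""
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported verifier format: {algo}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


# --- the anti-pattern the comment describes ---------------------------------

TRUNCATE_AT = 8  # constructed value: a service's undocumented length cap


def truncating_hash_password(password: str) -> str:
    """Models a service that silently cuts the password before hashing it."""
    return hash_password(password[:TRUNCATE_AT])


def truncating_verify(password: str, stored: str) -> bool:
    """Same cut applied at login, so anything past the cap is ignored."""
    return verify_password(password[:TRUNCATE_AT], stored)


# --- a black-box check for the symptom ---------------------------------------

def accepts_extended_password(verify: Callable[[str, str], bool],
                              password: str, stored: str,
                              suffix: str = "!not-my-password") -> bool:
    """True if the verifier still accepts the password with extra characters
    appended. A correct verifier never does; a truncating one does whenever
    the real password is at least as long as the cap."""
    return verify(password + suffix, stored)
```

Running `accepts_extended_password` against your own verification path (or, as a user, trying your password plus a few extra characters on a service you suspect) is enough to tell the two behaviours apart without ever seeing the stored record.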





  • BTW, any authenticator app works when it tells you to use one. They all use a standard, so it doesn’t matter which one you use.

    Eh, it’s a little more nuanced than that, there’re more standards for MFA code generation than just TOTP.

    And even within the TOTP standard, there are options to adjust the code generation (timing, hash algorithm, # of characters in the generated code, etc.) that not all clients are going to support or will be user-configurable. Blizzard’s Battle.net MFA is a good example of that.

    If the code is just your basic 6-digit HMAC/SHA1 30-second code, yeah, odds are almost 100% that your client of choice will support it, but anything other than that I wouldn’t automatically assume that it’s going to work.
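Added example (not the commenter’s code): an RFC 4226/6238 HOTP/TOTP implementation in the standard library that exposes the three knobs the comment names (time step, hash algorithm, digit count), a verifier with a small clock-skew window, and a parser for the otpauth:// key URI that reports which parameters differ from the 6-digit HMAC-SHA1 30-second profile. The secrets are the RFC 6238 test-vector keys; the `Example:alice` label and the URI itself are constructed for the demonstration.

```python
import base64
import hmac
import struct
from urllib.parse import parse_qsl, urlsplit

# The profile that practically every authenticator app supports.
DEFAULT_ALGORITHM = "sha1"
DEFAULT_DIGITS = 6
DEFAULT_PERIOD = 30


def hotp(secret: bytes, counter: int, digits: int = DEFAULT_DIGITS,
         algorithm: str = DEFAULT_ALGORITHM) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then the
    dynamic truncation step, reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: int, period: int = DEFAULT_PERIOD,
         digits: int = DEFAULT_DIGITS, algorithm: str = DEFAULT_ALGORITHM,
         t0: int = 0) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(secret, (timestamp - t0) // period, digits, algorithm)


def verify_totp(secret: bytes, code: str, timestamp: int,
                period: int = DEFAULT_PERIOD, digits: int = DEFAULT_DIGITS,
                algorithm: str = DEFAULT_ALGORITHM, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` steps either
    side of it, comparing in constant time."""
    counter = timestamp // period
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits, algorithm), code):
            return True
    return False


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/... key URI (the format behind enrolment QR
    codes), filling in the defaults for any parameter the URI omits."""
    u = urlsplit(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = dict(parse_qsl(u.query))
    b32 = q["secret"].upper()
    b32 += "=" * (-len(b32) % 8)  # issuers routinely drop base32 padding
    return {
        "label": u.path.lstrip("/"),
        "secret": base64.b32decode(b32),
        "algorithm": q.get("algorithm", "SHA1").lower(),
        "digits": int(q.get("digits", DEFAULT_DIGITS)),
        "period": int(q.get("period", DEFAULT_PERIOD)),
    }


def nondefault_parameters(params: dict) -> dict:
    """Which settings a client must support beyond the basic profile."""
    defaults = {"algorithm": DEFAULT_ALGORITHM, "digits": DEFAULT_DIGITS,
                "period": DEFAULT_PERIOD}
    return {k: params[k] for k, v in defaults.items() if params[k] != v}
```

With the same secret at the same instant, changing only the period (or the digest or digit count) produces a different code, which is why a client that hard-codes the default profile fails against an issuer that uses anything else; `nondefault_parameters` on the enrolment URI tells you up front whether that is going to be a problem.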



  • tool@lemmy.world to Programmer Humor@programming.dev: Would you agree?
    6 upvotes · 1 downvote · 1 year ago

    If Linux was dominant it wouldn’t be Linux. There would be more pressure to monetize and there would always be someone willing to sell out for that money. You can see this even in the Linux community today. I’m sorry I had to be so negative about it though, it sounds nice.

    This is a very Desktop/workstation-centric view of the situation and you’re completely neglecting 3/4ths of the story. Linux is already hilariously dominant on the on-prem server and Cloud side of things. Like, it’s not even close. Pretty much any website you visit, the odds are overwhelming that it’s running Linux. Even Microsoft runs most of the underlying infrastructure for Azure and Github on Linux. Android is the #1 mobile phone platform in the world, which runs on, you guessed it, Linux.

    And it’s already monetized to the gills. Red Hat has multi-billion earnings per quarter, every quarter, and Canonical is almost certainly going to IPO this year.

    It’s already dominant in pretty much every space it touches and it has been for a very long time. Desktop/workstation is pretty much the singular exception to that.