this post was submitted on 03 Nov 2023
302 points (87.0% liked)

Technology

59207 readers
3247 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 49 points 1 year ago* (last edited 1 year ago) (3 children)

The website should feed your password straight into a well known hashing algorithm or key derivation function that has undergone a decade or more of careful scrutiny, without any other processing. The output will usually be a fixed length base64 or hex string.

There's a short list of about three options that are currently considered acceptable, and a few more are probably fine but are a little too easy to crack these days (e.g. anything that shares the same math as bitcoin... what if someone throws a mining datacentre at your password?)

If the site breaks, maybe you don't to be a customer of that service.

[–] [email protected] 19 points 1 year ago

Can you still log in to wellsfargo accounts using the T9 translation of your password?

[–] [email protected] 8 points 1 year ago

make one account with emoji password to test their system, if it break, good, go create hour account somewhere else

[–] [email protected] 6 points 1 year ago (2 children)

It's not the processing on the server that's the problem. To reach the server the password needs to go through several layers of character encoding, if any of them fails the server will receive something different from what you meant. And when you try to login from another device and the layers will be different you'll effectively be sending a different password.

[–] [email protected] 4 points 1 year ago (1 children)

The same character encoding that would break emoji would break a significant portion of the words names, so if your system can't handle it, then you deserve all the trouble that you run into.

Unicode isn't that hard.

[–] [email protected] 1 points 1 year ago

You're not wrong, but some systems, especially smaller ones are intended for English-only situations (or originally were) so non-English language situations might not be as well tested and/or may cause things to break.

Remember there are some sites that still refuse service if you put a " in your password. I'm not saying it's right, but it's a definite possibility.

[–] [email protected] 0 points 1 year ago (1 children)
[–] [email protected] 1 points 1 year ago

That is very much not a 90s problem. Especially if the company has a website and an app or is a small company not thinking about these things.

In theory this shouldn't be an issue but it definitely could be an issue on certain services.