Cybersecurity - Memes

2667 readers

6 users here now

Only the hottest memes in Cybersecurity

founded 2 years ago

MODERATORS

Sam1232188@lemmy.world

neurohost@lemmy.world

Sam1232188@lemmy.fmhy.ml

Alphadef@programming.dev

CannaVet@lemmy.world

559

Uh oh, somebody's not following best practices, that's a paddlin (infosec.pub)

submitted 6 days ago by cm0002@lemmy.world to c/cybersecuritymemes@lemmy.world

103 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] turmacar@lemmy.world 2 points 6 days ago (12 children)

The hash or a checksum can be sent to the page to be checked by the same function running in your browser that is checking if the new password has special characters etc.

[–] Vigge93@lemmy.world 13 points 6 days ago (10 children)

That would be an extremely bad idea tho, because it would allow a malicious attacker to

Try random usernames, and if the website returns a hash they know that user exists
Once they have the hash, and the hashing algoritm, it is much easier to brute-force the password, bypassing any safeguards on the server

Username/password validation should happen entirely server-side, with as little information as possible provided to the client

[–] aesthelete@lemmy.world 3 points 6 days ago (7 children)

Username/password validation should happen entirely server-side, with as little information as possible provided to the client

💯

It's recommended practice to not even tell them which half of the username/password combination failed upon authentication failures.

[–] Clent@lemmy.dbzer0.com 1 points 5 days ago (1 children)

It is a password reset from. The username has already be confirmed in a previous step

[–] aesthelete@lemmy.world 1 points 5 days ago (1 children)

That still doesn't make it good practice to send the old password (hashed or not) to the client.

[–] Clent@lemmy.dbzer0.com 1 points 5 days ago (1 children)

You are making an unfounded assumption that the password is sent to the client which does the check and then shows the message rather than the server doing the check and responding with the message back to the client.

[–] aesthelete@lemmy.world 1 points 5 days ago (1 children)

Nah I'm not, look above. There's a way to do this that isn't terrible. I just kinda assume that they aren't doing it properly because I've worked in software for decades.

[–] Clent@lemmy.dbzer0.com 1 points 5 days ago (2 children)

No one is reimplementing their hashing algorithm in JavaScript. Doesn't matter how many decades in the industry you have, that's a silly assumption.

The parts of security here that involve best practices are invisible to the user. Things such as salting which many do not do but also how they handle the reset token which many do not think about.

However, none of that makes a good meme for people cosplaying cyber security gurus.

[–] Vigge93@lemmy.world 1 points 5 days ago

You would assume that, but you would be very wrong. People are lazier/sloppier than you might think.

Searching for "client side authentication NVD" turns up a lot of examples. There is even a CWE for "Use of Client-Side Authentication:

https://cwe.mitre.org/data/definitions/603.html

[–] aesthelete@lemmy.world 1 points 5 days ago* (last edited 5 days ago)

Of course they wouldn't implement it themselves, that's what the wonderful world of npm is for. /s

The software I've worked in is full of bizarre, dangerous junk. I used to assume that people did things at least the easier way if not the right way. Now, I expect them to do the dumbest, wrongest most esoteric thing possible and I'm often right.

anecdote

I once worked with a person that was essentially maintaining a series of statically compiled hashmaps by hand instead of, you know, doing the obvious and externalizing the fucking thing into a database table. The insane bastard even sat there incrementing the initial collection sizes when he got requests to add in new data.

load more comments (5 replies)

load more comments (7 replies)

load more comments (8 replies)