owenblacker, 2 months ago

@Edent If you make sure a specific character type appears every 5th char, that might help?

(Just occurred to me as a way of solving my brain of this problem, which is long-term passwords with slight variations.)

Edent, 2 months ago

@owenblacker
Oh, like P4sS_W0rd_1234 ?

As others have pointed out, BitWarden has a nifty button to show you character count.

jribbens, 2 months ago

@Edent @owenblacker 1Password has the same thing, choose 'Show in Large Type' and it shows the password in a (very) large font with each character numbered.

TeflonTrout, 2 months ago

@Edent "correct horse battery staple"

villares, 2 months ago

@Edent isn't it a red flag for the site? I mean, it should only keep a hash of your password, right?

Edent, 2 months ago

@villares
Not necessarily. It could be staring a salted hash of each character. Or a salted hash of several combinations.

henryk, 2 months ago

@Edent @villares No, it is necessarily bad. Salting only works with the complete password. Even a salted 1-character hash has only ~60-80 possible values that can be quickly enumerated.

Now, you could try to handwave something about secure environments, SGX, or something, but I doubt that very much.

I'd lean towards informing the relevant regulatory body that the site in question employs unsafe security practices, likely incompatible with whatever they're required to do.

Edent, 2 months ago

@henryk That's a fair point.
But if they're storing every combination of 3 characters, is that also necessarily bad?

naught101, 2 months ago

@Edent @villares why though?

Edent, 2 months ago

@naught101 @villares
Because it reduces the risk that the entire password can be intercepted / eavesdropped.
It depends on what they think their threat model is.

sn0opy, 2 months ago (edited 2 months ago)

@Edent 1Password got you covered. They have a feature called "Show in large type” which adds numbering

kraftner, 2 months ago

@Edent I would be much more worried about the fact that they are obviously storing the password in plaintext... 😬

rgarner, 2 months ago

@Edent irb(main):001> p = 'gD@YGXa6k*^EB&I5@b$0'
irb(main):002> [p[2],p[8],p[16]]
=> ["@", "k", "@"]

That's just because I'm mostly Ruby this week. I confess that I have done this in the past in psql.

Edent, 2 months ago

@rgarner
Do we need to stage an intervention? 🤪

rgarner, 2 months ago

@Edent

CREATE TEMPORARY TABLE staging_intervention (
concerns TEXT,
submitter TEXT
) ON COMMIT DROP;

COPY staging_intervention
FROM STDIN
DELIMITER ',' CSV HEADER;

INSERT INTO intervention_items (concerns, submitter)
SELECT concerns, submitter
FROM staging_intervention
ON CONFLICT(concerns, submitter) DO NOTHING