(skeletor is leading by example by adding that unnecessary apostrophe…)

    • Toes♀
      162
      edit-2
      9 months ago

      To fuck with computers that don’t know how to do UTF8, add a few emoji.

      I once set a WiFi ssid to 🌻 and I was amazed at how many problems that likely caused. I had people showing me their network manager was dumping random characters. Some other routers’ web interfaces became corrupted when trying to show the neighborhood. Some clients refused to connect. Even a bsod on a windows XP box.

      • @Potatos_are_not_friends
        52
        edit-2
        9 months ago

        One of my projects was validation for form submission and emojis melted me. I gave up trying to do it from scratch and trusted a library.

        • AggressivelyPassive
          42
          9 months ago

          I’m currently in a project where the client has a custom, but not entirely consistent or known subset of utf-8.

          They want us to keep the form content as it is, but remove the “bad” characters. Our current approach is to just forward everything as it is and wait for someone to complain. How TF am I supposed to remove a character without changing the message?

          • Toes♀
            14
            9 months ago

            Yeah I had a backend with poor support for anything that wasn’t ASCII. So my solution was turning everything into hex before storing it. I wonder if people are still using it.

            • @[email protected]
              8
              edit-2
              9 months ago

              Yeah I had a backend with poor support for anything that wasn’t ASCII

              PHP is like this. Poor Unicode support, but it treats strings as raw bytes so it usually works well enough. It turns out a programming language can take data from a form, save it to a database, then later load and render it, without having to know what those bytes actually mean, as long as the app or browser knows it’s UTF-8, for example through a Content-Type header or meta tag.

              The tricky thing is all the standard string manipulation functions (strlen, substr, etc.) don’t handle Unicode properly at all and they deal with number of bytes rather than number of characters. You need to use the “multibyte” (Unicode-ready) equivalents like mb_substr, but a lot of PHP developers forget to do this and end up with string truncation code that cuts UTF-8 characters in half (e.g. if it’s truncating a long title with Emoji in it, it might cut off the title in the middle of the three bytes that represent the Emoji and only leave 1 or 2 of them).

        • @[email protected]
          5
          edit-2
          9 months ago

          You just need to ensure you validate character by character (NOT byte by byte) and allow characters in the Emoji Unicode ranges (which are well-defined in the Unicode standard). Using a library is a great idea though.
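
The byte-versus-character point from the two comments above (the PHP substr/mb_substr truncation bug, and validating per character while allowing the emoji ranges), plus the invalid-UTF-8 case raised further down the thread, as an added Python example. This is not code from the thread or from any library; the sample title, the emoji range list and the combining-mark limit are assumptions made for the demonstration.

```python
"""UTF-8 handling: byte-oriented truncation vs. character-oriented validation.

Added example (not code from the thread). Mirrors the PHP strlen/substr vs
mb_substr problem and the "validate character by character" advice.
"""
import unicodedata

# Constructed sample title: 'é' is 2 bytes in UTF-8, the sunflower is 4 bytes.
SAMPLE_TITLE = "Ros\u00e9's garden \U0001F33B report"


def truncate_bytes(text: str, max_bytes: int) -> bytes:
    """The bug: cutting the UTF-8 byte string (strlen/substr style) can split a character."""
    return text.encode("utf-8")[:max_bytes]


def truncate_chars(text: str, max_chars: int) -> str:
    """The fix: cut by code point (mb_substr style); never splits a multibyte sequence."""
    return text[:max_chars]


def is_valid_utf8(data: bytes) -> bool:
    """Strict decoding rejects both split sequences and bytes that are never valid UTF-8."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


# Assumed allow-list of emoji blocks (simplified; the authoritative set is the Unicode emoji data).
# Listed explicitly because an old unicodedata table reports newly assigned emoji as "Cn" (unassigned).
EMOJI_RANGES = (
    (0x1F300, 0x1FAFF),  # pictographs, emoticons, transport, supplemental symbols
    (0x1F1E6, 0x1F1FF),  # regional indicators (flag pairs)
    (0x2600, 0x27BF),    # miscellaneous symbols and dingbats
)
SEQUENCE_HELPERS = {"\u200d", "\ufe0f"}  # zero-width joiner and emoji presentation selector


def validate_text(text: str, max_combining: int = 4) -> tuple:
    """Check each code point (never each byte). Returns (ok, reason)."""
    combining_run = 0
    for ch in text:
        cp = ord(ch)
        cat = unicodedata.category(ch)
        if cat in ("Mn", "Mc"):  # combining marks: allowed, but bound the run (Zalgo text)
            combining_run += 1
            if combining_run > max_combining:
                return False, "too many combining marks at U+%04X" % cp
            continue
        combining_run = 0
        if cat[0] in "LNPS" or cat == "Zs":  # letters, numbers, punctuation, symbols, spaces
            continue
        if ch in SEQUENCE_HELPERS or any(lo <= cp <= hi for lo, hi in EMOJI_RANGES):
            continue
        # Everything else (controls such as TAB/NUL, unassigned, private use) is rejected.
        return False, "disallowed character U+%04X (%s)" % (cp, cat)
    return True, "ok"


def validate_bytes(data: bytes) -> tuple:
    """What a form handler actually receives: raw bytes. Decode strictly, then validate characters."""
    if not is_valid_utf8(data):
        return False, "invalid UTF-8"
    return validate_text(data.decode("utf-8"))
```

Cutting the sample title at 17 bytes leaves two of the sunflower's four bytes behind and the result no longer decodes, while cutting at 15 characters keeps the whole emoji. The validator rejects control characters (the thread's tabs and NUL bytes) and bounds runs of combining marks rather than rejecting them outright, since accented text is legitimate input.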

      • @aeronmelon
        36
        9 months ago

        They called it “The Sunflower Incident.”

          • Spaz
            2
            9 months ago

            64 characters long is wifi spec IIRC but some routers don’t follow spec, wouldn’t go higher than 60. Idk if this helps answer your question.

          • @[email protected]
            2
            9 months ago

            I believe it’s 32 bytes, but it depends on the AP, some use a null terminator as the final byte.

      • @[email protected]
        2
        9 months ago

        I had an emoji in my phone hotspot a while ago. Unfortunately I had to remove it after a while because some devices refused to connect.

    • @Ottomateeverything
      72
      9 months ago

      To make sure millenials can’t read your password, 𝔀𝓻𝓲𝓽𝓮 𝓹𝓪𝓻𝓽 𝓸𝓯 𝓲𝓽 𝓲𝓷 𝓬𝓾𝓻𝓼𝓲𝓿𝓮.

      How would this mess with millennials? I think you mean gen z.

      • Xhieron
        80
        9 months ago

        Common mistake: When you’re ascribing a bad quality to them, “millenials” means everyone born after 1960. If you’re ascribing a good quality to them, it only means people born between December 12, 1989, and December 14, 1989.

        • @tool
          5
          9 months ago

          We were told our assignments in high school would get an automatic zero if we didn’t turn them in in cursive, even…

          • @[email protected]
            7
            9 months ago

            I knew someone who did physics in cursive. It was impossible to read (not bc it was sloppy, because seeing Greek letters as cursive threw me for a loop)

        • @Bytemeister
          3
          9 months ago

          Yeah! Most of us can read analog clocks too!

          • @[email protected]
            1
            9 months ago

            I actually work in an after school program and I’ve been teaching kids how to read analog clocks. It is interesting to say the least

      • @proudblond
        7
        9 months ago

        Even my gen alpha kid was learning cursive in third grade last year. I don’t expect him to write using it much but at least he knows how to read it.

      • slazer2au
        3
        9 months ago

        𝔒𝔯 𝔶𝔢𝔬𝔩𝔡 𝔢𝔫𝔤𝔩𝔦𝔰𝔥 𝔱𝔬 𝔰𝔠𝔯𝔢𝔴 𝔴𝔦𝔱𝔥 𝔢𝔳𝔢𝔯𝔶𝔬𝔫𝔢.

    • The Picard Maneuver (OP)
      30
      9 months ago

      To make sure millenials can’t read your password, 𝔀𝓻𝓲𝓽𝓮 𝓹𝓪𝓻𝓽 𝓸𝓯 𝓲𝓽 𝓲𝓷 𝓬𝓾𝓻𝓼𝓲𝓿𝓮.

      Hey, millennials know cursive!

      • @[email protected]
        30
        9 months ago

        Forced to learn it in elementary school because “highschool and college require it!” by Boomers that didn’t recognize the tech revolution only to get to college and be told by those same boomers to never turn in a handwritten paper unless you wanted an auto fail.

    • @nezbyte
      15
      9 months ago

      CSVs are supposed to be comma-separated files. Microsoft deviated from the specification and decided some languages would use semicolons for CSVs.

      Source: StackOverflow

      • @[email protected]
        6
        edit-2
        9 months ago

        Microsoft deviated from the specification

        There is no specification for CSV, which is why it’s such a mess and different parsers and renderers have wildly different features. The closest thing to a spec is RFC4180 but that RFC simply describes the most common features across several CSV implementations, and is not actually a spec.

        I agree that it should be comma separated though. My understanding is that it caused issues in countries that use a comma as a decimal point.

        Also, Excel sometimes uses tabs rather than commas or semicolons.

      • @[email protected]
        5
        9 months ago

        Using comma would probably have caused more problems as it is a decimal separator for those languages. My excel also uses semicolon in formulas instead of comma when separating parameters. Some VBA scripts break when using different language settings and some formulas don’t translate automatically to different locale so they just give an error. Overall using excel in different locale setups is annoying.

        Best separator I have used is | as I have never seen it in the data as an input. Comma and semicolon both have caused issues in the past for me as they might pop up at wrong places.

    • jawa21
      13
      9 months ago

      Here’s my confusion: as soon as it is no longer separated by commas, it is by definition no longer a CSV. Is it an SCSV now?

      • MrPasty
        12
        9 months ago

        It turns into a CSV where the C stands for character.

    • @rtxn
      12
      9 months ago

      Z̵̫̖͚̳̖̖̰̩̀̆͐͒͝ä̸̛̻́̈́̌͂̽̈́l̷̤̥̖̝͙̅g̵̱̤͙͕̥̮͌̽o̸̡̦̙̬̘͎̪̥̔ ̴͔̙̞̱̗͒͊͊̽̀̑͌ẏ̵̛̻̾o̸̡͍̤͔͌ų̶̠͔̯̲̖͇̯̅̒̓̃̏̓͊r̷͎̪̗̤̄̊̃̚͝ ̵̢̰͔̀t̵̡̘̤̙͕͎̅͂͛̀̚ȩ̷͙̙̖̲̟͍̉̎͝x̷͇̦̝̼͗͋̊t̶̫̹̳̩͇̼̠͚̿͆̅̋̔̃͐͗!̶̧̛͕̮̻̞͎͇̹͆͛͘̕̚͠

    • Thomas
      9
      edit-2
      9 months ago

      To fuck with computers that don’t know how to do UTF8, add a few emoji.

      Even better, add some byte sequences that are invalid UTF-8.

  • @[email protected]
    99
    9 months ago

    From many years of experience on the interwebs, I can recommend this password:

    NUL,\t.;TAB\n\x07^C

    It’s very secure and works most of the time. I use it for everything.

  • @[email protected]
    58
    9 months ago

    My main problem with passwords is the limits that sites put on what I can set for a password.

    I could not tell you how many times I reset my password using my password manager, then immediately log out, and log in using the credentials I just saved into my password manager, and they don’t work, because the site is truncating the password to 15/20/whatever characters.

    The number of times this limitation is not clearly stated, checked for, or even acknowledged by the site is too damn high.

    I’ve made it a habit of testing a login after every password set/reset to ensure I don’t have trouble with it in the future.

    • @GhostlyPixel
      26
      9 months ago

      The amount of websites that limit passwords to 16 characters is alarming

      • @[email protected]
        12
        9 months ago

        I created an account on a hosted service we use at work the other day, my password had to be exactly 12 characters. No more no less.

      • @[email protected]
        12
        9 months ago

        Usually 15, 16, 20, or 25 in my experience.

        15/16 I get, no idea why 20/25 is so common.

        My password manager generates 32 character passwords composed of random alphanumeric characters by default. I usually don’t modify it unless I hit a restriction, or it’s a site I’m particularly concerned about getting penetrated (in which case I increase the number of characters).

        I don’t mind sharing that because bluntly: anyone reading this, good luck figuring it out. The permutations is something along the lines of (26*2+10+(special characters))^32… Which is 3.5239… * 10^60… Otherwise known as 3.5 novemdecillion.

        Ha.

        • @Dasus
          5
          9 months ago

          Wish we just had like 256 char passwords so I could actually use passphrases instead of passwords.

          It’d be way more secure for me compared to what I’m doing now.

          I’d do like Star Trek haikus or some such which would be actually possible to remember.

      • @bbuez
        8
        9 months ago

        My fucking bank: 👀

    • @Raxiel
      6
      9 months ago

      See also: Sites that don’t allow “+” in email addresses while logging in, but do accept them at registration (including confirmation emails)

    • @perfectly_boiled_pizza
      1
      2 months ago

      PlayStation Network has a limit of around 30 characters but they let you pick something longer. They even send you an email confirming that your password has been updated. But if you try to login with your new password it won’t work.

      I’ll probably forget this within the next time I have to change it. I will then AGAIN try with 128 characters and then 125, 120, 115… while yelling at the emails they send me.

      • @[email protected]
        1
        2 months ago

        Can you maybe add a note to the account in your password manager to remind yourself of the limitation? I dunno, I’m just some guy

        • @perfectly_boiled_pizza
          2
          2 months ago

          You’re absolutely right. I’ve got a talent for procrastination though. I tried giving myself an excuse while formulating this answer, but I realised that just fixing it would be quicker. Hahaha. Thank you

          • @[email protected]
            1
            2 months ago

            My pleasure. I regularly put notes in my password manager about stuff like this.

            Have a good day.

  • AwkwardLookMonkeyPuppet
    50
    9 months ago

    Funny, but csv values are quote encapsulated and special character escaped.

  • @normalexit
    43
    9 months ago

    The CSV cells are escaped with quotes. So just maybe throw some quotes in too. Unbalanced for style points. It won’t defeat a CSV library, but might break a script kiddie

    • @dejected_warp_core
      5
      9 months ago

      Unbalanced for style points.

      I like the cut of your jib. End it with a single backslash, for good measure.

  • @hakunawazo
    31
    edit-2
    9 months ago

    '; DROP TABLE `passwords`; --

    • @[email protected]
      4
      9 months ago

      My bank doesn’t allow the characters you would need for a SQL injection in passwords. Checked client side, I don’t want to try and find out if it’s also checked server side, but I hope it is.

      • @hakunawazo
        2
        9 months ago

        No serious software would fall for such an easy attack anymore. With prepared statements it’s impossible to break queries like that. Besides that, one principle is to avoid using user inputs directly in your database.
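
The prepared-statement point above, as an added Python example that is not from the thread. It uses the standard-library sqlite3 module; the two tables, the placeholder hash value and the use of the thread's joke string as a display name are all constructed for the demonstration. The contrast it shows: splicing input into SQL text lets quote characters rewrite the statement, whereas a parameterised query sends the value separately, so the same string is stored and read back as plain data and the `passwords` table is untouched. Filtering quote characters out of passwords (as the bank in the reply above does) is a much weaker control than this.

```python
"""Parameterised queries vs. spliced SQL text (added example, not from the thread)."""
import sqlite3

# The thread's joke payload, used here as a display name. With parameters it is just data.
HOSTILE_NAME = "'; DROP TABLE `passwords`; --"


def make_db() -> sqlite3.Connection:
    """Constructed schema: a credentials table and a profile table, both in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE passwords (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.execute("CREATE TABLE profiles (username TEXT PRIMARY KEY, display_name TEXT NOT NULL)")
    conn.execute("INSERT INTO passwords VALUES (?, ?)", ("alice", "<hash placeholder>"))
    return conn


def build_query_unsafe(username: str, display_name: str) -> str:
    """The anti-pattern: input spliced into SQL text, so quotes in the input change the statement."""
    return "INSERT INTO profiles VALUES ('%s', '%s')" % (username, display_name)


def save_profile_unsafe(conn, username: str, display_name: str) -> str:
    try:
        conn.execute(build_query_unsafe(username, display_name))
        return "stored"
    except sqlite3.Error as exc:
        # sqlite3 rejects the mangled statement; drivers that run several statements
        # per call would execute the injected second one instead.
        return "error: " + type(exc).__name__


def save_profile(conn, username: str, display_name: str) -> str:
    """Prepared statement: the value travels separately from the SQL text."""
    conn.execute("INSERT INTO profiles VALUES (?, ?)", (username, display_name))
    return "stored"


def display_name_of(conn, username: str):
    row = conn.execute(
        "SELECT display_name FROM profiles WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def table_exists(conn, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None
```

Running `save_profile(conn, "alice", HOSTILE_NAME)` and reading the name back returns the exact string with its quote and comment marker, and `table_exists(conn, "passwords")` stays true; the spliced version never even produces a valid statement.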

    • @[email protected]
      16
      9 months ago

      There was a (really short-lived) shady car dealership that used to have an A-Frame sign that they must’ve paid to get printed.

      It said “Your approved”.

      My approved?

      I imagine someone must’ve mentioned it to them, because they replaced it not much later.

      The new sign said “Everyones Approved”.

  • Waldowal
    25
    9 months ago

    The CSV specification (RFC-4180) is pretty clear. If a value contains commas, you wrap it in double quotes. If the value contains double quotes, you double each double quote to indicate it’s part of the value and not the end of the value.

    A properly formatted CSV should have no problems from Skeletor!

    • @[email protected]
      22
      edit-2
      9 months ago

      There’s no formal spec for CSV. The RFC you mentioned describes the most common behaviour observed in many implementations, but it’s not a spec itself, as mentioned on the second page:

      While there are various specifications and implementations for the CSV format (for ex. [4], [5], [6] and [7]), there is no formal specification in existence, which allows for a wide variety of interpretations of CSV files. This section documents the format that seems to be followed by most implementations:

      Also, my understanding is that double quotes are only used for strings. Commas can appear outside of strings, for example in numbers in countries that use them as a decimal point. That’s actually why many implementations use semicolons or tabs as the separator.
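
The quoting rules from the two comments above (wrap a field in double quotes, double any embedded quote, and use a different delimiter where the comma is the decimal separator) as an added Python example using the standard-library csv module, which follows the RFC 4180 conventions. This is not code from the thread; the rows are constructed to contain the characters the thread proposes: commas, double quotes, pipes, tabs, a newline, a trailing backslash and a decimal-comma number.

```python
"""RFC 4180-style CSV quoting with Python's csv module (added example, not from the thread)."""
import csv
import io

# Constructed rows with the thread's "hostile" characters.
ROWS = [
    ["skeletor", 'has, commas and "quotes" and |pipes| and\ttabs and a trailing backslash \\'],
    ["hordak", "two\nlines"],
    ["evil-lyn", "1,5"],  # decimal comma, as in locales that use ';' as the delimiter
]


def write_csv(rows, delimiter=","):
    """Quote only fields that need it; an embedded '"' is written as '""' (RFC 4180 section 2)."""
    buf = io.StringIO(newline="")
    writer = csv.writer(buf, delimiter=delimiter, quotechar='"', doublequote=True,
                        quoting=csv.QUOTE_MINIMAL, lineterminator="\r\n")
    writer.writerows(rows)
    return buf.getvalue()


def read_csv(text, delimiter=","):
    """A conforming reader: honours quotes, doubled quotes and newlines inside quoted fields."""
    return list(csv.reader(io.StringIO(text, newline=""), delimiter=delimiter, quotechar='"'))


def roundtrip_ok(rows, delimiter=","):
    return read_csv(write_csv(rows, delimiter), delimiter) == rows


def naive_parse(text):
    """The split-on-comma 'parser' the thread expects to break: no notion of quoting at all."""
    return [line.split(",") for line in text.split("\r\n") if line]
```

Every row survives a round trip through `write_csv`/`read_csv` with either delimiter, while `naive_parse` turns the first row into a different number of fields. With `;` as the delimiter the value `1,5` needs no quoting at all, which is the locale issue the reply above describes.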

  • @Tyfud
    23
    9 months ago

    While on the topic, this isn’t how passwords work in systems.

    Passwords are stored as one way hashes. So it’s cryptoed only in one direction, it’s lossy, and can’t be recovered back to the original password.

    When you log on, your cleartext PW is hashed in ephemeral memory/storage and then the cleartext password is thrown away.

    That hash is compared to the hash in the DB. If the hash matches, then you have access. If it doesn’t, then your PW is incorrect.

      • @[email protected]
        5
        9 months ago

        And there are plenty of bad systems, especially in this fail fast BS paradigm clueless idiots like to use. We know because they keep getting hacked (looking at you, lastpass!)

        Yes, I’m a waterfall guy - get off my lawn!

    • @teejay
      30
      9 months ago

      Sure, but the comic isn’t talking about legit password usage systems. It’s talking about how a comma could break the csv formatting of a csv file that came from a data breach and dump.

      • @Tyfud
        2
        edit-2
        9 months ago

        That’s still not how it would work.

        Ok, assuming that we’re talking about, like you say, a system that gets a breach which is storing PWs in clear text/plain text, instead of hashing it, which is a big if as those kinds of systems are either amateur/homebrew, or extinct at this point, but I digress. Let’s say it’s there.

        The attacker would run a sanitization script out of the SQL table that would shift those problem characters into proxy characters, or correct them if it’s going to cause a problem. One or two passwords lost to correct for thousands isn’t a big deal. The result of trying to put some sort of SQL Injection or CSV formatting bug into your password, hoping it was stored as plaintext, and the attacker wouldn’t be sanitizing the common formatting issues, is just silly.

        Plus, it’s not like they’re only exporting it once. They’ve usually copied the DB down locally, so they’ll see the formatting is skewed when parsing the CSV, and correct it on the next export out.

        I’m all for the humor here, I was just calling out that nothing about the ideas the OP suggested would work in real life SecOps scenarios.

        Source: Am engineer at large corporation. Deal with scenarios and systems like this all the time.

        Edit: People are downvoting this, seemingly because they don’t like that the answer makes the OP’s joke less funny and pretty unlikely. This is why it’s difficult and frustrating to have these kinds of conversations on Lemmy or reddit. I am an expert. I responded with additional information to correct some misunderstandings. It gets down voted because…?

    • @ChicoSuave
      15
      edit-2
      9 months ago

      cryptoed

      Unless you were looking for a sick rhyme for tiptoed, try encrypted.

      • @Wilzax
        9
        9 months ago

        Encryption is inherently reversible though. Hashing is the most accurate term to describe it

        • @Tyfud
          1
          9 months ago

          You are correct.

      • @Tyfud
        3
        9 months ago

        No, I mean Crypto libraries.

        The field of science and engineering that has the algorithms and libraries we would need to use to perform a proper one way encrypted hash, is going to be found in a cryptographic library.

        I suspect you’re thinking of Crypto in how it’s applied colloquially in the world today with a cryptographically signed linked-list ledger. There’s a whole world of cryptography that’s in use. Encryption is just one sub-function in that world.

    • @tool
      5
      9 months ago

      While on the topic, this isn’t how passwords work in systems.

      Passwords are stored as one way hashes. So it’s cryptoed only in one direction, it’s lossy, and can’t be recovered back to the original password.

      When you log on, your cleartext PW is hashed in ephemeral memory/storage and then the cleartext password is thrown away.

      That hash is compared to the hash in the DB. If the hash matches, then you have access. If it doesn’t, then your PW is incorrect.

      Oh my sweet Summer Child. This is definitely how it’s supposed to work, but there are plenty of services that just don’t know what the fuck they’re doing.

      Have you ever been on a site that has a stupid-low character limit for a password? There’s literally no reason to do that, all the hashes are going to end up the same size in the DB anyway regardless of the original string length. Even bcrypt’s max secret character limit is 70-something characters.

      Ever change a password and have it not work on the next login because they’re silently truncating it after a certain character limit? Ever get an email with an actual password in it?

      The only reason you would do things like this is if you’re storing/processing passwords in plaintext and not hashing it client-side first.

      I can think of 3 offenders of this off the top of my head. It’s a lot more common than you’d think.

    • @[email protected]
      3
      edit-2
      9 months ago

      Even if it’s hashed, some systems still use unsalted MD5 which is effectively just as bad as plain text.

      I don’t understand it. Argon2id has been around for nearly 10 years at this point, scrypt for 15, PBKDF2 for 20 and bcrypt for 25. It’s not hard.
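
The hashing scheme described in this branch of the thread (one-way hash, compare at login, fixed-size digest whatever the password length, and salted slow hashing rather than unsalted MD5) as an added Python example that is not from the thread. It uses only the standard library, so PBKDF2-HMAC-SHA256 stands in for the Argon2id/scrypt/bcrypt family named above; the record format and the iteration count are assumptions for the demonstration.

```python
"""Salted, slow password hashing vs. unsalted MD5 (added example, not from the thread)."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware budget


def md5_unsalted(password: str) -> str:
    """What the comment above warns about: equal passwords give equal, precomputable hashes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = None) -> str:
    """Returns a self-describing record: algorithm$iterations$salt$digest (all ASCII)."""
    salt = os.urandom(16) if salt is None else salt  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and parameters; the cleartext is never stored."""
    algo, iterations, salt_b64, digest_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), base64.b64decode(salt_b64), int(iterations)
    )
    # Constant-time comparison: a plain '==' would leak how many leading bytes matched.
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


def digest_length(record: str) -> int:
    """The stored digest is the same size whatever the password length."""
    return len(base64.b64decode(record.split("$")[3]))
```

Two users with the same password get the same MD5 string, which is what makes unsalted tables cheap to reverse in bulk; hashing the same password twice with `hash_password` gives two different records, both of which still verify. `digest_length` is 32 bytes for a one-character password and for a 300-character one, which is the point made above about there being no storage reason for short password limits; the joke password with tabs, newlines and a BEL character hashes and verifies like any other string.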

      • @[email protected] (bot)
        1
        9 months ago

        Here is an alternative Piped link(s):

        This

        Piped is a privacy-respecting open-source alternative frontend to YouTube.

        I’m open-source; check me out at GitHub.

    • @tacosplease
      3
      9 months ago

      Can someone help me understand this? It seems interesting.

      • @BluesF
        1
        9 months ago

        Long string of effectively random (in terms of their connection to you) words + special characters that make it hard to either guess or brute force.

  • @Fridgeratr
    18
    9 months ago

    Remove apostrophes from your plural words, they show possession, not plurality. Until next time.

    • body_by_make
      10
      9 months ago

      \t is your best shot. For good measure, you’ll also want to add double quotes (can be used to escape commas in CSVs), double double quotes, back slashes, and |s, just to mess with anyone trying to sanitize a CSV with your password in it.

    • @No_Ones_Slick_Like_Gaston
      6
      9 months ago

      Yes, char(9) is the SQL string for it.

      However most modern password attributes are blocking this from SQL injections where a playfully named user “Drop Table” does not cause any harm

    • @perviouslyiner
      1
      edit-2
      9 months ago

      Of course. In Windows you can hold Alt and type 0 0 9 before releasing the Alt key to enter the character without triggering any “move to next field” behaviour. In *nix it should be Ctrl+I.

      Similar with other control characters - NUL (0) might be harder to type, yet substantially more likely to break things!

      SHY is good if you’d like a character which can’t be seen, without needing to resort to Unicode.