this post was submitted on 26 May 2025
578 points (96.3% liked)

Cybersecurity - Memes


Only the hottest memes in Cybersecurity

founded 2 years ago
[–] Vigge93@lemmy.world 13 points 5 months ago (3 children)

That would be an extremely bad idea though, because it would allow a malicious attacker to

  1. Try random usernames, and if the website returns a hash they know that user exists
  2. Once they have the hash, and the hashing algorithm, it is much easier to brute-force the password, bypassing any safeguards on the server

Username/password validation should happen entirely server-side, with as little information as possible provided to the client

[–] grrgyle@slrpnk.net 8 points 5 months ago

Username/password validation should happen entirely server-side, with as little information as possible provided to the client

Yyyup. This is also why it's good practice to respond with HTTP 404 if a public user has tried to access user data they shouldn't have access to, whether it exists or not. Don't give them the hint that they hit a path that has forbidden data.

[–] aesthelete@lemmy.world 3 points 5 months ago (1 children)

Username/password validation should happen entirely server-side, with as little information as possible provided to the client

💯

It's recommended practice to not even tell them which half of the username/password combination failed upon authentication failures.

[–] Clent@lemmy.dbzer0.com 1 points 5 months ago (1 children)

It is a password reset form. The username has already been confirmed in a previous step.

[–] aesthelete@lemmy.world 1 points 5 months ago (1 children)

That still doesn't make it good practice to send the old password (hashed or not) to the client.

[–] Clent@lemmy.dbzer0.com 1 points 5 months ago (1 children)

You are making an unfounded assumption that the password is sent to the client which does the check and then shows the message rather than the server doing the check and responding with the message back to the client.

[–] aesthelete@lemmy.world 1 points 5 months ago (1 children)

Nah I'm not, look above. There's a way to do this that isn't terrible. I just kinda assume that they aren't doing it properly because I've worked in software for decades.

[–] Clent@lemmy.dbzer0.com 1 points 5 months ago (2 children)

No one is reimplementing their hashing algorithm in JavaScript. Doesn't matter how many decades in the industry you have, that's a silly assumption.

The parts of security here that involve best practices are invisible to the user. Things such as salting, which many do not do, but also how they handle the reset token, which many do not think about.

However, none of that makes a good meme for people cosplaying cyber security gurus.

[–] aesthelete@lemmy.world 1 points 5 months ago* (last edited 5 months ago)

Of course they wouldn't implement it themselves, that's what the wonderful world of npm is for. /s

The software I've worked in is full of bizarre, dangerous junk. I used to assume that people did things at least the easier way if not the right way. Now, I expect them to do the dumbest, wrongest most esoteric thing possible and I'm often right.

anecdote:

I once worked with a person that was essentially maintaining a series of statically compiled hashmaps by hand instead of, you know, doing the obvious and externalizing the fucking thing into a database table. The insane bastard even sat there incrementing the initial collection sizes when he got requests to add in new data.

[–] Vigge93@lemmy.world 1 points 5 months ago

You would assume that, but you would be very wrong. People are lazier/sloppier than you might think.

Searching for "client side authentication NVD" turns up a lot of examples. There is even a CWE for "Use of Client-Side Authentication":

https://cwe.mitre.org/data/definitions/603.html

[–] Clent@lemmy.dbzer0.com 2 points 5 months ago

People are forgetting this is a password reset form, not the login form.