52
saas
3y

The password field for our university website isn't case sensitive 🀣.

Comments
  • 4
  • 34
    @Ranchonyx

    The password field for OPs university website isn't case sensitive.
  • 13
  • 6
    @yabbat IT IS NOT CASE SENSITIVE AND THEREFOR I AM NOT SCREAMING AT YOU RIGHT NOW
  • 11
  • 2
  • 13
    userPassword.toLower()

    Could be worse, could have the damn sql query be

    # password LIKE "{userPassword}"

    The shit I've seen, would haunt you for life.
  • 6
    user: *
    pw: *

    πŸ˜„
  • 0
    It Isn't actually that bad
  • 12
    @theabbie but it is.

    Since they're using a to lower function, I'm going to assume it's because it's stored as plaintext in the DB.

    It should be hashed, and then case wouldn't matter.
  • 3
    @sariel there's no reason to make that assumption. If it is lowered before it's hashed, it would still be fine.

    Only security risk is drastically reducing brute force time
  • 0
    @sariel It's only making it slightly less secure, but just 26 less characters won't make any difference, even if it's plaintext, it's a university database, if it gets breached all data is already lost, password won't make any difference.
  • 1
    @COD4 @heyheni understand :) The issue isn't about lowercasing passwords. It's about how it's stored, and how the auth function does the lookup. If you don't follow basic practices like hashing the password as-is, then you probably also broke rules like searching for the password field in plain text.

    My next step when I see an app like that is to see if they're sanitizing my password in any way before running it through the database lookups. We might have a good case of Bobby Tables. Depending on how old Bobby was when XKCD #327 was written, its likely he's now in college :)
  • 0
    so you mean it's not hashed, and directly stored on database, how terrible :|

    website, address?
  • 3
    It's a security fiasco.

    It doesn't matter if it's case insensitive or not - it matters that I now _know_ about internal stuff.

    It's the same if you e.g. print the nginx version / PHP version… or have HTTP headers like Via / X-Cache-Hit / ...

    Don't allow people to know your environment - it's the simplest and most important rule in security.
  • 1
    @theabbie so shitty security practices are ok.

    Nah, I don't agree with that. Security of PII is federally regulated for educational institutions. If you don't comply, your accreditation can be in jeopardy.

    Don't be a lazy piece of shit dev, at the very least hash the passwords. Make your requirements whatever, but don't store them plaintext.
  • 1
    @sariel I assume it's because they want to be able to tell a student their password if they forget it, they could allow resetting it, but, who cares.

    Hashing password is too simple and they won't leave it if they were aware of it, either they're unaware or it's intentional, most universities set default password, security was never a concern for universities.
  • 0
  • 1
    @C0D4 why would you call toLower() on the password, when you could just use ILIKE on the server.

    SMH my head, shorter code is always better
  • 6
    @theabbie Arent you the one that leaked a load of your friends personal data through Github that one time?
    Makes sense that you dont think insecure password storage is that bad.
  • 1
    @LLAMS πŸ˜„πŸ‘
  • 1
    @LLAMS OP being a student of University and not doing anything to fix it and rather crying here is a bigger disappointment, Also, I am surprised people still remember it.
  • 3
    @theabbie the north remembers πŸ‘€
  • 0
    @C0D4 I'm going to try this like 🐱
  • 0
    @Wizard1997 not giving you that. Has already been hacked twice 🀣.
  • 0
    @theabbie our login id and passwords were told to us, by sending them in the entire batch's group. I have the password of all the students and can wreak havoc. 😌
  • 0
    @theabbie i did. told the IT guys. sent an email to the execs. They'll be fixing it in a month is the response.

    Also, laughing not 😒
  • 0
    @saas

    PleaseπŸ™ i need this.
  • 0
    Why do you even have passwords if everyone knows each other's one
  • 0
    Sometimes universities let their students set up university websites. Can't really blame the students - many are beginners. They might have yet to learn about security practices etc.

    But the university is of course to blame. There should be a review process so student code gets checked by someone with experience - too often that's not the case.

    Iirc at my university they used to allow students to set up frontends under the university domain, however any access to the backend of the university systems was prohibited via access restrictions. Students had to set up their own backend and route properly. Not really sure how that all worked, though.
  • 0
    So they are teaching how not to develop software. Chill its just an exercise.
Add Comment