Hacker News

Ken Thompson's Unix Password(leahneukirchen.org)

2100 points | stargrave posted 12 days ago | 662 comments
whalesalad said 12 days ago:

I remember cracking the password from a Windows system in high school. There was a centralized login mechanism using Novell but everything was cached locally. So you could boot a Linux CD and copy the password file to a memory stick, and crack at home. I think I used lophtcrack? The head admin account for the entire school district (basically root) had the password “north”. It took like a fraction of a second to crack. It was so simple that for weeks I didn’t even believe it to be true, and didn’t realize the name of the account was an admin.

I was expelled a few months later for all the fun I had after discovering this. Good times.

lordlic said 12 days ago:

I was expelled from university for pulling off the exact same exploit with the "workstation only" feature in Novell. In my case, they put a computer in every dorm room, and every single one of them had a domain-wide administrator account cached in its SAM file. It was inevitable that a student would find it. It's been almost 15 years now but I believe the password was rac3c4r or something trivial like that. I ran Ophcrack overnight and in the morning I had admin access to every machine on campus.

I also had the bright idea to try this on library computers and email kiosks around campus used by thousands of students. Rather than booting into Ophcrack I'd just log in with the admin account and run pwdump from a USB stick to collect password hashes. I figured out how to enumerate Windows machines over the network using NetBIOS and ran the pwdump utility remotely using psexec, so that I could hit every computer in the library at once, or every computer in a computer lab, etc.

I ended up cracking credentials for most students and faculty on the entire campus. I was really young at the time and thought this was some real cool James Bond shit. I never once used it for evil: never read anyone's email, never viewed anyone's private files, never poked around the academic file shares for test solutions, never tried to steal credit card numbers or social security numbers from the finance office's file share. It was purely a hack for the thrill of breaking down barriers and outsmarting the security. But MONTHS later after I had long since grown tired of tinkering with this stuff, a couple of uniformed police officers pulled me out of Calculus class and took me downtown. They tossed my dorm room and confiscated my computer and my phone and every piece of digital storage I owned. The school threw the book at me, I guess because they were so embarrassed by their incompetence on display from being beaten by a 16 year old.

(Posting on my alt account for obvious reasons.)

minikites said 12 days ago:

>I never once used it for evil: never read anyone's email, never viewed anyone's private files, never poked around the academic file shares for test solutions, never tried to steal credit card numbers or social security numbers from the finance office's file share.

I don't understand this justification. The system owners can't know that to be true and have to proceed as if the systems are compromised. Would you still feel safe if a burglar broke into your house and left a note saying they didn't take anything?

lordlic said 12 days ago:

It's not a justification. What I did was wrong. I'm just telling you what I did and why I did it. I wasn't interested in hurting anyone or in gaining any advantage for myself, only in breaking the system.

Also, I didn't actually go in anyone's house. If passwords are really so inherently private even apart from their access implications, maybe we shouldn't be sharing Ken Thompson's old password.

loeg said 12 days ago:

Yes, a good defense against a charge of burglary would be not having stolen anything. In an imaginary perfect criminal justice system, charges/penalties are based on damage done. Less damage done is a lesser crime.

blackflame said 12 days ago:

I was expelled for the same reason and here's what the school admins said about it. https://www.sandiegouniontribune.com/pomerado-news/sdpn-rbhs...

ambicapter said 12 days ago:

> In an imaginary perfect criminal justice system, charges/penalties are based on damage done.

Hell no. Otherwise you could just set up one gigantic crime by committing a bunch of small "no damage done" crimes along the way, say, stealing a string of credentials one at a time, but not actually using them until you have all of them together and then you commit your major heist/crime.

brigandish said 12 days ago:

Mens rea is an important consideration so it's not just about damage done (though the fear a key could be used in pursuit of a worse crime is also a harm) but the intent/recklessness of an act.

lazyasciiart said 11 days ago:

Well, the imaginary perfect criminal justice system would probably arrest you right as you had completely committed to causing the damage, instead of afterwards. But it should still be justifying the arrest based on the act that caused damage, not the harmless acts that set you up to be ready to do it.

dual_basis said 11 days ago:

Ah, like Minority Report

loeg said 11 days ago:

The crime in this hypothetical degrades from Burglary to Trespass, not "no crime."

Mirioron said 12 days ago:

Lesser punishment doesn't mean no punishment. Furthermore, you can always argue that the intent is to commit a major crime.

vangelis said 10 days ago:

A burglar might kill someone, book them on home invasion charges even if the house was empty.

JauntyHatAngle said 12 days ago:

Isn't this more like duplicating everyones house key? He never actually went into the houses.

waway said 12 days ago:

Except he went in the Admin's house:

> I'd just log in with the admin account and run pwdump

lordlic said 12 days ago:

Just to be clear, in case this matters, it wasn't an account belonging to an administrator, it was a default superuser account called (if I remember right) "TECH" in all caps, and didn't have any files or anything in it. It's not like it was a person and I was poking around their private stuff.

inakarmacoma said 12 days ago:

Only if you can know he didn't actually go in. Even now, do you believe he never looked at a single private file?

lordlic said 12 days ago:

What possible reason would I have to lie about it? You think I'm worried about investigators raiding my VPN service so they can track down and charge a grown-ass man in juvenile court for something that happened 15 years ago? You think I'm worried about my reputation on this throwaway account with a grand total of five previous comments? What's the point in believing that this whole escapade happened at all if you're going to randomly doubt a particular element of it?

I was a kid, I was stupid, but I wasn't an asshole. I didn't go peeking and violating people's privacy because that would have been a dick move. Just like tons of people on Hacker News today have access to personal data on SaaS systems we maintain and don't go peeking. Just like tons of people are perfectly capable of picking their neighbor's locks but don't walk into their house for no reason. It's not even tempting. I don't care what's in my neighbor's house, and I don't care what's in random other students' homework documents or email or whatever. The only interesting part was breaking the security.

jakobegger said 11 days ago:

If someone secretly stole my key and made a copy of it, I hope the court would send them to jail, regardless of why they made the copy.

dunmalg said 11 days ago:

No, it's generally not illegal to copy someone's key. It's illegal to STEAL the key, of course, but copy? Not a crime. Some states have laws that prohibit "providing access" to a government facility which can be applied to copying government keys, but your house key? Nope.

SOURCE: am locksmith

badfrog said 12 days ago:

> Would you still feel safe if a burglar broke into your house and left a note saying they didn't take anything?

That doesn't make it okay, but it certainly should result in a much lesser sentence than if the perpetrator had damaged or stolen property.

jacobsenscott said 12 days ago:

No. The serious crime is breaking in. Usually when someone's house is broken into they don't care about the stuff at all. They care that their personal space and sense of security has been violated. Also the criminal doesn't know what they'll find when they get in, but they are setting up a situation that can escalate quickly. Kids home alone? Someone with a shotgun? The very act of breaking in means they are ready to commit violence. If someone breaks into our house and sleeps there all weekend while we are on vacation, but doesn't take anything, does that deserve a lesser sentence than if they took a $100 TV? Not in my opinion.

htfu said 11 days ago:

"The very act of breaking in means they are ready to commit violence."

You really believe this? What makes you think you speak for people in general, or know the mind of the average burglar?

And how far does your equivalence view stretch, if someone trespasses and uses your pool is that the same as taking your outdoor furniture? Why not?

RhodesianHunter said 12 days ago:

Well that's an opinion, but not how the law actually works, where misdemeanor/felony levels and minimum sentencing are based on the dollar value stolen.

de_watcher said 12 days ago:

The purpose of the whole system is education. He used it exactly for that.

Just make it more secure so the next people can have a bigger challenge.

soperj said 12 days ago:

It was clearly an illusion of safety to begin with if they broke in. At that point you're at least informed, and it didn't cost you anything.

Aeolun said 12 days ago:

> Would you still feel safe if a burglar broke into your house and left a note saying they didn't take anything?

You might feel safe if he didn’t, but you wouldn’t actually be safe, would you?

jessaustin said 12 days ago:

Feelings are more important than reality!

dannyw said 11 days ago:

See: NSA and mass surveillance

whalesalad said 12 days ago:

Yes! The SAM! It’s all coming back to me now.

zippergz said 12 days ago:

Do you know how they ended up finding out about it and catching you?

lordlic said 12 days ago:

Yeah. My technical tracks were covered. It was the roommate of one of my friends. He overheard me talking about it and ratted me out.

reachtarunhere said 11 days ago:

It's always that kid. I did something similar in high school with luckily no serious repercussions but yup it was another kid who ratted me out. I could have changed my grades and stuff but luckily I was pretty content. The network admin who I really looked up to and asked lots of technical questions vouched for me. I think the fact that I only played around with the admin account for fun and never touched anything else helped my case.

daedalus6174 said 12 days ago:

What a punk

Aeolun said 12 days ago:

That is an understatement. I wonder what kind of backstabber he grew up to be :/

CraneWorm said 11 days ago:

The concerned kind. Refusing to keep their mouth shut when others exploit the system.

This is a problem, here GP is a hero, a hacker, a free spirit. But there is no point in romanticizing such behavior.

If you find a vulnerability in a system, you disclose it to the people that should know about it. You can do that anonymously, or you can alert people in a subtle way.

What you don't do is sit on it and brag to people what a clever person you are.

Aeolun said 11 days ago:

What the OP did is (in this case) irrelevant to what the asshole did. There were multiple ways he could have gone about dealing with the situation that did not involve fucking someone over, but he chose to do that instead.

I just cannot attribute something like that to altruism.

CraneWorm said 10 days ago:

Listen, knowing only OP's side of the story it's easy to sympathize. Especially if he's a part of our in-group of technical people.

Dismissing the whistle-blower as a "kid, that wanted to just fuck someone over" is hardly fair.

Assadi said 10 days ago:

snitch

CraneWorm said 10 days ago:

I was wondering when this one would come up. "Snitches end up in ditches" mentality is at fault here.

You pretend that someone cracking everyone's password is not a problem that the organization should address or even know about.

We should not turn our gaze away. "This is not my problem" is simply not a correct response. Snowden knew that, and yet, some people call him a snitch and a traitor.

philpem said 11 days ago:

Probably a politician.

waway said 12 days ago:

wow, that's very scummy. That must feel worse than them finding you because you slipped up technically.

jakobegger said 11 days ago:

I think that if someone boasts that they've cracked everyones password, reporting them is the right thing to do.

socceroos said 11 days ago:

Perhaps the discretionary thing to do in the case where the perpetrator is relatively whitehat is to mention to IT that "it appears common knowledge that all admin passwords are compromised" without exposing their identity.

mettamage said 11 days ago:

High school kids or uni students being discretionary?

What an interesting alternate reality that would be.

CraneWorm said 11 days ago:

> wow, that's very scummy.

You misspelled "prudent".

CraneWorm said 11 days ago:

good citizen

ikurei said 11 days ago:

Can't help but wonder, didn't you think about reporting this, anonymously at least?

If you figured this out, it wasn't all that unlikely that a less scrupulous hacker could have.

(Not judging, both because I don't like to and because you were a kid.)

tikiman163 said 11 days ago:

Sigh, I grow tired of pointing this out, but if they were able to figure out someone was doing this, and even who it was, then you weren't a l33t hacker. You used common tools and used a known exploit that people were watching.

You broke rules for personal enjoyment and weren't even good enough to not get caught. You didn't beat them, they beat you. It doesn't matter if you went unnoticed for several months, the fact is standard monitoring and logs were your down fall. Nobody ever thinks of the log files and network monitoring tools as being part of security. Not being prevented from accessing the system is not the same thing as successfully hacking a system unless you aren't caught either.

tastroder said 11 days ago:

> You broke rules for personal enjoyment and weren't even good enough to not get caught.

Otherwise known as being young and in their formative years. Plenty of HN had similar experiences and luckily even 15 years ago this harsh view on teenage stupidity was in the minority.

He also doesn't seem to claim to be a l33t whatever.

> Not being prevented from accessing the system is not the same thing as successfully hacking a system unless you aren't caught either.

> You didn't beat them, they beat you.

They beat themselves, which was understandable back in the day but that's a popular narrative to this day. If a school kid with random scripts or untargeted ransomware gets into a system I put far more blame on the process that prevented them from being patched than said kid.

CodexArcanum said 11 days ago:

He points out below that he was caught because another student overheard him discussing it and ratted on him. I feel like a real hacker wouldn't make a bunch of untested assumptions about situations they have no context for.

KnMn said 9 days ago:

Real Hacker™

neotek said 12 days ago:

Our high school network ran on Novell NetWare, but I wasn't anywhere near smart enough to crack anything so I just wrote a little program in QBASIC that looked like the NetWare login prompt which rejected all login attempts but dumped what was entered into a text file, and left it running on one of the PCs in the computer room. It wasn't even a compiled program, it was just running inside QBASIC's IDE.

Yet it was running for three days before the admin got around to checking the machine, and all he did was try to log in, failed, and rebooted the machine — bringing it back to the real NetWare login screen. I got his password and pretty much everybody else's too, and to this day, more than 20 years later, I still use bits of his admin password from time to time when I'm creating temporary accounts.

AgentME said 12 days ago:

This is exactly why some versions of Windows required you to press ctrl-alt-delete to open the login form. Programs aren't allowed to block Windows from receiving ctrl-alt-delete, so a fake login program would not be able to stay on the screen after the user pressed ctrl-alt-delete. (Of course this only works if the user knows to always hit ctrl-alt-delete when they go to login. If the user sees an already-open (fake) login screen and does not hit ctrl-alt-delete, then they're vulnerable.)

judge2020 said 12 days ago:

The new Windows 10 login screen doesn't seem to support anything running on it, all I've seen is a duo security prompt that A. Only showed up after a login and B. Doesn't work on Windows 10 in a non-rdp session on a Microsoft account[0]. Sadly this also means you can't run something like Wallpaper Engine on the lock screen[1].

0: https://duo.com/docs/rdp-faq#can-i-use-duo-with-a-microsoft-...?

1: https://steamcommunity.com/app/431960/discussions/0/15001264...

JonathonW said 12 days ago:

The specific threat that ctrl-alt-delete's supposed to mitigate is where a user's already logged in, but a program's running that mimics the login prompt. Since applications can't handle ctrl-alt-del in Windows, if you pressed it at a fake login prompt, you'd get the Windows Security dialog/screen rather than a login prompt and it would be obvious that something's wrong.

Its utility is limited these days since consumer configurations of Windows have users trained not to expect to have to press ctrl-alt-del to log in. I'm not sure that it's even enabled by default on domain-joined machines any more as of Windows 10 (still available via Group Policy, though).

judge2020 said 12 days ago:

I've noticed sometimes the lock screen won't show the login dialog via the regular "press any keyboard key" action or via mouse dragging it up, I had to press ctrl-alt-delete. Maybe there are some heuristics that decide this that I don't know about.

sys_64738 said 12 days ago:

I think ctrl-alt-delete generates a hardware interrupt.

newscracker said 11 days ago:

It is not a hardware interrupt in the sense that there's nothing special about this key combination to generate a specific interrupt. The only related interrupts are the keyboard interrupts that happen for every keyboard activity, which the BIOS interprets and takes actions like turning on a key LED and storing the actions in a memory buffer (this is all in "real mode" on x86 processors) before that goes further up to the application. Capturing the keyboard interrupt could allow one to intercept specific keystrokes (like Ctrl+Alt+Del) before the OS gets it, but that's not possible in the OSes most people use today (which all run in "protected mode").

deaddodo said 12 days ago:

In real mode, the BIOS intercepts it. But it's still not a hardware interrupt; it just never gets to the OS.

vinkelhake said 12 days ago:

Hah, I and a friend did a very similar thing with our school's NetWare. We managed to get ours to silently log the user in after collecting the credentials so it was mostly invisible. We created it to get the password from a particular guy, but in true dragnet style we installed it on as many machines as we could.

I have no idea how network drives were managed with NetWare, but some students always managed to find world writable dirs (that shouldn't be). Then it was a matter of finding some obscure subdirectory, create a new one (typically containing alt+255 characters) and stick games there. Fun times.

We did get his password (and many others), but never actually did anything with it.

knodi123 said 11 days ago:

I did the exact same thing, wrote the login faker in pascal.

Mine would print the "typo" error message, save credentials, and then log me out and show you the real login screen.

I managed to get the passwords of every student and teacher, but alas, I stored them in a file called hacked_passwords.txt, in my home directory. Got busted, and got a dozen Saturday detentions.

Breza said 9 days ago:

You learned an important lesson about the importance of naming things.

matthewwiese said 12 days ago:

This is fiendishly clever; you more than made up for a lack of technical skills by exploiting the wetware angle. Lovely little story :)

Zenst said 12 days ago:

Reminded of my past experience and then remembered that already told that story:- https://news.ycombinator.com/item?id=17418559

lnx01 said 11 days ago:

I did exactly the same thing. Wrote to a file on my personal network share and then did this:

OUT &H64, &HFE

Instareboot on a DOS machine.

staticfloat said 12 days ago:

My highschool (well, homeschool resource center) IT admin couldn't log into one of the macs in the A/V lab one day; I heard him talking about it, and being on good terms with him, I offered to try and hack in. I literally googled "how to hack macos password", chanced upon an `nidump` vulnerability recent enough that it hadn't been patched, used that to dump the password hash file, fed that to JTR (compiled on that same machine, to add insult to injury), and almost instantly ended up with the admin password for the entire domain: 1337

It turned out that someone hadn't changed the password, he had just mistyped it over and over again. At the time, I didn't know what "1337" meant, I just thought it was a weird number, and it wasn't until many years later that I suddenly burst into laughter, realizing the "elite" level of security in that lab.

Thanks for the good times, Ron! I'm really glad he just laughed and trusted me as I explored technology instead of freaking out when my portscanners started making the printer spew out a bunch of garbage.

jonny383 said 12 days ago:

I got kicked out of school when I was fifteen for doing this. My class was the first year to have a mandatory laptop program. Each laptop was running Windows XP on the school's AD domain. I booted up Ophcrack at home, and didn't get a result. So then I torrented a larger rainbow table and ran it again for three days. Boom, there I had it.

My motivation for this was wanting to install my own software on the laptop that my (underprivileged) family was forced to pay for (much more than what it was worth). This was not an optional item, it was a requirement of the state-run school. The student user account was not given local administrator rights on the computer.

After using the administrator account for six months to install my own software (this is when I first taught myself how to program), the school did a random "computer" check, where they confiscated everyone's computer - unannounced, at random, and simultaneously. My computer was asleep, signed onto the administrator account.

During the inspection, the school's IT administrators and an external contractor not only went through all of the files on the local computer, but also my Gmail account which had credentials saved in Firefox.

When my father was called into the office to discuss what they found, the school had the state police there to discuss charges. After listening to them rant on for about thirty minutes, my father turned to the female police officer and calmly said "I would like to press charges against [ ...... ] school, and Mr [ ...... ] personally for accessing my child's email account in an unauthorized manner". The head master agreed to not proceed with charges but I was no longer welcome at the school.

Unrelated, but five years later, Mr [ ...... ] was charged with possession of child pornography and jailed for fifteen years.

nvarsj said 11 days ago:

Wow - this is awful. For simply getting admin rights on your own laptop? How do school admins get away with treating the kids like inmates? Good on your dad, he handled it well.

philpem said 11 days ago:

You don't get to be headmaster of a school without wanting to feel power over the kids.

And if that's the only power you have in your life, you'll protect it viciously.

Teachers are usually in it for the warm fuzzy feeling of doing something good, but I've never met a headmaster who didn't behave like I described above.

kcolford said 11 days ago:

At my small high school it was well known that the teachers essentially rotated being principal. They all hated it but it had to be done. While I was there it was the history teacher. Before that it was the science teacher. After I left the English teacher took over the role. Yes it was <100 people so there really was only one teacher for each subject with some overlap.

cf141q5325 said 11 days ago:

I wouldn't call it unrelated. He clearly had past behavior violating the privacy of his students with the cover of politics and police. It's how predators like this operate, finding an authority position and exploiting it. And he clearly got away with it that time.

milchek said 12 days ago:

I wish my story was as cool and involved some technical expertise.

In year 10, a friend of mine saw our school network admin type the admin password in (he used his index fingers and typed in each character one at a time like someone with very little typing experience - this was 1998)

Anyway, I used this info to log in as the admin and I promptly deleted all of the student accounts in the school. Students around me immediately started complaining they couldn’t log in or access their assignments.

It was a stupid and immature thing to do.

Guess it’s a good reminder and lesson that you should always be careful who is watching you over your shoulder.

slowmo_qwerty said 12 days ago:

Oh, did something similar to change a friend's grades in college. Pretended to be on my smartphone while the professor signed in, and filmed their fingers on the keyboard. Took some trial and error watching the low-res video (this was before phones had nice cameras) frame by frame to figure out which keys he was hitting.

masto said 12 days ago:

My high school's administrator password was “math”. I think the statute of limitations has expired by now.

I got it by writing a simple login spoofer in Turbo Pascal. The funny thing is I never bothered to remove it and after I graduated, I heard from the actual administrator that they were having a strange problem where the first login of the day spit out a disk full error.

knodi123 said 11 days ago:

> I got it by writing a simple login spoofer in Turbo Pascal.

Ha, I did the exact same thing, in turbo pascal as well!

Man, I miss those simple computer systems. I used to go to other people's desks and type the word "end" in column 100 of the first line of their program. They'd go mad with frustration trying to figure out why their program always ran instantly, with zero errors and zero output. Or I'd let them watch me type in my 6-digit numeric password, but they still couldn't log in as me because I was slyly holding down the alt key as I typed, so the password was really a single extended ASCII character...

Getting up to all those hijinks gave me a love of computers that really set the direction my life would take.

avens19 said 12 days ago:

Our high school's local admin password on every machine was the name of the school district. Used it to install P2P software and emulators on lots of the machines throughout my time there. On grad day I was setting up a slideshow with my CS teacher and the domain login wasn't working. I said "just log in with local admin". He said "I don't know the password". I did it in front of him. His words: "I don't want to know what you've done with this"

josephwegner said 12 days ago:

Dang, well done.

I spent three solid semesters wasting my "Computer Science" electives on breaking into the Novell system... I found tons of these encrypted passwords, and it never occurred to me to just crack one. I did find plenty of other ways to get in, though :)

blackflame7000 said 12 days ago:

Yea historically the SAM file on windows has always been a weak spot because of its NTLM hashing scheme. By breaking passwords larger than 7 letters into multiple sub-password hashes it virtually guaranteed rainbow tables would destroy its security.

walshemj said 12 days ago:

I used this weakness whilst working at British Telecom to legally break into some NT boxes on behalf of a FTSE 100 company whose system my team got asked to take over.

They had had a bad break up with another supplier and had lost access.

I used our art director's Mac to break in. I did consider setting up a DIY cracking farm using all our Suns and running it overnight, but I suspect that the security department might not have approved.

tomc1985 said 12 days ago:

Out of curiosity, why did they do this? Was hashing super computationally expensive when NTLM first appeared (NT 3.51 I think?)

jackjeff said 12 days ago:

I wonder if it’s for export control. 7 chars x 8 bits = 56 bits. This used to be the limit for max size of symmetric keys by the US.

zerocrates said 12 days ago:

The "split into 7s" thing is from LM, which goes back to the OS/2 days... and it uses DES, which operates with 56-bit keys: 7 8-bit characters. Old DES-based crypt() has a similar limit: 8 7-bit characters.

NT hashes use MD4, which wasn't invented until 1990.

takeda said 11 days ago:

I believe LM also stored the passwords in uppercase as well. The NTLM password was used, but LM was also saved for compatibility (by default) with older Windows machines.

L0phtCrack utilized this when cracking: it first found the uppercase password, then it only had to brute force the case when cracking NTLM.
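
The LM/NT split discussed in the three comments above, as an added example that is not code from this thread, from L0phtCrack or from Ophcrack. The NT hash is MD4 over the UTF-16LE password, so the block carries a pure-Python MD4 (RFC 1320), and then implements the case-recovery step takeda describes: once the LM half has yielded the password in uppercase, the NT hash only has to be tested against the 2^k case variants of its k letters instead of the full keyspace. The LM hash itself (DES keyed with the two 7-byte halves) is not implemented here; the uppercase string is taken as the LM crack's output, and the password "Weebles1" is a constructed sample, not one from the thread.

```python
import itertools
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 in pure Python. hashlib.new("md4") depends on
    OpenSSL's legacy provider and raises on many current systems."""
    msg = bytearray(data)
    msg.append(0x80)                       # padding: 1 bit, then zeros to 56 mod 64
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)  # bit length, LE

    f = lambda x, y, z: (x & y) | (~x & z)           # round 1 function
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)  # round 2 function
    h = lambda x, y, z: x ^ y ^ z                    # round 3 function

    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", bytes(msg[off:off + 64]))
        a, b, c, d = A, B, C, D
        # Each step updates one register and rotates (a,b,c,d) -> (d,a,b,c),
        # which reproduces the ABCD/DABC/CDAB/BCDA ordering of the RFC.
        for i in range(16):
            a = _rotl((a + f(b, c, d) + X[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            k = (i % 4) * 4 + i // 4             # 0,4,8,12,1,5,9,13,...
            a = _rotl((a + g(b, c, d) + X[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            k = (0, 2, 1, 3)[i // 4] + (0, 8, 4, 12)[i % 4]  # 0,8,4,12,2,10,6,14,...
            a = _rotl((a + h(b, c, d) + X[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        A, B, C, D = (A + a) & MASK32, (B + b) & MASK32, (C + c) & MASK32, (D + d) & MASK32
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 of the password encoded as UTF-16LE, no salt."""
    return md4(password.encode("utf-16-le"))


def case_candidates(upper: str):
    """Yield every mixed-case variant of an LM-recovered (uppercase) password.
    LM uppercases before hashing, so only letter positions branch."""
    choices = [(ch, ch.lower()) if ch.isalpha() else (ch,) for ch in upper]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def case_search_space(upper: str) -> int:
    """Number of NT candidates left once LM gave the uppercase form: 2^letters."""
    return 2 ** sum(1 for ch in upper if ch.isalpha())


def recover_case(upper: str, target_nt: bytes):
    """Return the case variant whose NT hash matches, or None if the LM result
    does not correspond to this NT hash (e.g. a password longer than the 14
    characters LM covers, where no LM hash is stored at all)."""
    for cand in case_candidates(upper):
        if nt_hash(cand) == target_nt:
            return cand
    return None


if __name__ == "__main__":
    # Constructed sample: pretend the LM half cracked to "WEEBLES1" and we hold
    # the NT hash of the real password; 2^7 = 128 NT hashes settle the case.
    real = "Weebles1"
    target = nt_hash(real)
    print("NT hash:", target.hex())
    print("candidates:", case_search_space("WEEBLES1"))
    print("recovered:", recover_case("WEEBLES1", target))
```

The same MD4 also checks against RFC 1320's vectors (MD4("") = 31d6cfe0d16ae931b73c59d7e0c089c0, which is also the NT hash of the empty password), and nt_hash("password") gives the well-known 8846f7eaee8fb117ad06bdd830b7586c. The point of the example is the size of the second step: a 14-letter password costs 2^14 NT hashes once LM has given its uppercase form, which is why disabling LM hash storage mattered long before NTLM itself was considered weak.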

stuntkite said 12 days ago:

I did the same thing at my school but it was a brand new SMT magnet school so we showed the net admins and helped to prevent it... Zipslack (first 100mb linux distro) with l0phtcrack was part of my EDC. I believe the first time it was shown to the adults was after someone locked the school network admin out of everything so we helped him recover. We even set up a security lab for the admin team. The next year anything that looked like hacking was grounds for expulsion which led to a lot more problems with it if you ask me. The school with a wing full of hackers wasn't gonna quit looking at new tools. The school just decided it was like teen sex or smoking. Banned! Lol.

starpilot said 12 days ago:

Did the same thing with cain & abel. Took 2 days to crack an admin password, it was "weebles". Didn't get expelled though.

blyry said 11 days ago:

My school hacking story: 7th grade, springtime, ~1998. The district used software that ran on login and populated your desktop/start menu and permissions. This was a mixed network of windows 98 and XP for all the newer computers. I found a bug where if you corrupted your own user profile folder, windows would load a temporary one after reboot and not apply all the restrictions, giving access to explorer. You could also get access to explorer by going through the f1 help menu in a couple of different programs.

Promptly used explorer to navigate to my English teacher's computer via the hidden c$ share, and delete the executable from the program files folder. Next time she logged in, BOOM nothing. no start menu, no desktop, no permissions. The admins had an incredibly consistent and predictable naming scheme, and my idiot "friends" I shared the vulnerability with promptly used this to nuke like 3 labs and a bunch of teachers' computers.

Fast forward 1 month, we all got pulled out of PE by a cop and sentenced to 1-3 weeks of community service.

* I abused that profile bug to work exclusively out of portable firefox on a usb drive instead of being tied to internet explorer 6 and 7, which allowed me to bypass proxy settings and get access to gmail and read slashdot/ign/halo.bungie.org during school hours! Those were the days.

darkfire613 said 12 days ago:

My school district was the Madison Metropolitan School District. I discovered quite by accident that the admin password for the school computers was just ‘mmsd’. It was literally my first guess.

agent008t said 11 days ago:

There is something very wrong with the school (system) if you actually got expelled for that. If that is the whole story, they should have explained why it was wrong and tried to encourage you to learn more, responsibly, by actually asking you to help them with securing their system. That is roughly what my headmaster in Russia did in similar circumstances. The thought of expelling a kid over something silly like this wouldn't even cross anyone's mind.

Iv said 12 days ago:

In our engineering school the password hashes used to be publicly accessible. Someone had devised a John the Ripper binary to look like SETI@home and made it run on several machines with the admins' benediction.

We had a meagre quota on these shared systems (between 1 and 10 MB) but teachers had 1 GB. We stored the Quake binary on one teacher's account, StarCraft 1 on another, and started kicking.

Good times...

drkstr said 12 days ago:

One day I was bored in comp sci and decided to CD into drives A-Z. Found a bunch of Novell NetWare utils sitting on a hidden drive. One of them listed all the users on the system, while another sent back generic user info. Thing is, this was a very large high school and a bunch of accounts had never signed in. All you had to do was log in with a blank password and it would prompt you to select one on login. Any funny business on the network was done on a burner account. It was all just fun and games, but I never did get caught. Although, one of my teachers did say the network admin sent out an email to all my teachers, telling them not to let me touch their computer. No matter. It would be foolish to log in from a location that has a record of you physically being there.

ollie87 said 11 days ago:

Used to do it on Windows 95/98 at my school with Cain and Abel.

You could save the *.pwl files to a floppy, take them home, and crack them in a few minutes. All you needed was a PC that a teacher had logged into recently.

guyzero said 11 days ago:

In high school a teacher in the computer lab tossed a piece of note paper in the garbage, a fellow student saw it, fished it out and brought it to me because I would be interested in having an admin password I guess. It was indeed the admin password for the QNX machines we used.

Life was so simple in the 80's.

tonyrice said 12 days ago:

This exact thing happened to me, except I accessed a network drive linking to some juicy information. The school expelled me and the state went after me. I ended up getting a misdemeanor expunged!

said 12 days ago:
[deleted]
harryh said 12 days ago:

I did this in college to hack the digital sign on the Purnell Center at CMU. Did not get expelled. Also good times.

passivepinetree said 12 days ago:

That's fascinating. Would you mind sharing the full story?

blackflame said 12 days ago:

I was also expelled for basically doing the exact same thing: exploiting cached domain admin passwords for Novell via a local SAM file. NTLM hashing does something incredibly dumb for legacy purposes by splitting passwords longer than 7 letters into multiple hashes for the first 7 letters and the second 7 letters. We got caught because a kid left a flash drive with teachers' passwords in a computer lab, and when the teacher tried to find out who the drive belonged to, he found that kid's homework and his own password. There are some news stories that came from it:

https://www.sandiegouniontribune.com/pomerado-news/sdpn-rbhs...

https://www.sandiegouniontribune.com/sdut-poway-letter-to-st...

https://www.latimes.com/archives/la-xpm-2008-may-13-me-brief...

https://www.kpbs.org/news/2008/apr/29/officials-investigate-...
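As an added illustration of the 7+7 split described in the comment above (this is the LM hash, the older of the two hashes pwdump dumps per account; the code is not from the thread): a Go version built only on the standard library's crypto/des. The sample passwords are the ones quoted in this thread, and the two hex constants are the well-known LM values for the empty password and for "password".

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed plaintext every LM half encrypts. It is the same for every
// user on every machine, so there is no salt: equal passwords hash equally everywhere.
const lmMagic = "KGS!@#$%"

// EmptyHalf is DES(key=0, lmMagic), the value of any half made entirely of padding.
const EmptyHalf = "AAD3B435B51404EE"

// lmKey spreads the 56 bits of a 7-byte half over 8 DES key bytes, 7 bits per byte,
// leaving bit 0 of each byte (the parity position, which DES ignores) clear.
func lmKey(half []byte) []byte {
	var bits uint64
	for _, b := range half {
		bits = bits<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		key[i] = byte(bits&0x7F) << 1
		bits >>= 7
	}
	return key
}

// LMHalves returns the two independent 8-byte DES outputs of the LM hash as upper-case hex.
// ASCII passwords only: real LM upper-cases in the OEM code page, which this does not model.
func LMHalves(password string) (first, second string) {
	pw := []byte(strings.ToUpper(password)) // case is thrown away before hashing
	if len(pw) > 14 {
		pw = pw[:14] // everything past 14 characters is ignored
	}
	padded := make([]byte, 14) // zero-padded to 14 bytes, then cut into 7 + 7
	copy(padded, pw)
	var out [2]string
	for i := range out {
		block, err := des.NewCipher(lmKey(padded[i*7 : i*7+7]))
		if err != nil {
			panic(err)
		}
		dst := make([]byte, 8)
		block.Encrypt(dst, []byte(lmMagic))
		out[i] = strings.ToUpper(hex.EncodeToString(dst))
	}
	return out[0], out[1]
}

// LMHash is the 32-hex-digit value pwdump prints in the third field of each line.
func LMHash(password string) string {
	first, second := LMHalves(password)
	return first + second
}

// SecondHalfIsPadding is the first thing a cracker checks: if the second half equals
// EmptyHalf the password is at most 7 characters. Either way the halves are attacked
// separately, two 7-character searches instead of one 14-character search.
func SecondHalfIsPadding(lmHex string) bool {
	return len(lmHex) == 32 && strings.EqualFold(lmHex[16:], EmptyHalf)
}

func main() {
	// Sample passwords are the ones quoted in this thread; none is a real credential.
	for _, pw := range []string{"north", "weebles", "password", "PassWord", "CorrectHorseBattery"} {
		h := LMHash(pw)
		fmt.Printf("%-20s %s  <=7 chars: %v\n", pw, h, SecondHalfIsPadding(h))
	}
}
```

Three things a cracker relies on are visible in the output: the second half of any password of 7 characters or fewer is the constant AAD3B435B51404EE, changing characters 8-14 never changes the first half, and case folding shrinks the alphabet before the search even starts. The practical check on a dump is whether the LM field is populated at all; Windows Vista and later do not store it by default.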

Kinnard said 11 days ago:

What ended up happening to you after you got expelled?

qzx_pierri said 12 days ago:

righteous

alpb said 12 days ago:
tandav said 12 days ago:

Offtopic. Many teams use mailing lists. That UX always scared me. Does anybody know good tutorials on how to get started using this kind of interface?

rolleiflex said 12 days ago:

This is a common refrain, mailing lists do need a lot of instructions at the bottom to make sense — email wasn't made for groups. It's like 'group' SMS, your phone might provide you with a single chat window with all your friends, but what it really is doing is just sending a separate SMS to every one of the recipients.

So you need the 'the manual' attached to every message to make sure people get it right. Looks downright scary sometimes though, especially the prospect of getting swiped at by UNIX greybeards if you do it wrong.

Incidentally, I'm working on a modern version of this whole page in a Reddit-like interface. (https://aether.app) It doesn't solve all of the pains of listserv, but it does help with most, including this one you mentioned.

jachee said 12 days ago:

> It's like 'group' SMS, your phone might provide you with a single chat window with all your friends, but what it really is doing is just sending a separate SMS to every one of the recipients.

Most modern phones use MMS Group messaging for groups larger than two. It's more efficient and flexible than SMS.

u801e said 12 days ago:

> email wasn't made for groups

I've always wondered why people didn't use newsgroups instead of mailing lists.

rolleiflex said 12 days ago:

It's likely a combination of bad UX, complex set-up, flaky delivery and having no great interface to manage the groups, memberships, unsubscribes. At least that's the parts we're trying to fix.

tedmiston said 12 days ago:

Google Groups (kinda) solves this problem. On the viewing side, the app is pretty decent, and then you can still receive / reply through email if desired.

A good example group - https://groups.google.com/forum/#!forum/tiddlywikidev

I wish Apache projects would move more towards something like this.

swiley said 11 days ago:

Google groups is freaking awful!

It actually was decent in the beginning but with each change google broke more features and made the UI far less usable. Not to mention, you force anyone you want in your group to create a google account.

yellowapple said 12 days ago:

"Any sufficiently complicated group communication system contains an ad-hoc, informally-specified, bug-ridden, slow implementation of half of Usenet."

rolleiflex said 12 days ago:

I wish. Over Microsoft Teams, I would take that any day of the week.

yellowapple said 11 days ago:

Like I said: "bug-ridden, slow" :)

pfarrell said 10 days ago:

uhh... including Usenet?

hmm.. Looks like the Morris Corollary won't work on this version.

gaius_baltar said 11 days ago:

> Incidentally, I'm working on a modern version of this whole page in a Reddit-like interface. (https://aether.app) It doesn't solve all of the pains of listserv, but it does help with most, including this one you mentioned.

> Try for free for 14 days

No.

boomlinde said 12 days ago:

A decent email client will display these as a foldable hierarchy, sort of like HN or Reddit's posting interface, just with the body of the posts hidden. With that and full text search it's not so hard. It's the web interfaces that are a bit bulky.

anaphor said 12 days ago:

A lot of them will use an algorithm similar to this one https://www.jwz.org/doc/threading.html

boomlinde said 11 days ago:

Great read! Just noting that the website redirects you to an obscene (but funny) image if this site is the Referer. Disable Referer before clicking or copy the link into the toolbar manually.

herewulf said 11 days ago:

Incidentally, forgetting I had inverted colors for nighttime reading, to me the image looked like a fuzzy peach colored microphone or something similar. Took me a while to figure out how it was obscene! :)

grenoire said 11 days ago:

Somebody got very salty at the brogrammers over here...

anaphor said 11 days ago:

Haha, I completely forgot about that, sorry.

said 12 days ago:
[deleted]
LukeShu said 12 days ago:

For the most part, you wouldn't use the web interface, which exists mostly for archival/search-engine purposes. You use a plain email program and get used to hitting "reply all" instead of "reply" (this will have it be "To:" the person you're replying to, and will "Cc:" the mailing list address), and you send a regular email to the mailing list address when you want to start a new thread. A halfway decent email program will thread the replies, like HN does.

jwr said 11 days ago:

As an internet old-timer, I initially thought this was a joke, but then realized that it's entirely reasonable for a whole "generation" of internet users to grow up without using mailing lists, and that indeed they may seem scary at first!

xhgdvjky said 12 days ago:

I'd recommend finding a mailing list conversation about a topic you know and then hitting all the buttons (there are only a few). You should be able to figure out the links from context.

jeena said 12 days ago:

Many email applications can be set to a threaded view to be able to see who replied what to which message: https://support.mozilla.org/en-US/kb/message-threading-thund...

davidw said 12 days ago:

You can use Google Groups as either a mailing list or via the web. It's pretty handy and easy to administer if you don't mind outsourcing that to Google.

codegladiator said 12 days ago:

Each reply has its own page, just click next/prev to follow the thread (or jump using the tree at the bottom)

pjc50 said 11 days ago:

The interface is email. You know how to use your email client, right?

oefrha said 12 days ago:

Ken Thompson is a top poster. Busted.

elcritch said 12 days ago:

He’s probably a bit peeved he has to use a new password. ;)

yjftsjthsd-h said 12 days ago:

I'm shocked at how well the old hashing stood up; sure, it's totally crackable today, but a well-picked password still took 4+ days to crack on modern hardware, which is remarkable. (Granted, it doesn't sound like they did anything fancy like throwing a hundred cloud instances at it or something; I'm not saying you should use DES today:) )

melling said 12 days ago:

30 years ago I cracked everyone’s Unix password on an old Sun computer.

It didn’t take long because everyone had a password that was in the dictionary.

Needless to say, people were not happy with the messenger.

noir_lord said 12 days ago:

Inherited a system at my current (for a few more weeks) employer (recently written, so no excuse) that had used a weak hash for the passwords. I pointed out to my boss how bad it was and that it shouldn't have happened; he didn't pay a great deal of attention.

So I threw the OpenMP variant of John the Ripper at it (I'd just built an 8C/16T Ryzen machine and was curious). It broke ~80% of the passwords in under an hour and all of them over an afternoon of not being in use.

Went to see the boss and gave him the list of passwords including his (which was one of the weaker ones) - he gave me the time to fix it and some other glaring security issues.

The more things change the more they stay the same.

I know enough about security to know that I really don't know about security.

hermitdev said 12 days ago:

Reminds me of a security issue we had on our linux servers at a former employer. Short of it is, one could run any command as another non-root user without having sudo access or knowing the user's password. rsh access was inadvertently left wide open on thousands of servers.

A coworker and I stumbled into this one morning when I was helping him figure out how to remotely invoke a linux command from a windows gui. I don't recall why we were using rsh as we'd normally ssh into our servers. As we sat there trying to figure out how to enter the password, we decided to just try and run the command w/o a password. We were shocked when it just worked - we were never prompted for a password. When I reported this to my director, he asked me how bad it was. I was like, watch this: I sent an email as the CEO to him saying "you're fired.". He immediately went to our infrastructure team to get it fixed. Fun times...

autoexec said 12 days ago:

> I know enough about security to know that I really don't know about security.

I'm not sure anyone ever gets past this point. There's way too much for any person to know and not enough hours in a day or days in a year or years in a lifetime to master everything. Even when it comes to computers in general at some level it just becomes magic to me. I might be able to point to a chip and say "that's the sound chip" or "that's a math co-processor", and even write software for it, but I have no idea what goes on inside and I wouldn't know where to even start trying to build one from scratch.

noir_lord said 12 days ago:

That’s my feeling as well, I try to follow best practices at the level I work at and hope everyone on the levels below me did the same.

glouwbug said 12 days ago:

Had I done this to any of my bosses I'd have been fired

buckminster said 12 days ago:

That's funny - I was going to post that I was first exposed to this thirty years ago when my password was cracked on an old Sun computer! I didn't complain, it was a wake up call. (You weren't at OUCS were you?)

scottlocklin said 12 days ago:

Ah, I remember doing that. Not quite 30 years ago, but jeez, getting close. Funny, it helped me remember some of the professor's wives names, and for some reason I can remember the husband-hunting Italian lady's password (amici) while I've forgotten both her name, her thesis project and everything else about her.

It was actually decently well received by the department head; he sent out a memo to the staff not to use their wives' names for emails and looked like an early computer security innovator in the physics department.

Thrymr said 12 days ago:

30 years ago you could just sniff the passwords on the local subnet because everyone was using telnet and ftp in the clear.

outworlder said 12 days ago:

20 years ago you could also sniff passwords for all Windows users in the same subnet as you. Windows used the NTLM scheme which was known to be weak even back then. An AMD K6 running overnight cracked almost all of them at my university's lab, including the Active Directory domain admin.

SCHiM said 11 days ago:

An NT hash can be used as a credential all by itself, no need to crack those ;)

flyGuyOnTheSly said 12 days ago:

You can't really blame them... it was called a pass "word".

therealx said 12 days ago:

I got myself and my best friend in high school fired from a fairly good gig because I cracked some dumb passwords and a CEO took it the wrong way. I still don't think he fully forgave me for it.

tonyedgecombe said 12 days ago:

No good deed goes unpunished.

zackbloom said 12 days ago:

More specifically, pointing out someone else's stupidity is rarely welcome.

privateSFacct said 12 days ago:

I had both experiences in high school. One situation -> bad result. The other, I was made a quasi IT fixer - they put me to work (Novell NetWare and other stuff). I would be called out of class to fix things. Since I was naturally super interested in how everything worked together and all the features, and the librarians or VP or teachers were not, it worked out. At the time I took it reasonably seriously.

In hindsight some teacher must have spoken up for me to come up with the solution when they were trying to come up with an appropriate response.

noir_lord said 12 days ago:

Novell Netware - blast from the past.

I had to go apologise to IT (who could barely keep a straight face) at college for sending a message from 'God' saying "I saw what you did last night and it disgusted me".

I thought it was going to just the lab, but since I was poking around in something I really didn't understand I managed to send it out site wide.

Fortunately they saw the funny side.

ineedasername said 12 days ago:

I sent more than one message from God by telnet to <mail server> 25. Good times!

Around the same time, someone at my school made a much, much worse semi-accidental prank. Semi-accidental because he didn't think it would work. See, the campus listserv was set up to only allow certain senders to send messages. Makes sense: only a few top administrators should be able to do that. This person theorized that a simple <smtp: from> hack, using an authorized person's email, might circumvent the restriction. He was right! Unfortunately, rather than "test 1 2 3" or something, he sent a message, from the president, that all classes had been cancelled. Had he stopped there, maybe it would have been chalked up to a prank. But he went further: the president would be using this free time to, um, entertain amorous visitors at their leisure. So, yeah, expelled. His excuse, when interviewed by the student newspaper, was "I didn't think it would work."

alttag said 12 days ago:

I send unauthenticated email on port 25, every semester, in front of my students, as part of a discussion on internet application protocols. I can't use "God", because the addresses are validated, but I do send "from" the school's IT director. I even give them the commands to do it themselves (along with a strict talking to about how it's not truly anonymous because their network access is authenticated).

I've been able to do it at every university I've studied or worked at.
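An added example (not from the thread) of the exchange ineedasername and alttag describe, run against a toy receiving server over an in-memory pipe so it works offline; the hostnames, addresses and the peer string are constructed. It shows the two things a practitioner should take from those comments: MAIL FROM and the From: header are accepted exactly as typed, and the only line the sender does not control is the Received header the server stamps from the connection, which is why the trick is "not truly anonymous" on an authenticated network.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// Message is what the toy receiving MTA records from one session. Only Received is
// written by the server; the other two fields are strings the client chose.
type Message struct {
	EnvelopeFrom string // MAIL FROM argument, accepted without any authentication
	Data         string // headers and body exactly as sent, forged From: included
	Received     string // trace header the server stamps from the connection itself
}

// toyServer speaks just enough RFC 5321 to accept one message over conn; peer is what
// the server knows about the connection (the address, and on a campus LAN the port login).
func toyServer(conn net.Conn, peer string, out chan<- Message) {
	defer conn.Close()
	r := bufio.NewReader(conn)
	say := func(s string) { fmt.Fprintf(conn, "%s\r\n", s) }
	var msg Message
	say("220 mail.example.test ESMTP")
	for {
		line, err := r.ReadString('\n')
		if err != nil {
			return
		}
		line = strings.TrimRight(line, "\r\n")
		verb := strings.ToUpper(line)
		switch {
		case strings.HasPrefix(verb, "MAIL FROM:"):
			msg.EnvelopeFrom = strings.Trim(line[len("MAIL FROM:"):], " <>") // taken on trust
			say("250 OK")
		case strings.HasPrefix(verb, "HELO "), strings.HasPrefix(verb, "RCPT TO:"):
			say("250 OK")
		case verb == "DATA":
			say("354 End data with <CR><LF>.<CR><LF>")
			var body strings.Builder
			for l, err := r.ReadString('\n'); err == nil && l != ".\r\n"; l, err = r.ReadString('\n') {
				body.WriteString(strings.TrimPrefix(l, ".")) // undo dot-stuffing
			}
			msg.Data = body.String()
			msg.Received = "Received: from " + peer + " by mail.example.test"
			say("250 Queued")
		case verb == "QUIT":
			say("221 Bye")
			out <- msg
			return
		default:
			say("500 Unrecognized command")
		}
	}
}

// SendForged replays the classic "telnet mailhost 25" session: the envelope sender and
// the From: header are both just text the client types, and the protocol checks neither.
func SendForged(conn net.Conn, envFrom, headerFrom, to, subject, body string) error {
	r := bufio.NewReader(conn)
	exchange := func(cmd, code string) error { // send a line (if any), then require a reply code
		if cmd != "" {
			fmt.Fprintf(conn, "%s\r\n", cmd)
		}
		reply, err := r.ReadString('\n')
		if err == nil && !strings.HasPrefix(reply, code) {
			err = fmt.Errorf("expected %s, got %q", code, reply)
		}
		return err
	}
	steps := [][2]string{
		{"", "220"}, {"HELO lab-pc-12.example.test", "250"},
		{"MAIL FROM:<" + envFrom + ">", "250"}, {"RCPT TO:<" + to + ">", "250"}, {"DATA", "354"},
		{"From: " + headerFrom + "\r\nTo: " + to + "\r\nSubject: " + subject + "\r\n\r\n" + body + "\r\n.", "250"},
		{"QUIT", "221"},
	}
	for _, s := range steps {
		if err := exchange(s[0], s[1]); err != nil {
			return err
		}
	}
	return nil
}

// Demo runs the forged session over an in-memory pipe and returns what the server recorded.
func Demo() Message {
	client, server := net.Pipe()
	out := make(chan Message, 1)
	go toyServer(server, "10.0.0.7 (lab-pc-12, port logged in as student s123456)", out) // constructed peer identity
	if err := SendForged(client, "president@example.test", "The President <president@example.test>",
		"everyone@example.test", "Classes cancelled", "All classes are cancelled today."); err != nil {
		panic(err)
	}
	client.Close()
	return <-out
}

func main() {
	m := Demo()
	fmt.Printf("envelope sender: %s\n%s\n%s", m.EnvelopeFrom, m.Received, m.Data)
}
```

The server never asks who the client is; what it does know is where the bytes came from, and that is what ends up in Received. On a real list server the fix for the incident described above is to stop trusting MAIL FROM for authorization and require SMTP AUTH (or a signature such as DKIM) before accepting a post from a privileged sender.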

technothrasher said 12 days ago:

Many, many years ago when I was in college at the University of Rochester, I found a paper in the computing lab with the root passwords for about twelve machines at Stanford. I emailed them and told them I'd destroyed it but that they should be much more careful. I got yelled at.

sverige said 12 days ago:

Just curious, did you get yelled at because you destroyed the only copy of their password memory aid? ;)

technothrasher said 12 days ago:

If they were keeping their only copy at an unrelated University thousands of miles away, they had more problems than I thought ;)

I'm actually not sure anymore what the details of their return email were, as it was over 25 years ago. But it was basically, "We will report you to law enforcement if you contact us again."

sverige said 12 days ago:

They must've been really embarrassed to send that kind of response.

obelos said 12 days ago:

This must have been a popular pastime in the 90s as I did the same thing for my university's security on their new, centralized student accounts server. This effort was further aided by there being a predictable salt used for the password hashes that indicated which passwords were still set to the (again, predictable) default pattern. They were kind not to kick me out and not fire me as I was both a student and part time employee in their networking services department.

pfooti said 12 days ago:

25 years ago I didn't need to crack anyone's unix passwords- they were all broadcasting them in cleartext every few minutes because they were using eudora or some other mail client, and I had converted an old sun workstation I found into a packet sniffer.

ceejayoz said 12 days ago:

I remember in middle school using "arena" as a password.

"No one will ever guess this!"

lhoff said 12 days ago:

At my middle school the default password for all accounts was "linux". The school was Windows (Win2k) only ;) (it was around 2006/2007). I had access to a dozen teacher accounts from older ones who never used a computer.

Actually that was the first time that I heard the word Linux, and I learned the meaning just a few years later.

segfaultbuserr said 12 days ago:

> I'm shocked at how well the old hashing stood up; sure, it's totally crackable today, but a well-picked password still took 4+ days to crack on modern hardware, which is remarkable

It's not because the hash is strong, but because the password itself is strong (if the attackers don't know additional information about chess). The sole purpose of using a strong <del>hash or a</del> KDF on a password is making a low-entropy passphrase harder to crack by increasing the cost of every round, especially for cryptographic purposes. But if the passphrase is already strong (6 random words from the Diceware wordlist), you can use MD5, and I won't be surprised if it takes one year to crack. Having 10 random words is guaranteed to be uncrackable under all circumstances, because it's literally a 128-bit key.

If your password has 80 bits of entropy, it makes even listing all possible passwords (without any hashing or encryption) a difficult job. Symmetric encryption works in a similar way: it's secure not because of the computational resources it takes, but because of the number of possible keys it has.

What is the moral of the story? Consider using a password manager!

leni536 said 12 days ago:

> But if the passphrase is already strong (6 random words from the Diceware wordlist), you can use MD5...

Is this actually true? Note that you don't need the actual password, just a hash collision.

segfaultbuserr said 12 days ago:

MD5 is vulnerable to collision attacks, which allows the attacker to control both messages, m and m', and find a case where h(m) == h(m').

But if a hash, h(m), is given, finding m' where h(m) == h(m') is much more difficult, it's known as a second-preimage attack. "Image" basically means "output", "preimage" means "input", "second-preimage attack" means "find another input that has the same output already given here".

Wikipedia says a preimage attack against full MD5 still requires 2^123.4 steps (2009), only a theoretical possibility. Second-preimage should be much harder.

I don't know if there are improvements, but it's still extremely difficult. Well, of course it's not to say that you should use MD5.

comex said 12 days ago:

A second-preimage attack is where you want to find m' where h(m) == h(m')... and you know m already. This is not very useful for password hashing; it would give you a second password that would also work to log into the account, but what's the point of that if you already know the first password? The relevant attack for password hashing is a regular preimage attack, where you don't know m (and it would be acceptable to find either m itself or any other string that hashes to the same value).

comradesmith said 12 days ago:

You don't need to know m, just h(m) which is commonly found in database breaches

taejo said 11 days ago:

That's just a "pre-image attack". A "second pre-image attack" is a different scenario, not relevant to password-hashing for the reasons grandparent described, where you already know a pre-image, and must find a different one.

anchpop said 12 days ago:

It doesn't seem like it should be obviously true to me. If the hash algorithm was rot13 it would be pretty easy to determine the password from the hash regardless of the strength of the password

fwip said 12 days ago:

Yep, you need both the input and hash to be strong.

A weak hash reveals information about its input, narrowing the search space. In the example case of md5 or rot13, you can use this to compute collisions for a given hash.

Also, a hash that is lightning-quick to compute is faster to brute force. That's why bcrypt has a tunable "cost" factor - to make the hashing take longer and make guessing the password slower.

segfaultbuserr said 12 days ago:

I used ambiguous language, "strong hash".

I should've used "strong KDF" rather than "strong hash", a hash can be strong for other purposes, but makes a poor KDF for hashing passwords, such as single-round SHA-256.

In the ideal world, if your password is a random word with 128-bit entropy, no strong KDF is needed, there's no need for PBKDF2, bcrypt, or Argon2, a single round of SHA-256 is sufficient.

> In the example case of md5 or rot13

MD5 still has strong preimage/second-preimage resistance, unlike ROT-13.

But nobody uses random 128-bit strings as passwords, here's how key stretching and cost-factor comes to play.

schoen said 12 days ago:

You could argue that ROT13 accidentally has second-preimage resistance because given m, you won't be able to find n≠m where ROT13(n)=ROT13(m). :-)

nicoburns said 12 days ago:

Some quick (and uninformed) mental maths makes this ~22 random alphanumeric characters:

26 (a-z) + 26 (A-Z) + 10 (0-9) = 62 characters. This can be represented with (just under) 6 bits of information (2^6 = 64). And 128/6 < 132/6 = 22.

I'd guess quite a few people who use password managers use passwords of this length...

hultner said 12 days ago:

Can ROT-13 really be called a hash though? It's literally an ancient cipher.

ben509 said 12 days ago:

By the plain* meaning of "hash", it can't, it's a symmetric cipher.

* Where "plain" excludes a technical or mathematical definition that might include e.g. troll_hash(x) { return 9; }

ncmncm said 12 days ago:

All ciphers are also hashes.

Using chaining, encipherment of the last block is also a hash of the whole input.

Secure hashes are optimized for different characteristics than typical ciphers, but with enough headroom and time each can fill in for the other.

Of course some are not very good, for either use.

comradesmith said 12 days ago:

Rot13 is not a hashing algorithm. A hashing algorithm is a one-way function where many entities in the input domain map to the same entity in the output codomain. This means if you have the hash you can't determine the input without making a guess.

Rot13 is a function with a one to one mapping between the domain and codomain. If you have the output you can apply a function to get the input.

drkstr said 12 days ago:

Not sure why the downvotes. Comradesmith's assessment of rot13 is absolutely correct. Clearly rot13 is more like PGP, in that you can recover the plaintext from the ciphertext.

myle said 12 days ago:

But you don't care about finding the original password. You only care about finding a string that, after applying the hash function, gives the same output.

That's why you can have a hash function like h(x) = 0, whose value gives you no information about x, and still not be able to use it.

makomk said 12 days ago:

Really it's because of a mixture of the two. The traditional DES-based crypt is basically a really early KDF - it was intentionally designed to be slow in order to thwart brute-forcing attacks. (Of course, since it was based on the speed of late-70s computers and had a limited password length, it's pretty feasible to brute force with modern hardware.)

MD5 wouldn't be invented for another decade or two...

robocat said 12 days ago:

And "Good news — no pwnage found!" On Troy Hunt's https://haveibeenpwned.com/Passwords

Which shows that it is fairly strongly "unique", since no-one else has used it and been pwned (or he hasn't reused it and been pwned).

ralfd said 12 days ago:

I hope this site is not phishing for passwords ...

lhoff said 12 days ago:

It's quite trustworthy. It's run by Troy Hunt (known security researcher) and: "When you search Pwned Passwords: The Pwned Passwords feature searches previous data breaches for the presence of a user-provided password. The password is hashed client-side with the SHA-1 algorithm then only the first 5 characters of the hash are sent to HIBP per the Cloudflare k-anonymity implementation. HIBP never receives the original password nor enough information to discover what the original password was." from https://haveibeenpwned.com/Privacy

hnick said 12 days ago:

My only concern with the site is some privacy implications. I entered a friend's email just to check for him and it wasn't validated at all, and I found out a few sites he had accounts with. Nothing too concerning was revealed, but privacy for its own sake is a valid goal IMO.

Sebb767 said 12 days ago:

As far as I know hibp specifically hides sensitive breaches (such as the Ashley Madison one) to non-verified access. Also, he basically only shows public data; your privacy was already gone back when the original company failed to secure their servers.

hnick said 12 days ago:

Understood, it's a small complaint, the data is already out there on the web and it's not his fault. But there is value in aggregation or the site wouldn't exist. It makes it easier to just put a few emails in there and see what shows up for fun or malice.

It's great that sensitive breaches are apparently hidden but I'd be wary of judging for other people what is sensitive. Some like Ashley Madison are obvious, others less so.

0xdeadbeefbabe said 12 days ago:

Are you gonna fire Troy?

hnick said 12 days ago:

Yes, of course.

Actually, I don't understand your comment.

0xdeadbeefbabe said 11 days ago:

I'm just alluding to the people that got fired and expelled for involving themselves with "passwords" in the comments above.

robocat said 12 days ago:

If you have JavaScript enabled, the cleartext password is hashed in the browser and the hash is truncated, and a list based on the truncated hash is retrieved to be checked against - the only information leaked is that you searched for one password amongst many. Read Troy's articles about how phishing is protected against - I have written the above from memory.

You can download all the hash files if you wish to run purely locally.

Also the site hosting Troy's list is Cloudflare. Cloudflare act as a https proxy for a large number of sites, so they already have access to a large number of passwords.

edf13 said 12 days ago:

Yes - the 4 days is cool... you'd hope if somewhere had been hacked with your pass you would be notified within that timeframe.

hangonhn said 12 days ago:

Would this suggest that 3DES with a sufficiently long password is still safe for now?

tialaramex said 12 days ago:

This suggests you don't understand how DES-based crypt() worked, so let's take both angles here:

1. Would it be safe to build a password hash like crypt() based on 3DES today?

Maybe, kind of, it depends, don't do this. "Based on" is key here. You'd have to come up with some way to try to use 3DES in this fashion, just as the developers of Unix crypt() used DES. Basically you're trying to build a cryptographic hash out of a primitive that's not really intended for that purpose, you also need to add more salt than the Unix team did back then, and then you need it to run very slowly, preferably on everybody's hardware not just the generic (likely x86-64) general purpose CPU you're using. Lots of people already built _good_ ways to do password hashing in the 21st century, and if none of those are available somehow you should just use PBKDF2 with SHA256 and a nice big iteration count and that'll be tolerable.

2. Oh, I didn't realise, I just meant is 3DES fine for encryption?

You should not do this. The main thing wrong with DES is the key size is too small, which 3DES fixes (effective key size with full 3DES is 112 bits, which is very short today but probably not the biggest hole in whatever security system you're building). But the next biggest thing wrong with it is that it's a block cipher with a small block size, 64-bits. 64-bits is small enough that bad guys may be able to collide your blocks and set fire to everything. To avoid this: Don't use 64-bit block ciphers, go get a real cipher like AES that uses 128-bit blocks. Done. Why are you still here? Could it be secure if you can defuse the collision risk (e.g. you only encipher very small amounts of data)? Sure, but now you're defining the problem to make the choice of primitive look safe, which is always a terrible idea.
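An added worked example (not from the thread) for two points made above, fwip's tunable cost factor and tialaramex's "PBKDF2 with SHA256 and a nice big iteration count": PBKDF2-HMAC-SHA256 written out over Go's standard-library hmac and sha256 so the iteration count is visible, a salted stored record, a constant-time verifier, and a dictionary attack whose cost is counted in HMAC calls. The word list (passwords quoted in this thread) and the 16-byte salt size are constructed for the demo; the two test vectors are the standard ("password", "salt") ones.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// PBKDF2HMACSHA256 is RFC 8018 section 5.2 written out over standard-library primitives
// so that the cost knob is visible: every iteration is one more HMAC that the attacker
// must also pay for each guess.
func PBKDF2HMACSHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var dk []byte
	for block := 1; len(dk) < dkLen; block++ {
		// U_1 = PRF(P, S || INT(block)); T = U_1 XOR U_2 XOR ... XOR U_iter
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

// Record is what the verifier stores: the cost and the per-user salt travel with the hash.
type Record struct {
	Iter int
	Salt []byte
	Hash []byte
}

// HashPassword picks a fresh 16-byte random salt, so two users with the same password
// get different records and a table precomputed for one salt is useless for another.
func HashPassword(password string, iter int) Record {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return Record{Iter: iter, Salt: salt, Hash: PBKDF2HMACSHA256([]byte(password), salt, iter, 32)}
}

// Verify recomputes with the stored parameters and compares in constant time.
func Verify(rec Record, guess string) bool {
	got := PBKDF2HMACSHA256([]byte(guess), rec.Salt, rec.Iter, 32)
	return subtle.ConstantTimeCompare(got, rec.Hash) == 1
}

// DictionaryAttack tries each word in order and reports the hit (if any) and the HMAC
// invocations spent, which is words-tried x Iter: the cost factor multiplies attacker
// work by exactly the factor it multiplies the defender's per-login cost.
func DictionaryAttack(rec Record, words []string) (hit string, found bool, hmacCalls int) {
	for _, w := range words {
		hmacCalls += rec.Iter
		if Verify(rec, w) {
			return w, true, hmacCalls
		}
	}
	return "", false, hmacCalls
}

func main() {
	// Word list built from passwords quoted in this thread.
	words := []string{"north", "rac3c4r", "weebles", "mmsd", "amici", "arena", "linux"}
	for _, iter := range []int{1, 100000} {
		rec := HashPassword("weebles", iter)
		hit, _, cost := DictionaryAttack(rec, words)
		fmt.Printf("iter=%-6d salt=%s cracked=%q after %d HMAC calls\n",
			iter, hex.EncodeToString(rec.Salt), hit, cost)
	}
}
```

With iter=1 the record is just a salted SHA-256 and "weebles" falls on the third HMAC; with iter=100000 the same three guesses cost 300,000 HMACs, and so does every guess an attacker makes against every record. That linear factor is all PBKDF2 buys, which is why bcrypt, scrypt and Argon2 add memory cost on top; in production use a vetted implementation (golang.org/x/crypto has pbkdf2, bcrypt and argon2) rather than this hand-written one.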

hangonhn said 11 days ago:

Thanks for the great answer. I am not familiar with DES but the reason I wondered about this is because I saw that some VPN hardware devices still have 3DES as an option and even as the default encryption algorithm. I was really baffled by this because I had assumed that 3DES had completely fallen out of favor. So I guess the company isn't choosing sensible defaults. But at the time, I thought maybe they knew something I didn't (although I still switched the algorithm to AES since there's no reason not to).

colejohnson66 said 12 days ago:

Doubt it. It took 4 days for just one top of the line GPU. Any dedicated attacker will have farms to parallelize it even further. It’s not exactly linear, but with just 4 GPUs (~$4000; well within the reach of any dedicated attacker), that’s one day. Not to mention the fact that GPUs have still been roughly following Moore’s Law in terms of performance.

It’s probably safe from the casual attacker who just downloads a password list and runs a one word dictionary attack, but for a dedicated attacker, let alone a nation state, it’s not secure.

TL;DR: Just use AES. Even an ASIC isn’t powerful enough for that. Searching the entire key space would take more energy than the universe has. Compare that to DES that can have its entire key space searched in a few days.[0]

Edit: you said triple DES, not single. My point still stands. DES, even 3DES, is not secure. If I can crack a DES password in 4 days, I can crack a 3DES password in 12. AES with a strong password is virtually uncrackable.

[0]: https://en.wikipedia.org/wiki/EFF_DES_cracker

tzs said 12 days ago:

> If I can crack a DES password in 4 days, I can crack a 3DES password in 12

It's multiplicative, not additive. 3DES is about 2^56 times as difficult to crack as DES. (Not 2^112 times because there is an attack that effectively limits it to twice the effective bits of DES, rather than the three times you might expect at first).

segfaultbuserr said 12 days ago:

> there is an attack that effectively limits it to twice the effective bits of DES

* Meet-in-the-Middle attack.

https://en.wikipedia.org/wiki/Meet-in-the-middle_attack

This attack is surprisingly simple, if you encrypt the message twice by

    ciphertext = encrypt(encrypt(message, key1), key2)
Then,

    decrypt(ciphertext, key2) == encrypt(message, key1)
An important security property all symmetric ciphers should offer is immunity to chosen-plaintext attack, if the attacker controls "message", it shouldn't make the cipher more easy to crack.

But in this case, the attacker can obtain all the 2^56 possible encryptions of message by enumerating key1, put them in a lookup table (assume the table-lookup time is O(1)), then try all possible decryptions of ciphertext by enumerating key2. Then compare each with the lookup table for a match, bingo!

If key is 56-bit, the attacker gets 2^56 outputs for the left side, 2^56 outputs for the right side, total number of operations is 2 x 2^56 == 2^57, not 2^112.

To increase the security claim to 2^112, we need triple encryption, not double encryption, thus 2DES is never used.

The idea that simple double-encryption doesn't work because of such a simple attack shocked a lot of newcomers.
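Added worked example (not part of the thread): the attack described above, run end to end against a constructed toy cipher. The cipher is a 4-round Feistel network with a 16-bit block and a 16-bit key so that both passes finish in a couple of seconds in Python; the S-box, the key schedule, and the sample keys and plaintexts are all assumptions made for the demonstration, not anything from DES. It uses a few known plaintext/ciphertext pairs rather than one, because with a 16-bit block a single intermediate value matches many wrong keys by chance.

```python
"""Meet-in-the-middle against double encryption, on a toy 16-bit Feistel cipher.

Added example, not from the thread. The cipher is a constructed toy with a
16-bit key so both passes finish in seconds; the attack itself is generic.
"""
import random

KEY_BITS = 16
ROUNDS = 4

# Fixed 8-bit S-box: a pseudo-random permutation from a fixed seed (constructed).
_rng = random.Random(0x5BD1)
SBOX = list(range(256))
_rng.shuffle(SBOX)


def _round_keys(key):
    # Injective schedule: each round sees a different 8-bit window of the key,
    # so two distinct keys never share the whole round-key list.
    return [((key >> (4 * r)) | (key << (16 - 4 * r))) & 0xFF for r in range(ROUNDS)]


def _feistel(block, round_keys):
    # Balanced Feistel network on a 16-bit block (two 8-bit halves).
    left, right = block >> 8, block & 0xFF
    for rk in round_keys:
        left, right = right, left ^ SBOX[right ^ rk]
    return (right << 8) | left          # undo the final swap


def encrypt(block, key):
    return _feistel(block, _round_keys(key))


def decrypt(block, key):
    # The same network with the round keys reversed inverts encryption.
    return _feistel(block, _round_keys(key)[::-1])


def double_encrypt(block, k1, k2):
    return encrypt(encrypt(block, k1), k2)


def meet_in_the_middle(pairs):
    """Recover (k1, k2) for ciphertext = E_k2(E_k1(plaintext)) from a few
    known plaintext/ciphertext pairs.

    Cost: 2 * 2**KEY_BITS cipher evaluations per pair plus a table with
    2**KEY_BITS entries, instead of 2**(2*KEY_BITS) for trying every key pair.
    The table is keyed on the tuple of all intermediate values so that a small
    block does not produce chance matches.
    """
    plaintexts = [p for p, _ in pairs]
    ciphertexts = [c for _, c in pairs]

    # Forward pass: encrypt every plaintext under every candidate k1.
    table = {}
    for k1 in range(1 << KEY_BITS):
        rks = _round_keys(k1)
        middle = tuple(_feistel(p, rks) for p in plaintexts)
        table.setdefault(middle, []).append(k1)

    # Backward pass: decrypt every ciphertext under every candidate k2 and
    # look the result up. A hit means E_k1(p) == D_k2(c) for all pairs.
    found = []
    for k2 in range(1 << KEY_BITS):
        rks = _round_keys(k2)[::-1]
        middle = tuple(_feistel(c, rks) for c in ciphertexts)
        for k1 in table.get(middle, ()):
            found.append((k1, k2))
    return found


if __name__ == "__main__":
    K1, K2 = 0xBEEF, 0x1234                      # secret keys (constructed)
    known_plaintexts = [0x0000, 0x4E55, 0xABCD]   # known-plaintext pairs (constructed)
    pairs = [(p, double_encrypt(p, K1, K2)) for p in known_plaintexts]
    print("candidates:", [(hex(a), hex(b)) for a, b in meet_in_the_middle(pairs)])
```

Trying every (key1, key2) pair would cost 2^32 cipher evaluations per plaintext; the table trades that for 2 x 2^16 evaluations and 2^16 stored entries, which is the "twice the bits, not three times" point. The same trade-off scales to DES: 2^57 work and a 2^56-entry table instead of 2^112.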

tedunangst said 12 days ago:

This is mostly irrelevant in the context of password hashing however. We're simply feeding passwords into a blackbox at X/s until we get a match. 3DES runs at approximately X/3 compared to DES. If it takes 4 days to feed a bajillion passwords into DES, it takes 12 days to feed the same number into 3DES.

jwilk said 11 days ago:

It might be relevant, because the original asker said "with a sufficiently long password". (Implicitly: with a password longer than 8 characters that the original DES scheme would allow.)

marcosdumay said 12 days ago:

It's more complicated than this, because there are known attacks against 3DES. It's at most 2^28 times more complex, AFAIK, but there are probably better attacks than the few I know.

jwilk said 11 days ago:

Are any of these attacks relevant to password cracking?

colejohnson66 said 12 days ago:

> It's multiplicative, not additive. 3DES is about 2^56 times as difficult to crack as DES. (Not 2^112 times because there is an attack that effectively limits it to twice the effective bits of DES, rather than the three times you might expect at first).

If you’re using 3 different keys, yes, that makes sense. But if you’re just keystretching one key, wouldn’t it just take 3 times as long because you encrypt, decrypt, encrypt (3 processes)?

SettembreNero said 12 days ago:

3DES is a little more secure than plain DES (but still worse than AES)

JoeAltmaier said 12 days ago:

I had a password for an old school system (which I wrote) that was "any 21 characters where the 21st character is a 'z'". People would watch me type it (mashing 20 keys then the 'z') and be amazed I could remember a password that long.

p4bl0 said 12 days ago:

I have a similar anecdote. I had a password that was 14 characters long, for a school system too. One day I mistyped it and it still worked. I was puzzled and discovered that it actually took only the first 8 characters into account. From that day, whenever someone was around, I typed the first 8 characters as fast as I could (pretty fast as it was something I typed in quite often) and then I continued to type random stuff like crazy for a few seconds, then hit enter, and loved to see people's faces when they saw it working as if what I typed actually was my exact password.

grawprog said 12 days ago:

I discovered that's the way my banking app actually worked until only a few updates ago. The password was originally limited to 8 characters (why this was the case for an online bank password is beyond me) but the app would allow you to enter more characters into the password input. It only accepted the first 8 characters though, so anything you entered after those was ignored. I discovered this when I mistyped my password, adding an extra character at the end and hitting submit without thinking, and was amazed and kind of worried to find it still worked.

virgilp said 12 days ago:

I’ve had the goddamn Citibank _require_ that I use a password 6 or 7 characters long on one of their systems. This year (2019).

trustissue said 12 days ago:

What system is this? I had used a 20+ character password on their website using my password manager to enter it every time. One day they said the password was wrong, which was unlikely since the password manager was entering it. I ended up doing a password reset and set it to something shorter like 15 characters, and then it worked. I don't know if they truncate or not, but they've definitely allowed much longer passwords than 6 or 7 characters. I've hit this issue with their website more than once so I know they've fixed it and re-broken it a few times in the past.

virgilp said 12 days ago:

I think it was the one for showing you the pin of a corporate credit card.

pvinis said 12 days ago:

Another bank I had around 3 years ago used only the first 5 characters, and those first 5 had to be numbers.

I guess anyone can just hack a password in like 1 second on a phone or something?

ajford said 12 days ago:

When I was living in Puerto Rico for work, the local credit union I was using had this same problem. Although the tooltip and messaging on the page said 8-16 chars, only the first 8 were used, and from my testing it had to be case insensitive.

I promptly updated my direct deposit with my employer and used my more secure off-island bank as the destination for the majority of my pay, and had only the minimum required to avoid fees and act as spending money put in that acct.

marzell said 12 days ago:

This was the case for Vanguard for a long time... also, it wasn't case sensitive. I'm not sure when it changed, but I think it was in the last couple years.

MauranKilom said 12 days ago:

It's more fun when they limit you to X characters (no special characters!) while choosing the password but let you input any number of characters when logging in, and failing you when you typed too many.

Razengan said 12 days ago:

Hey that's actually a neat idea! You could expand upon that system by having it only check the 2nd, 5th, 10th, Nth etc. characters.

So people could type in different gobbledegook each time between the characters that matter.

To further defeat keyloggers, shoulder snoopers etc., let each valid character be an option from a set of two or more characters.

So, if my password is: Any 8 characters, but 2nd character must be A/B/C/x/y/z, and the 6th must be !/@/# then I could type:

    9A4jc@23

    #C(@$!as

    oxo!c#-1
or any other valid combinations to get in.

How more secure would something like that* generally be compared to static passwords?

* (Of course this is a simplified example for illustration. In practice you'd use more characters/options.)

jedberg said 12 days ago:

> How more secure would something like that generally be compared to static passwords?

It's not secure at all. If someone knows the rules of the system, the entropy on that is tiny, because it's basically a 2 letter password with only 6/3 options.

The only security would be from the obscurity of the attacker not knowing the password rules.

Razengan said 12 days ago:

> because it's basically a 2 letter password with only 6/3 options.

That was obviously an oversimplified example to explain the rules.

In practice you could make it as obscure as you want, while keeping it easy for you to remember.

Like the sentences I just typed here. No limit on the number of characters. I could enter different long sentences each time, as long as the characters at specific positions match certain sets.

jerf said 12 days ago:

There is no way that "use a (proper) subset of the characters for bits of entropy" is going to beat "use all the characters for bits of entropy". Almost by definition, the second is going to have more entropy.

You're not getting anywhere, because people trying to guess your password don't have to guess your scheme. All you're doing is making it easier for them. There is no sense in which you are making it harder.

In the optimum case, you'd require them to get the right characters in the slots you're counting, but to not use the wrong characters in the slots you're not counting, thus demonstrating that they actually know the scheme in question and aren't just getting lucky. There would be exactly one character you'd accept in the slot you're counting, and there would be exactly one character they could use to indicate they understand your pattern in the slots you're not counting. This maximizes the chance they have proved to be in possession of your password, rather than just getting lucky because you didn't count their misses. This is, of course, simply using a password normally.
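Added worked example (not part of the thread) putting numbers on the exchange above. It takes Razengan's illustration literally (8 characters, 2nd in ABCxyz, 6th in !@#, everything else ignored), computes the work factor for an attacker who knows the rules next to that of an ordinary 8-character password, and then plays that attacker, enumerating only the positions that matter. The 94-character printable alphabet and the filler character are assumptions.

```python
"""Effective strength of an 'only certain positions are checked' password rule.

Added example, not from the thread. Uses Razengan's illustration: 8 characters,
2nd must be one of ABCxyz, 6th one of !@#; everything else is ignored. The
94-character alphabet and the filler character are assumptions.
"""
import itertools
import math
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 printable chars
LENGTH = 8
# 0-based position -> set of characters accepted at that position.
RULES = {1: set("ABCxyz"), 5: set("!@#")}


def accepts(attempt, rules=RULES, length=LENGTH):
    """The login check: only the constrained positions are compared."""
    if len(attempt) != length:
        return False
    return all(attempt[pos] in allowed for pos, allowed in rules.items())


def scheme_bits(rules=RULES, alphabet=ALPHABET):
    """-log2 of the fraction of random strings that are accepted, i.e. the work
    factor for an attacker who knows the rules. Ignored positions add nothing."""
    return sum(math.log2(len(alphabet) / len(allowed)) for allowed in rules.values())


def static_bits(length=LENGTH, alphabet=ALPHABET):
    """Work factor for a conventional random password of the same length."""
    return length * math.log2(len(alphabet))


def crack(rules=RULES, length=LENGTH, alphabet=ALPHABET):
    """Attacker who knows which positions are checked: enumerate only those
    positions and pad the rest with a fixed filler. Returns (accepted string, guesses)."""
    positions = sorted(rules)
    guesses = 0
    for combo in itertools.product(alphabet, repeat=len(positions)):
        guesses += 1
        chars = ["a"] * length                 # filler for ignored positions (assumed)
        for pos, ch in zip(positions, combo):
            chars[pos] = ch
        candidate = "".join(chars)
        if accepts(candidate, rules, length):
            return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    print(f"scheme: {scheme_bits():.1f} bits, static 8-char password: {static_bits():.1f} bits")
    print("cracked with", crack())
```

For this rule set the work factor is about 9 bits against roughly 52 bits for a full 8-character password, and the enumerating attacker never needs more than 94^2 guesses. An attacker who does not know which positions are checked only has to repeat this over the C(8,2) position pairs, which still leaves the scheme far below a plain password.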

dkonofalski said 12 days ago:

That's just the same thing as a password, though. Even a short password is still just ensuring that specific characters are in specific positions. The only situation where this would be useful is against people with physical or viewable access to the password being typed.

OJFord said 12 days ago:

> In practice you could make it as obscure as you want,

If only that made it as secure as you want.

https://en.wikipedia.org/wiki/Security_through_obscurity

Gene_Parmesan said 12 days ago:

And they would almost certainly know the password rules, because anyone making an account would have to be told the rules in order to understand what was happening.

shhsshs said 12 days ago:

Unless the rules were unique and hidden for each user!

    User1: 1,3,7,10,12,15
    User2: 2,3,5,8,10,13
I think we’re on to something big.
waway said 12 days ago:

It's complicated enough for people to remember 8 character long passwords, good luck with an additional level of complexity.

Razengan said 12 days ago:

Each user could provide their own rules.

mywittyname said 12 days ago:

If I had a key logger on your system, I'd just try;

    9A4jc@23
Bam. Access granted.
saagarjha said 12 days ago:

If you had a keylogger, it wouldn't really matter how good your authentication scheme is…

FroshKiller said 12 days ago:

Keyloggers aren’t very useful when authentication uses TOTPs from a hardware token.

chupasaurus said 11 days ago:

TOTPs from a hardware tokens aren't very useful if system doesn't support TOTP as an auth backend.

SamBam said 12 days ago:

But if each of those is a valid password, how does it defeat keyloggers or shoulder snoopers in any way? They just have to type in the same password.

Now, if the rules were totally secret, you could make it such that each time you used a password, it was no longer valid. That would defeat the keylogger, while still allowing you to remember your 3 special characters. But of course you can't ever assume your rules are secret (security by obscurity and all that).

KineticLensman said 12 days ago:

> You could expand upon that system by having it only check the 2nd, 5th, 10th, Nth etc. characters

A bank I use does something like this. On account creation you give it a long key string and on subsequent log-in it asks for three different characters (e.g. the 4th, 3rd and 9th characters) from the string.

said 12 days ago:
[deleted]
dmd said 12 days ago:

You can "impress" people this way still, just by surreptitiously typing Ctrl-u to clear what you've typed so far.

anyfoo said 12 days ago:

I'm guilty of that. I tend to mistype my passwords a lot, since I try to keep them pretty complicated, but since I usually realize quickly enough to imperceptibly hit Ctrl-U and retype in a smooth motion, I just let onlookers believe that my password is very, very long.

cellular said 12 days ago:

Your password is "the21stcharacterisa'z"

dev_dull said 12 days ago:

Such a funny idea. I would have loved to see people’s faces when you typed it in.

carlmr said 12 days ago:

>Since the DES-based crypt(3) algorithm used for these hashes is well known to be weak (and limited to at most 8 letters)

>ZghOT0eRm4U9s:p/q2-q4!

How is that 8 letters?

ryanlol said 12 days ago:

The part before : is the hash, the part after is the cracked 8 character password.

gwbas1c said 12 days ago:

Honestly, that confused me too. I really thought the whole password was that long.

nikbackm said 12 days ago:

Same here, thought it strange they could brute-force such a long password! Even with MD5.

danek said 12 days ago:

Lol I‘m familiar with chess notation but was so confused by this that I was googling to see what chess move uses a “Z” :(

SilasX said 11 days ago:

Ditto. I was like, I get the pawn moving from Queen 2 to Queen 4, but what’s that stuff before the colon?

robotstate said 12 days ago:

Thank you for explaining this.

larrik said 12 days ago:

still 13 characters...

edit: LOL, I guess I'm a little dumb today

progval said 12 days ago:

"p/q2-q4!" is the password, "ZghOT0eRm4U9s" is the password's hash. "p/q2-q4!" is 8 characters.

ct0 said 12 days ago:

Very easy to type as well

BeeOnRope said 12 days ago:

The password is p/q2-q4! which is 8 characters.

freeplay said 12 days ago:

p/q2-q4!

That is the password. 8 characters.

said 12 days ago:
[deleted]
said 12 days ago:
[deleted]
teddyuk said 12 days ago:

8

said 12 days ago:
[deleted]
said 12 days ago:
[deleted]
said 12 days ago:
[deleted]
umanwizard said 12 days ago:

If anyone is curious, the equivalent in modern notation is “1. d4!”. Moving the pawn in front of the queen forward by two spaces. The exclamation point indicates that the annotater believes it to be a particularly strong move (describing a standard move from opening theory that way is a bit tongue-in-cheek).

GCA10 said 12 days ago:

Yes. The smugness in the exclamation mark is quite funny in a way that keeps me grinning for way too long. It's a bit like a three-year-old declaring "I've got shoes on!"

blub said 12 days ago:

Yes, "1. d4!" and "1. e4!" are a sort of a Grandmaster joke in chess, showing their strong preference for one the classic competing openings.

sanderjd said 12 days ago:

What does the p/ part mean? My chess experiences is all after the popularity of descriptive notation...

gatesphere said 12 days ago:

p/q2-q4!

p : pawn

/ : at

q2 : queen's file, rank 2

- : moves to

q4 : queen's file, rank 4

! : good move!

sanderjd said 12 days ago:

Oh hmm, I didn't realize the notation was so unnecessarily verbose :) Of course it's a pawn moving from q2 to q4, that's the only thing there at the beginning of the game!

draegtun said 10 days ago:

Actually in descriptive notation the move would have been:

    P-Q4
Ken padded this out to 8 characters.
sanderjd said 8 days ago:

That makes way more sense!

rimliu said 12 days ago:

Pawn?

scardine said 12 days ago:

Right after finishing Electronics vocational school I spent the next year working as an intern at Unicamp (Campinas University in Brazil). The job was at the computer lab of the School of Electrical and Computer Engineering[1]. This was before ethernet (yeah, I'm that old), so dumb terminals were linked to the CPUs through RS-232 cables[2] - when I was not burning my fingertips soldering DB-25 connectors I was tinkering with every computer I could get my hands on.

I saw /etc/passwd and asked my boss how to decrypt the passwords. He told me it was a one-way encryption, so the login program would just encrypt the password you provided and compare to the encrypted value. He went on explaining the old crypt algorithm and even made a bet I could not guess his password. He said it was related to a movie.

So at 17 I was hooked and started studying the sources. In the end I just patched and recompiled the passwd binary to store clean text passwords in a hidden file. Later I learned this was called a trojan horse.

And even now, 30 years later, I remember his face when I told him the movie was Citizen Kane and his password was "rosebud".

Thank you Miguel and Gorgonio for teaching me about C and Unix! This knowledge paid my rent for 3 decades and I still love the job.

[1] http://www.internationaloffice.unicamp.br/english/teaching/g...

[2] https://en.wikipedia.org/wiki/RS-232

cantrevealname said 12 days ago:

One lone password from the original list, Bill Joy's password, is still uncracked as far as I can tell. Bill Joy is the co-founder of Sun Microsystems, author of vi, and a key developer of BSD UNIX. He apparently picked the best password.

Here's the /etc/passwd entry:

  bill:.2xvLVqGHJm8M:8:10:& Joy,4156424948:/usr/bill:/bin/csh
royce said 2 days ago:

It's now been cracked - and now we know why it took so long:

https://minnie.tuhs.org/pipermail/tuhs/2019-October/019124.h...

Snawoot said 10 days ago:

I already checked all passwords made of any printable character up to 7 symbols length. Full 8-symbol bruteforce will take about 120 days on my hardware, so I prioritized passwords with no special symbols first.

Does anyone with hashcat and GPGPU want to join me?

berbec said 12 days ago:

Interestingly enough, this password does not show up on haveibeenpwnd!

bitwize said 12 days ago:

Probably a dearth of chess passwords in their database. Try haveibeenpawnd.

1-6 said 12 days ago:

Wow, you deserve the comment of the day.

AnimalMuppet said 12 days ago:

For that comment, bitwize should be knighted.

dredmorbius said 12 days ago:

Or queened!

quickthrower2 said 12 days ago:

Or at least promoted.

Noumenon72 said 12 days ago:

Thank you for not suggesting he get rooked.

philpem said 11 days ago:

Geez, you should pawn that comment off ;)

schappim said 12 days ago:

Brilliant!

syastrov said 12 days ago:

That cracked me up

eyeundersand said 12 days ago:

I don't understand. Please help.

pcnix said 12 days ago:

The poster was making a pun, replacing pwnd with pawnd, with pawn as the chess piece.

mygo said 12 days ago:

what’s even cooler, he removed the chess punctuation!

said 12 days ago:
[deleted]
govg said 11 days ago:

It has pawn in it.

eyeundersand said 11 days ago:

I used to dabble in Chess when I was younger so I feel extra dumb now. Thanks!

oblio said 12 days ago:

haveibeenpawnd -> pawn, as in chess pawn.

_emacsomancer_ said 12 days ago:

Chess. Pawn.

ddalex said 12 days ago:

should be there in a couple of hours though

mncolinlee said 11 days ago:

That's what you get for a game where king white hat tries to capture king black hat by keeping him in check.

elandrum said 12 days ago:

That's actually pretty surprising.

0xJRS said 12 days ago:

yet!

lolc said 12 days ago:

This bothers me because I prefer to use slightly embarrassing passphrases. I do that because it creates a secondary incentive not to disclose them.

RandallBrown said 12 days ago:

In college my roommate and I made our wifi password something like a fart joke. Perfectly fine to tell to our close friends, but kinda embarrassing.

One day, at the end of the semester, our female neighbor knocked on our door and asked if she could use our wifi since she was moving out the next day and had already canceled her Internet.

I would have been happy to share with her, but I couldn't bring myself to tell her the password. Instead I just said my roommate was "really weird about sharing our wifi" and apologized.

I don't think that incident ever actually made me change the password though.

said 12 days ago:
[deleted]
fluidcruft said 12 days ago:

It's probably actually easier to learn vulgar passwords. Well vulgar anything really, it's a memorization trick we were taught in school to find a way to relate boring things to sex. Probably anything that has strong emotional valence works.

oneeyedpigeon said 11 days ago:

Yup, Moonwalking with Einstein explains this phenomenon well. I know I'll never forget 'Sex On Hard Concrete Always Hurts The Orgasmic Areas', which my Maths teacher passed on ~30 years ago.

anon73044 said 11 days ago:

we always preferred the "Some Old Hippy Caught At Home Tripping On Acid"

I won't repeat the one we were told to remember Resistor color codes.

mrtcve said 12 days ago:

I would avoid doing that, invariably they end up in dumps with your name and email next to them.

One of the more interesting things about reused "unique" passwords is they can serve as a fingerprint to link accounts you may not otherwise be able to attribute to the same account/individual.

lolc said 11 days ago:

You missed the "slightly" part of the embarrassing. You can find other more embarrassing things I wrote when you search for my email-address. Re-use of slightly embarrassing passwords is not worse than re-use of any other unique password.

Also https://www.xkcd.com/137/

elisto said 12 days ago:

Does that mean that it is embarrassing and can be tied to you or that it is just embarrassing to say? If the first, then wouldn't you risk being pwned and having that used against you?

lolc said 12 days ago:

Oh no not that embarrassing. I don't record private secrets into my passwords. They're more like "I never told Cindy I loved her." with Cindy being a now-dead cat. My embarrassment threshold is low :-)

mjlee said 12 days ago:

I worked with someone who had to share a password to solve a major outage. (Yes, I know...)

It was a rude comment about a colleague.

lolc said 12 days ago:

Want better password hygiene in the workplace? Encourage rude passwords!

a3n said 12 days ago:

Password rule N+1: "A password must contain at least one word from our list of banned URLs."

At a former job I could not go to one of global corp Tata sites, because tata.

philpem said 11 days ago:

Good luck finding out where Penistone or Scunthorpe are...

xnyan said 12 days ago:

I’m guessing the latter. Not saying my password is 8o0b7fOr2060+9

elahieh said 12 days ago:

ZghOT0eRm4U9s is actually the newer one, the older one is from 2.9BSD, through to 4.3BSD

https://www.openwall.com/presentations/Passwords12-The-Futur...

sq5UDrPlKj1nA

Seeing this news, I guessed this one on my second guess (after trying p/q2-q4!) - no brute forcing required!

p/k2-k4!

elahieh said 12 days ago:

Oops - I have it the wrong way around. 2.9BSD came out after 3BSD.

Zanneth said 12 days ago:

Did anyone bother to ask Ken’s permission first before publishing his password on the public internet? Based on his reaction he clearly didn’t mind, but still!

bakul said 12 days ago:

The /etc/passwd file from which this password was unearthed has a date of Jan 5 1980 (from a 3BSD tar file). Presumably ken has updated his password since then.

bonestamp2 said 12 days ago:

One would hope, but it still seems like common courtesy to give him a heads up.

bakul said 12 days ago:

ken replied to the thread about this on TUHS 4-5 days prior to the actual crack. But you are right. No one actually said "hey ken, better change your password if you haven't because I am going to crack the password you used in 1980".

blub said 12 days ago:

In my opinion this was a pretty crappy thing to do. Password could contain personal and potentially embarrassing information, even if that wasn't the case here.

pbhjpbhj said 12 days ago:

Revealing people's internet pawn habits shouldn't be done lightly ... /dadjoke

PacketPaul said 12 days ago:

Now I know his chess move.

zamadatix said 12 days ago:

This was a crappy thing to do even though the reason it is crappy wasn't the case here?

ben509 said 12 days ago:

Pike was piqued, too.

emmelaich said 12 days ago:

Here's his message. Says he knew it already by sitting near Ken.

https://inbox.vuxu.org/tuhs/CAKzdPgw0Vz8UFbK7c_Jr+RHGMssSxN=...

iblaine said 12 days ago:

This brings back memories of a common exploit w/tftp, such that you could download an unshadowed /etc/passwd file from a remote machine, decrypt it, log into that remote system, collect new hosts from /etc/hosts, then rinse and repeat. Hash rates were pretty slow back then, but the fact that people used passwds straight out of dictionaries helped, so I'm told...

wjp3 said 12 days ago:

Better yet, open the /etc/passwd and see the root user's password wasn't set...

Back in college I ran ToneLoc overnight and would try ftp on the successful hits. One server didn't have root set, so I telnet'ed, <Enter> when prompted for the password, and I was in.

I ran 'who', saw a user logged in. Decided to wall them a message of "You should really set your root password." and logged out.

A couple of days later, I got an email on the trash email account I would use for ftp logins - dude was super nice but freaked out and wanted to know how I found his server. I didn't reply.

nguoi said 11 days ago:

Do you know the train biscuits story?

https://www.youtube.com/watch?v=SF2fZ2iOXhk

Imagine the anecdote coming from the person you wall'd.

dekhn said 12 days ago:

I deduced my dad's password when I was a middle-schooler. The uni micro had a teletype and although it did not echo password characters, if you mistyped your password, it would print the mistyped password, and knowing a bit about my dad, I could figure out what the correct password was. I logged in and sent him an email reminding him to use a better password.

tsbinz said 12 days ago:

Our high school's library computer (in the 90s) logged failed log-ins in a file readable by anyone. Just the username, not the attempted passwords, but the return key on that computer was not reliable and a very common error was that the return key didn't register leading to "usernamepassword" being in the log.

lostlogin said 12 days ago:

I watched a variation on this in a lecture hall, when the head of school attempted to log into the system and typed UsernamePassword into the username field with a big projector running.

Gunax said 12 days ago:

That's just a bad system design, not your dad's fault really:

"Your password 'huntet2' is invalid"

unless the password is just random characters, anyone can guess how it was mistyped.

Hell, even if it was just random characters, one could just assume that it's one character-off from the real password, and try shifting each character around.

jerf said 12 days ago:

To be precise, in the case of a patterned password (i.e., dictionary word or something a human can recognize), it leaks all but about 2-3 bits, assuming the human can work out the most likely mistake as in your example, and we assume it's a simple error like a nearby key or simple character flip.

If it's a random password, it may still leave 2-3 bits per character as it becomes much harder to know where the error is (e.g., if "j9^vl4JO" is wrong, what is the correct password?), but if you have your hands on two independent errors, which is reasonably likely, that pretty much collapses to 1-2 bits tops even in the random case (e.g., if you also have "k9^vl4JP" that pretty much nails it down to either the first and last being "j P" or "k O").

It is a truly terrible idea!

xoa said 12 days ago:

>e.g., if "j9^vl4JO" is wrong, what is the correct password?

Shouldn't that remain utterly trivial to brute though? If we're assuming all the standard face keys+shifted, I think that's 94 characters. If it's fully unknown then search space is 94^8 or about 6E15, not good but if it's an adaptive hash sizable. But if it's only a one character error, wouldn't you just brute through each of the 8 one by one with only 94 each? That'd reduce it to just 752 possibilities at worst which is so low someone determined could even do it by hand, even ignoring any obvious psychology like the likelihood that the special character isn't the mistake and probably the only special character too.

Certainly not quibbling that it's an awful idea. I don't even like "password hints" so many systems still seem to have, they should be random!

jerf said 12 days ago:

Yes. I'm just demonstrating with an example that a less structured password is less damaged. It is still something I'd consider "burned" in real life, though.

perl4ever said 12 days ago:

You don't think the special character could be a mistake?

Seems plausible the correct password might be j(6vl4JO...

xoa said 12 days ago:

>You don't think the special character could be a mistake?

Not that it makes any real difference here with such a small search space, but in this scenario (known typo, information revealed) it's less likely. Remember, we're considering a human typing something out on a keyboard, so the probabilities aren't fully random. If we're trying to use probabilities to cut down the search space further, a caret character requires shifting well away from the home row (shift-6 US standard qwerty) so it's more likely to represent active intent. Perhaps it could be % or & (shift-5/shift-7), but if you know someone is trying to type a password out and has made a typo then a left/right neighbor with shifting preserved is an easy place to start guessing.

Obviously, this whole thing is such an awful idea and breaks everything so badly that it's all kind of theoretical anyway, hopefully no software has had behavior like this for a long time. And any actual brute force program today has far more sophisticated pattern attacks based on the enormous corpus of password leaks and knowledge there now is, which is why it's foolish to try to be clever with passwords rather than just generating something fully randomized.
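Added worked example (not part of the thread) for the recovery jerf and xoa describe: given one or two echoed mistyped attempts, enumerate everything one keyboard slip away and hash-check it. It goes a little beyond xoa's 8 x 94 count by also covering a dropped, extra or swapped character, and it shows how a second independent typo collapses the candidate set by intersection. The target system's hash is replaced by a SHA-256 stand-in, the secret password "k9^vl4JO" and the 94-character alphabet are constructed; the two observed typos are the ones from jerf's comment.

```python
"""Recovering a password from attempts a system echoed back after a typo.

Added example, not from the thread. The system's real hash is replaced by a
SHA-256 stand-in (assumption); any one-way hash works the same way here since
the attacker only needs to verify guesses. The 94-character alphabet is assumed.
"""
import hashlib
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def edit1(word, alphabet=ALPHABET):
    """Every string one keyboard slip away from `word`: one character
    substituted, dropped or inserted, or two adjacent ones swapped."""
    out = set()
    n = len(word)
    for i in range(n):
        for c in alphabet:
            if c != word[i]:
                out.add(word[:i] + c + word[i + 1:])          # substitution
        out.add(word[:i] + word[i + 1:])                       # deletion
        if i + 1 < n and word[i] != word[i + 1]:
            out.add(word[:i] + word[i + 1] + word[i] + word[i + 2:])  # transposition
    for i in range(n + 1):
        for c in alphabet:
            out.add(word[:i] + c + word[i:])                   # insertion
    out.discard(word)
    return out


def hash_pw(password):
    # Stand-in for the target system's password hash (assumption).
    return hashlib.sha256(password.encode()).hexdigest()


def candidates(observed):
    """Strings consistent with every echoed attempt being one slip from the
    real password. Each extra attempt intersects, and so shrinks, the set."""
    result = None
    for attempt in observed:
        near = edit1(attempt)
        result = near if result is None else result & near
    return result


def recover(observed, target_hash):
    """Hash-check the candidate set. Returns (password or None, hashes computed)."""
    tried = 0
    for cand in sorted(candidates(observed)):
        tried += 1
        if hash_pw(cand) == target_hash:
            return cand, tried
    return None, tried


if __name__ == "__main__":
    real = "k9^vl4JO"                                  # constructed secret
    target = hash_pw(real)
    one = ["j9^vl4JO"]                                 # one echoed typo
    two = ["j9^vl4JO", "k9^vl4JP"]                     # two independent typos
    print(len(candidates(one)), "candidates from one typo ->", recover(one, target))
    print(len(candidates(two)), "candidates from two typos ->", recover(two, target))
```

From a single echoed attempt of length 8 the candidate set is at most 8 x 93 substitutions plus 8 deletions, 9 x 94 insertions and 7 transpositions, about 1600 strings; with the two attempts from jerf's example the intersection is exactly the two strings he names, so the password falls to at most two hash evaluations.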

dekhn said 12 days ago:

My dad's fault was to bring the printout home and leave it in a public location.

CrazyStat said 12 days ago:

Even better if you can find it mistyped two different ways.

taborj said 12 days ago:

>if you mistyped your password, it would print the mistyped password,

That's incredibly useful. Stand next to someone, casually chatting, while they enter their password. Just before they hit [ENTER], stab a key -- say, a 'z'. Boom, it prints their password with an extra 'z' at the end.

Sure, they'd be aware of it and likely change their password. But still. A more common use case would be to hang around and wait for them to inevitably typo the password. If you see that enough, you'll get a really good idea about what it's supposed to be, or at least give you enough of the password to make figuring out the missing part trivial.

blotter_paper said 12 days ago:

I've never done anything malicious with the knowledge, but I've totally learned people's passwords just by watching their fingers type. I make an effort to have passwords that would be difficult for a human to nail down while watching them typed quickly in real time. The ubiquity of cameras has me reconsidering input and/or authentication mechanisms, though.

psb said 12 days ago:

One good thing about using dvorak I guess

war1025 said 12 days ago:

At one point I considered learning Dvorak and then having a password that was using the Dvorak key layout but on a Qwerty keyboard.

But I only made it maybe a month into my Dvorak-learning efforts. Just not enough benefit for the added hassle.

blotter_paper said 12 days ago:

Especially with blank caps; securing keys through obscuring keys.

wy35 said 12 days ago:

I remember guessing the admin password of the router back in high school so I could port forward a Minecraft server

andai said 12 days ago:

It makes me happy to read this. I cracked the admin pass at my school for a really trivial reason, I think I wanted to adjust the audio panning. By default it was set 80% left to compensate for the school's cheap headsets.

Possibly, I also wanted to disable the spyware / remote access they had on all the computers. There's no experience quite like having your control of the mouse cursor taken away by an invisible, omnipotent sysadmin. Hilariously, they wouldn't even run a logout command remotely, but actually go to the start menu to do it, I think to make a point.

jonnycomputer said 12 days ago:

the most amusing thing is the exclamation mark on such a banal opening move.

arnsholt said 12 days ago:

At least in modern usage, giving the exclam to signal "I prefer this opening move" isn't uncommon, so it's not a stretch to think that it was done in the seventies too. Also it rounds the whole thing out nicely to eight characters.

Waterluvian said 12 days ago:

It's been decades. That means "Check!" right?

thom said 12 days ago:

Exclam! Generally a good move, perhaps even unexpectedly so. Double exclam, !!, being a brilliant move, especially one with flair like a sacrifice. Triple exclam is reserved for the games of Emory Tate. ;)

mongol said 12 days ago:

Emory Tate must have been extraordinary..?

mywittyname said 12 days ago:

More like Extraordinary!!!

andrepd said 12 days ago:

Nope, it means "good move". Check is +

paulddraper said 12 days ago:

It's similar to English actually. It's commentary, rather than semantics.

! is good move.

? is dubious move.

If you want to get carried away, double/triple those.

said 12 days ago:
[deleted]
politelemon said 12 days ago:

> (those familiar know the hash-rate fluctuates and slows down towards the end)

Could someone explain this to me, why does it slow down towards the end?

jodrellblank said 12 days ago:

For some context of how hashcat works with GPUs:

https://hashcat.net/wiki/doku.php?id=frequently_asked_questi...

Then:

https://hashcat.net/wiki/doku.php?id=frequently_asked_questi...

It isn’t running a single thread at 100% GPU use until the end, it has to partition up the search space and balance how it creates possible passwords on the CPU, on the GPU, and based on the kind of attack patterns you asked for - and when it’s getting to the end of the search space, some of the search space partitions are done and the remaining ones aren’t enough to load the GPU fully, so hash throughput drops.

parsimo2010 said 12 days ago:

I don't know for sure, but these Radeon GPUs are power hungry and hot. It could be just that after multiple days the entire computer is heat soaked and goes through more thermal throttling than even the "steady state" GPU tests that most gamers do (a few hours).

It might also be cruft building up over time with small memory leaks or imperfect memory management.

nexuist said 12 days ago:

This is what I thought too, the heat simply becomes overwhelming and the unit has to underclock to prevent melting.

close04 said 12 days ago:

I think the "towards the end" part is the misleading one. The software has no idea where the end is or it would just jump there. Since the run took 4 days, slowing down due to throttling would happen pretty fast as the card reaches a thermal equilibrium. Certainly wouldn't take days to do it.

It's more likely the explanation above of something (not heat) accumulating over time and slowing down the processing.

floatboth said 12 days ago:
alex_duf said 12 days ago:

I'm curious too, could it be due to the way the search space is explored in parallel?

qot said 12 days ago:

I suspect it's because the farther down the rule list you go, the more complicated the rules get.

Password cracking often uses rule lists to modify known passwords lists in some way (adding 123 to the end, for example). These get more complicated towards the end so they take more operations.

said 12 days ago:
[deleted]
Isamu said 12 days ago:

Queen's pawn game:

https://en.wikipedia.org/wiki/Queen%27s_Pawn_Game

[edit] See also "Ken, Unix and Games" by Dennis Ritchie:

https://www.bell-labs.com/usr/dmr/www/ken-games.html

annoyingnoob said 12 days ago:

I'm feeling like it is not appropriate to publicly post passwords, even when they are old.

lonelappde said 12 days ago:

This is Vader is Luke's father old.

abalone said 12 days ago:

How did they crack it in 4 days if ”a 7-bit exhaustive search would still take over 2 years on a modern GPU”? Is that overstating it?

maccard said 12 days ago:

They got lucky/narrowed the search space. Just because it will take me 2 years to evaluate all the possibilities, doesn't mean I won't immediately hit aaaaaaaa

semi-extrinsic said 12 days ago:

Specifically, we can conjecture they narrowed the search space to "lowercase+numbers+a few symbols", excluding uppercase letters.

MayeulC said 12 days ago:

I guess that cracking this specific password could be said to have been parallelized over multiple individuals over the years, and it wouldn't surprise me if it had burnt multiple years of processor time. In the end, someone had to get lucky when picking their search space/exploration parameters :-)

said 12 days ago:
[deleted]
ectospheno said 12 days ago:

I once anonymously emailed administrators of a multiuser unix system that perhaps they should handle the numerous users that had home directories and .bashrc files that were both writable by everyone. After a week I had the users themselves email when they logged in. It was fixed that day.

trustissue said 12 days ago:

Speaking of passwords, I just discovered that HN will ban your IP address from creating an account if you have a question mark in your password. I assume this is to help against SQL injection? (Not a security person here.) Pretty extreme result, but luckily I can post from another IP. I wonder how many users have hit this and not known why?

grzm said 12 days ago:

While possible, it seems unlikely that this is the case. I'd contact the mods via the Contact link in the footer to resolve the issue.

tracker1 said 12 days ago:

Interesting. :-)

When I create hashes for systems, I actually now create a "version" prefix for hashes... this way I can on-run upgrade to a newer hash at login (if/when needed).

Have upgraded older systems this way... after 30 days, dumped any that hadn't changed and sent emails notifying that they'd have to use the "forgot password" option the next time they wanted to login.

Currently using pbkdf2/hmacsha512*100000 for password hashing. 16-byte salt, 32-byte result... varying too far from NIST guidelines would have been a hard sell.

output base64 values: v#.SALT.HASH
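
The versioned-record scheme the comment describes, written out as an added Python example (it is not the commenter's code). The v1 parameters follow the comment (PBKDF2-HMAC-SHA512, 100000 rounds, 16-byte salt, 32-byte result, base64 fields joined as `v#.SALT.HASH`); v2 is an assumed stronger successor used only to show the upgrade-at-login path, and the version table and function names are this example's own. Splitting on `.` is safe because the base64 alphabet never contains a dot.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Hypothetical version table (not from the comment). Each version pins the KDF
# parameters so an old record can be recognised and rehashed after a good login.
# v1 mirrors the comment: PBKDF2-HMAC-SHA512, 100000 rounds, 16-byte salt, 32-byte key.
# v2 is an assumed successor with a higher work factor.
VERSIONS = {
    1: {"hash_name": "sha512", "iterations": 100_000, "salt_len": 16, "dklen": 32},
    2: {"hash_name": "sha512", "iterations": 210_000, "salt_len": 16, "dklen": 32},
}
CURRENT_VERSION = 2


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _derive(password: str, version: int, salt: bytes) -> bytes:
    p = VERSIONS[version]
    return hashlib.pbkdf2_hmac(
        p["hash_name"], password.encode("utf-8"), salt, p["iterations"], dklen=p["dklen"]
    )


def hash_password(password: str, version: int = CURRENT_VERSION,
                  salt: Optional[bytes] = None) -> str:
    """Return a stored record of the form v<version>.<base64 salt>.<base64 hash>."""
    if salt is None:
        salt = os.urandom(VERSIONS[version]["salt_len"])   # fresh random salt per record
    return f"v{version}.{_b64(salt)}.{_b64(_derive(password, version, salt))}"


def parse_record(record: str) -> Tuple[int, bytes, bytes]:
    """Split a record into (version, salt, hash); base64 never contains '.', so split is safe."""
    tag, salt_b64, hash_b64 = record.split(".", 2)
    if not tag.startswith("v") or not tag[1:].isdigit():
        raise ValueError("malformed password record")
    version = int(tag[1:])
    if version not in VERSIONS:
        raise ValueError(f"unknown hash version {version}")
    return version, base64.b64decode(salt_b64), base64.b64decode(hash_b64)


def verify_and_upgrade(password: str, record: str) -> Tuple[bool, str]:
    """Check the password against the record. On success, return the record to store:
    unchanged if already at CURRENT_VERSION, otherwise rehashed with the current
    parameters and a new salt (the only moment the plaintext is available)."""
    version, salt, expected = parse_record(record)
    actual = _derive(password, version, salt)
    if not hmac.compare_digest(actual, expected):   # constant-time comparison
        return False, record
    if version < CURRENT_VERSION:
        return True, hash_password(password)
    return True, record


if __name__ == "__main__":
    old = hash_password("correct horse", version=1)       # a record from the old scheme
    ok, new = verify_and_upgrade("correct horse", old)
    print(old, "->", new, "(ok)" if ok else "(rejected)")
```

The upgrade can only happen at a successful login, which is why the comment's 30-day cutoff followed by a "forgot password" reset is the natural way to retire records that never get touched.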

cantrevealname said 12 days ago:

Since this password list appears to come from one of the original systems on which UNIX and C were developed, it would be fun to see the names and original passwords of all the luminaries. I merged together the author's work, the original /etc/passwd, and the comments from the mailing list:

  root:OVCPatZ8RFmFY:Ernie Co-vax --> cowperso
  daemon:*:The devil himself --> (login not allowed)
  bill:.2xvLVqGHJm8M:Bill Joy --> (password still unknown)
  ozalp:m5syt3.lB5LAE:Ozalp Babaoglu --> 12ucdort
  sklower:8PYh/dUBQT9Ss:Keith Sklower --> theik!!!
  kridle:4BkcEieEtjWXI:Bob Kridle --> jilland1
  kurt:olqH1vDqH38aw:Kurt Shoens --> sacristy
  schmidt:FH83PFo4z55cU:Eric Schmidt --> wendy!!!
  hpk:9ycwM8mmmcp4Q:Howard Katseff --> graduat;
  tbl:cBWEbG59spEmM:Tom London --> ..pnn521
  jfr:X.ZNnZrciWauE:John Reiser --> 5%ghj
  mark:Pb1AmSpsVPG0Y:Mark Horton --> uio
  dmr:gfVwhuAMF0Trw:Dennis Ritchie --> dmac
  ken:ZghOT0eRm4U9s:Ken Thompson --> p/q2-q4!
  sif:IIVxQSvq1V9R2:Stuart Feldman --> axolotl
  scj:IL2bmGECQJgbk:Steve Johnson --> pdq;dq
  pjw:N33.MCNcTh5Qw:Peter J. Weinberger --> uucpuucp
  bwk:ymVglQZjbWYDE:Brian W. Kernighan --> /.,/.,
  uucp:P0CHBwE/mB51k:UNIX-to-UNIX Copy --> whatnot
  srb:c8UdIntIZCUIA:Steve Bourne --> bourne
  finger::The Finger Program --> (no pw but runs a program, not a login shell)
  who::The Who Program --> (no password but runs a program, not a login shell)
  w::The W Program --> (no password but runs a program, not a login shell)
  mckusick:AAZk9Aj5/Ue0E:Kirk McKusick --> foobar
  peter:Nc3IkFJyW2u7E:Peter Kessler --> ...hello
  henry:lj1vXnxTAPnDc:Robert Henry --> sn74193n
  jkf:9ULn5cWTc0b9E:John Foderaro --> sherril.
  fateman:E9i8fWghn1p/I:Richard Fateman --> apr1744
  fabry:d9B17PTU2RTlM:Bob Fabry --> 561cml..
  network:9EZLtSYjeEABE:(no name listed) --> network (runs a program, not a login shell)
  tty:: --> (no password but runs a program, not a login shell)
It's amusing to see that even very smart people picked passwords just like people do today:

- spouses' names (jilland1, wendy!!!, sherril.)

- birth dates (apr1744 might be April 17, 1944)

- the first word that came to your mind (whatnot, foobar, ...hello)

- though a few were thoughtful (sn74193n is a synchronous binary counter from the 7400-series chip family and likely immune to dictionary attack in that era)

- easy to type patterns on a keyboard (/.,/., or 5%ghj)

- obscure words (axolotl is a Mexican walking fish)

- different languages (12ucdort is 1,2,3,4 in Turkish)

- and some people didn't care (Steve Bourne, inventor of the Bourne shell, picked "bourne")
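
The weakness classes listed above (username or real name reused, dictionary word with decoration, repeated block, trailing run of `!`, keyboard walk) can be checked mechanically before a password is accepted. The following is an added Python example, not code from the comment or from any of the systems discussed; the QWERTY layout table, the adjacency threshold of 0.75, and the tiny stand-in word list are this example's own constructed choices (a real checker would use a full wordlist). It is run against entries from the list above.

```python
import re
import string

# US QWERTY rows as (unshifted, shifted) pairs; both map to the same key position,
# so "5" and "%" count as the same key (constructed table, this example's own).
ROWS = [
    ("`1234567890-=", "~!@#$%^&*()_+"),
    ("qwertyuiop[]\\", "QWERTYUIOP{}|"),
    ("asdfghjkl;'", 'ASDFGHJKL:"'),
    ("zxcvbnm,./", "ZXCVBNM<>?"),
]
KEY_POS = {}
for r, (plain, shifted) in enumerate(ROWS):
    for c, (a, b) in enumerate(zip(plain, shifted)):
        KEY_POS[a] = (r, c)
        KEY_POS[b] = (r, c)

# Tiny stand-in for a real dictionary (constructed for this example).
WORDLIST = {"sacristy", "axolotl", "foobar", "whatnot", "wendy", "bourne",
            "network", "hello", "music", "qwerty"}


def keyboard_walk_ratio(pw: str) -> float:
    """Fraction of consecutive keystrokes that land on the same or an adjacent key."""
    steps = list(zip(pw, pw[1:]))
    if not steps:
        return 0.0
    adjacent = 0
    for a, b in steps:
        pa, pb = KEY_POS.get(a), KEY_POS.get(b)
        if pa and pb and max(abs(pa[0] - pb[0]), abs(pa[1] - pb[1])) <= 1:
            adjacent += 1
    return adjacent / len(steps)


def repeated_block(pw: str):
    """Return the shortest block whose repetition forms the whole password, if any."""
    n = len(pw)
    for p in range(1, n // 2 + 1):
        if n % p == 0 and pw == pw[:p] * (n // p):
            return pw[:p]
    return None


def trailing_repeat(pw: str, min_run: int = 3) -> bool:
    """True if the password ends in a run of min_run or more identical characters."""
    run = 1
    while run < len(pw) and pw[-run - 1] == pw[-1]:
        run += 1
    return run >= min_run


def name_derived(pw: str, username: str, gecos: str):
    """Tokens from the username or real-name field that appear inside the password."""
    low = pw.lower()
    tokens = [username.lower()] + [t for t in re.split(r"[^a-z]+", gecos.lower()) if len(t) >= 3]
    return [t for t in tokens if t and t in low]


def dictionary_word(pw: str):
    """Strip surrounding digits/punctuation ("wendy!!!", "...hello") and look up the core."""
    core = pw.strip(string.punctuation + string.digits).lower()
    return core if core in WORDLIST else None


def audit(username: str, gecos: str, pw: str):
    """Return the list of weakness flags raised for one passwd entry."""
    flags = []
    if name_derived(pw, username, gecos):
        flags.append("username_or_name")
    if dictionary_word(pw):
        flags.append("dictionary_word")
    if repeated_block(pw):
        flags.append("repeated_block")
    if trailing_repeat(pw):
        flags.append("trailing_repeat")
    if len(pw) >= 4 and keyboard_walk_ratio(pw) >= 0.75:
        flags.append("keyboard_walk")
    return flags


if __name__ == "__main__":
    for user, name, pw in [("srb", "Steve Bourne", "bourne"),
                           ("bwk", "Brian W. Kernighan", "/.,/.,"),
                           ("schmidt", "Eric Schmidt", "wendy!!!"),
                           ("ken", "Ken Thompson", "p/q2-q4!")]:
        print(f"{user:8} {pw:10} {audit(user, name, pw)}")
```

Note what the checker does not catch: `p/q2-q4!` raises no flag at all, because none of these structural tests know about chess notation. That is exactly the gap a cracker closes with a targeted rule or wordlist once a pattern becomes known, which is why structural checks complement rather than replace a strength estimate.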

royce said 12 days ago:

The superset of all of the original CSRG-shipped cracking-eligible descrypt hashes is actually about 1400 hashes, drawn from a slightly smaller number of overlapping accounts among releases. Many of them appear to have been temp/test/throwaway with generic usernames and short, simple passwords.

said 12 days ago:
[deleted]
tejisanti_ said 11 days ago:

Dear stargrave, I am very grateful for sharing this knowledge. It was a delight reading. With this, I realized I am almost achieving an old dream of mine since my teenage years: I understood almost everything. And came in the proper time, just as I am finishing my masters in informatics and computer engineering this year. You have my gratitude.

1123581321 said 12 days ago:

I don’t understand why the author thought it would take years to find this password, as opposed to something closer to the four days it actually took.

sp332 said 12 days ago:

They said an exhaustive 7-bit search would take that long.

Edit: That would be 128^8 =~ 72 quadrillion DES hashes.

aidenn0 said 12 days ago:

Which works out to 2.2 years at the rate that the actual password was cracked (1GH/s).

Aissen said 12 days ago:

That's the probabilistic aspect of password cracking :-). In addition, I'm not sure if it's 2 years with 2014 GPUs (when he did the initial cracking), or today's GPUs.

ganitarashid said 12 days ago:

I guess he’s lucky that the password wasn’t anything embarrassing. What if the password had been “I love sex” or something?

said 12 days ago:
[deleted]
Kiro said 12 days ago:

> Did he really use uppercase letters or even special chars?

Why would he not? I'm obviously missing something here.

rwmj said 12 days ago:

Typing on a teletype is painful at the best of times. One reason why common Unix commands are so short.

Edit: Yes I have used a teletype, connected to an Elliott computer, I believe it was a 903 or at least it looked very much like this: http://www.computinghistory.org.uk/det/32480/Elliott-903

Kiro said 11 days ago:

Stupid question but how do you actually type on that thing? I don't see anything resembling a keyboard.

rwmj said 11 days ago:

There was a room full of teletypes connected over serial ports. They aren't shown in the photo. I can't find a picture resembling any of the teletypes that we had, but the general idea is shown here: https://en.wikipedia.org/wiki/Teleprinter#/media/File:Telesc... (The ones we actually had were a bit smaller and flatter)

windsurfer said 12 days ago:

The early days of mainframes had some groups of individuals who advocated for no passwords or just your username again as a password: https://www.oreilly.com/openbook/freedom/ch07.html

dekhn said 12 days ago:

you're confusing mainframes with UNIX microcomputers, and 1983 wasn't early.

Also, I remember when FSF hosted UNIX machines at MIT that you could telnet into without a password. It was a total mess.

taborj said 12 days ago:

Cliff Stoll's The Cuckoo's Egg grapples with this a bit. The fine line between open systems that anyone can use, and closed systems that protect your privacy and data.

It's obviously a settled question these days, but back in the 70s and 80s, this was a bit of a hot topic.

sfink said 12 days ago:

I disagree. I don't think this is at all settled, and in fact is a big topic right now. The debate has just moved on past personal passwords.

For example, chat systems. Do you want an open one where anyone can get on with a minimum of fuss and participate? Or do you want an open one, with controls to manage spam and harassment so that people are able to be open while using it?

(I work at Mozilla, where we are moving off of IRC because, while it encourages participation from any rando who comes by, it is inaccessible to a number of people because they will be attacked if they log in. Many have moved over to Slack, which is very much closed (but open). Not to mention the channels that have been abandoned because they are overrun with spam, which makes them inaccessible or at least useless to everyone. As someone who does not get harassed, I don't really like either of those points on the spectrum even though IRC works great for me if I don't think about the people who are no longer there.)

lonelappde said 12 days ago:

Why not make an anti-spam/harassment ITC bot, and Take Back The Web from Slack?

It's really hard for me to understand what Mozilla's mission is these days.

windsurfer said 12 days ago:

You're right, my mistake!

elwell said 12 days ago:

In the future, there won't be any need for passwords.

anonymfus said 12 days ago:

In the future there will be no identity theft because we all will have one identity. Resistance is futile...

empath75 said 12 days ago:

In the early days of unix, people didn't take passwords that seriously and often shared them.

adossi said 12 days ago:

I would have borrowed "/.,/.," a long time ago had I heard about it sooner. That is just way too convenient.

nkrisc said 12 days ago:

My brother used to use asdfghjkl;' as a password so he could just drag his finger across the keyboard from the a key to the enter key. The original swipe to unlock!

asdfman123 said 12 days ago:

My first password ever was qazwsx and I used it until I learned that it's included in "known" password text files and thus instantly crackable.

However, I wonder how safe it is to take an "easy" password like /.,/.,/., and then add a bunch of exclamation points to the end, so that it's both long and not part of a dictionary.

I'm sure password crackers are advanced enough to first try taking common passwords and then adding human modifications to make them more secure.

But something like MyDogRules###########! seems like it could be very secure, actually.

bitofhope said 12 days ago:

I remember reading a blog post about how something like "aaaaaaaaaaaaaaaaaaaa…" with sufficient 'a's was actually perfectly secure since it wasn't included in any of the common cracklists or hash leaks. I think the number of 'a's was somewhere in the 30s. Obviously bruteforcing it would take absurdly long, too.*

The problem is, after I've committed a long passphrase into muscle memory, it probably takes me less time to type a 40-character phrase than count 40 individual keypresses of a button hoping I don't miscount.

* Assuming nobody is stupid enough to make a depth-first password cracking program. "I'm down to a billion 'a's now. I should be ready to try a 'b' any minute now!"

dmurray said 12 days ago:

This article from 2013 shows some impressive password-generating techniques that cracked secure-looking passwords like momof3g8kids. It doesn't specifically give an example like MyDogRules###########!, but it seems reasonable they could get it by similar methods of concatenating multiple password fragments.

[0]https://arstechnica.com/information-technology/2013/05/how-c... (OK, the passwords were hashed only with MD5)

asdfman123 said 12 days ago:

So I guess what they're saying is if they just use older password technology and they get hacked, you're screwed.

magashna said 12 days ago:

Best practices have changed from using a complex password with lots of upper/lower and symbols to using something longer but easier to remember. More strength from misspellings and a few symbols.

My Fav0riT Pas%werd

is actually pretty solid compared to

df22@$Fasdf

because the latter is more crackable

saturn_vk said 12 days ago:

I really like the logic behind this one: https://www.xkcd.com/936/

It also doesn't require any special characters and it's quite easy to remember.

twodave said 12 days ago:

The only knock on this strategy is that the more people adopt it the less effective it becomes (crackers will just start trying combinations of common words). The up-side is there are more 4-word combinations in English using only the 10,000 most common words than in any 8-character password, so even if crackers targeted the strategy specifically it's more costly to crack.

magashna said 12 days ago:

Misspelling and using a few character replacements makes a dictionary attack much more difficult. You don't have to make it too hard on yourself, just a few changes to make a really secure password.

giancarlostoro said 12 days ago:

Is your username an ode to this somehow? :)

Mr. Asdf sir

asdfman123 said 12 days ago:

Nope, but by an old internet meme: https://knowyourmeme.com/memes/asdfmovie

giancarlostoro said 12 days ago:

I forgot all about asdfmovie! That's an oldie for sure.

bluGill said 12 days ago:

You often had to share your password in the real world. I've worked on systems where you were only allowed to login at one terminal at a time. If you are back and forth from your desk to the lab it is nice to know another password when you forget to logout in one location.

said 12 days ago:
[deleted]
ulucs said 12 days ago:

I guess, to enter the Unix password you need physical access to a machine. If they have access to a machine and can crack a lowercase password, a harder password will not necessarily save you. So at least you can make it easier for you to type.

vesinisa said 12 days ago:

In fact, the system where the password originates from (3BSD) was released in 1979 and had commands like net(1) for "execute a command on a remote machine" - given a password was provided. Since quite the early days Unix has been designated as a multi-user time-sharing OS for large expensive computers.

bobwaycott said 12 days ago:

I’m slightly confused by the part where the author states a 7-bit search would take 2 years on a modern GPU, and the answer was found in 4 days on a Vega64. Isn’t that a modern GPU? Have I misunderstood here, or was the author’s math incorrect?

stevewodil said 12 days ago:

It would take two years to generate every hash, but this one happened to be generated earlier than that. It would also be technically possible to guess a Bitcoin address private key on the first guess, but there are 2^160 total possibilities

bryanrasmussen said 12 days ago:

That password was pretty long - could be a complete windowing system written in J.

soohyung said 12 days ago:

The password is only the last 8 characters, everything before the colon is the password's hash.

bryanrasmussen said 12 days ago:

I'm certainly not going to let reality get in the way of a joke about the compact expressiveness of J.

dataminded said 12 days ago:

Reminds me of when I cracked the domain admin account at work so that I could install software that I needed to do my job. IT was slow and unresponsive so I figured that I would help them.

mikorym said 11 days ago:

Surely this was a perhaps modified dictionary attack that solved it in the end?

I don't understand the comments that describe (presumably random) 10+ char passwords as "crackable".

qrbLPHiKpiux said 12 days ago:

Dave MacArt, computer science teacher, high school Username Mac Passwd Cam

Easy brute force in 1989 I got in big trouble for it because I messed up the server.

rcpt said 12 days ago:
frou_dh said 12 days ago:

He would have had to expend quite some calories to type that out every time on an ancient keyboard with chunky keys and massive travel.

floatingatoll said 12 days ago:

Uphill! Both ways!

How many fewer calories do I burn when typing on a low-travel keyboard rather than an old mainframe keyboard?

aasasd said 12 days ago:

I can just say that attempting to even begin learning to play bass guitar had me exercising the fingers for two–three hours before they stopped feeling like wooden sticks on the strings. Almost every day. I.e. mashing the keyboard is no workout at all.

This means, however, that a typewriter would likely noticeably exhaust a modern keyboard jockey, though not in eight characters (hopefully). But dunno about teletypes.

CDSlice said 12 days ago:

Probably not very many. According to XKCD What If? [1] a modern keyboard takes around 2 millijoules to press a key. Typing a full novel would take a few kilojoules. Even if an old mainframe keyboard took 10x more power to press the keys you would save less than an AA battery worth of energy over writing a full novel.

[1] https://what-if.xkcd.com/102/

floatingatoll said 12 days ago:

Using some conversions from an internet site, one AA battery is 1.3e4 Joules and a human requires 8.4e6 Joules per day, so about 133 seconds of energy saved per 6 months of novel, or two lost seconds of calorie burning exercise every three days.

(Lots of sketchy napkin math here)

tempodox said 11 days ago:

Digital archaeology has always been an interest of mine. Must be fascinating to investigate such antique artifacts.

rpmisms said 12 days ago:

I'm disappointed that it followed a pattern like that, since that's supposed to make it easier to brute-force guess.

lucb1e said 12 days ago:

Yes, any sort of logic is weaker than random characters. But this was a long long time ago, hence the weak passwords. Computers couldn't crack things that fast. Today, recommendations are still based on what we expect computers will be able to crack in the foreseeable future.

I remember a teacher used the password "music". We had every user's password in plaintext. This was useful when installing a new Windows domain controller and setting all the passwords (about 30 employees in the school) instead of copying hashes or letting them set their own passwords. In hindsight, I find it batshit crazy that some stupid intern (me) walked around the school with a sheet of paper with literally everyone's password on it, logging into people's systems where necessary or potentially forgetting the sheet somewhere. I'm not saying this never happens anywhere in the world anymore, but I do think security mindset changed in the last decades.

tom_mellior said 12 days ago:

On the other hand, being admin on a system is not that different. Sure, you don't have users' passwords, but you can still do arbitrary stuff in their name. Very large organizations will have some sort of system that logs this stuff and that you can't tamper with, but in a lot of places you could easily cover your tracks.

lucb1e said 12 days ago:

I would argue that having passwords made up by users and having access to a user's work account is a little different. In the former case, I see what kind of password they use and can guess that they reuse the password (or a variant) elsewhere. I can also take knowledge if I get fired, but my admin permissions are revoked.

UI_at_80x24 said 12 days ago:

Edward Snowden would agree.

sonofgod said 12 days ago:

circa 1995:

Teacher had password written on the BACK of the clipboard they carried around everywhere.

Said teacher's password was 'qwerty'.

(Yes, it worked)

floatingatoll said 12 days ago:

It seems likely that someone will write an archaic chess notation pattern engine into the crackers now that this has been discovered and shared widely.

henrik_w said 12 days ago:

I agree, but didn't seem to help in this case though :-)

reubensutton said 12 days ago:

I wonder how long it was between this password crypt approach and the first practical cracker for them

octosphere said 12 days ago:

I use a diceware[0] passphrase for my Keepass database. I was inspired heavily by XKCD comic 936[1]. My only issue with password managers is that they are a single point of failure and are juicy targets for hackers, so I usually vet them and audit them thoroughly before I use them. I am one of those rare people that actually looks at the source code of password managers to look for flaws in the implementation (I sometimes spot flaws and duly report them to the maintainers).

One caveat to diceware I never liked is how it wears out the keyboard over time as you have to type the same passphrase each time to open the vault (You would be surprised how many times I need to do this each day). I sometimes have to lock my database to avoid evil maid attacks when in a hotel for example. Of course I go through about three keyboards a year because of this, but I don't mind the cost if it gives me a crispy fresh keyboard each time. And did I mention I don't own merely one encrypted database, but many depending on different contexts and different devices?

[0] https://en.wikipedia.org/wiki/Diceware

[1] https://www.xkcd.com/936/

sfink said 12 days ago:

So you're saying that if I get access to your current keyboard or any of your former ones, I can get all of the keys used in typing your master password just by looking at the wear pattern? Hey, thanks for the tip!

Twixes said 12 days ago:

Your switches/keycaps must be kind of crappy if there's that much wear on them from typing the same thing often

MayeulC said 12 days ago:

I guess you could switch keycaps at a much lower cost, depending on your keyboard model. If those are blank, randomly shuffling them around might be enough as well (if you can do without the new keyboard, and don't think that an attacker would look at the keyswitches' wear).

This is also something I see quite often on mobile phones with a pin/pattern unlock: you can often infer the pin from the wear pattern, or the grease marks on the screen if the phone was used recently.

My keycap wear pattern more or less mirrors the letter frequency in the languages I write.

wibble10 said 12 days ago:

I’m sort of curious what dmr’s was now (his hash is gfVwhuAMF0Trw) from the same dump...

toolslive said 12 days ago:

disappointed he didn't use algebraic notation. Could have been: e4e5f4ef

phonebucket said 12 days ago:

Thompson is a person of class, hence opening with the queen's pawn. The Kings Gambit accepted is too brutish.

CrazyStat said 12 days ago:

Algebraic notation wasn't in common use in the US until the 80s. 3BSD was released in 1979.

inetsee said 12 days ago:

Wouldn't that be easier to crack, since it doesn't have any special characters?

sergers said 12 days ago:

But then he would have a more easily crackable password

floatingatoll said 12 days ago:

If you can find a good link about why algebraic notation is better, it would make an excellent HN post of its own today.

abjKT26nO8 said 12 days ago:

And it would be easier to crack this way.

MadWombat said 12 days ago:

Queen's pawn, so d4d5e4de

toolslive said 9 days ago:

real men play the King's gambit ;)

buboard said 12 days ago:

Seems hard to remember. Could it be a collision?

CJKinni said 12 days ago:

It's a chess opening, in an older notation. But for someone into chess in the 70s, it wouldn't be hard to remember.

gfiorav said 12 days ago:

It's a chess move

buboard said 12 days ago:

oh! I thought the whole thing was the password, apparently the first part is the hash

jfengel said 12 days ago:

And an extremely common one.

said 12 days ago:
[deleted]
quickthrower2 said 12 days ago:

Serious question: Was this illegal to crack?

quickthrower2 said 12 days ago:

Troy, please add this breach to https://haveibeenpwned.com/Passwords

AdamN said 12 days ago:

Seems like an annoying password to type.

zymhan said 12 days ago:

I still have 0 idea what's interesting about this. How is this a chess move?

mark212 said 12 days ago:

the password is the last part: p/q2-q4!

it's a notational way in the chess program (written by Ken Thompson) to describe a chess move, "pawn from Queen's 2 to Queen's 4."

A very common opening move that "puts a pawn in the center, controlling the important e5-square, and opens the line for the Bc1."[1]

The notation is old. Modern notation would just write it as "d4" because there's only one piece (a pawn) who can move to that square as the first move and only one spot from which it can move (d2).

[1] https://www.chess.com/openings/A40-Queens-Pawn-Opening

zymhan said 10 days ago:

> the chess program (written by Ken Thompson)

AHHHH thank you this makes much more sense now

mmm3322 said 11 days ago:

p/q2-q4!

theemathas said 12 days ago:

https://en.wikipedia.org/wiki/Chess_notation

See the "chess notation examples" table. The password doesn't match any chess notation, but it's close enough that it's obviously (to me) intended to be a chess move. In particular, it moves the pawn in front of the queen (in the initial position) forwards two spaces.

tiep said 12 days ago:

I'm interested in this, have a copy of it?

said 12 days ago:
[deleted]
fao_ said 12 days ago:

Wow, I didn't expect the thread to go this far

usebunsby said 12 days ago:

Hmm. That's interesting.

thiagoc said 12 days ago:

"Now I need to change my password on all websites that I use >:/"

mseepgood said 12 days ago:

So he moved on from chess to Go?

caseyw said 12 days ago:

I laughed here. Thank you kind human!

jedberg said 12 days ago:

Back when I worked in IT many years ago, one of the things I did each week was run JohnTheRipper on our password file. If it cracked your password, it sent you an email saying your password was weak and you had to change it.

If you were in the next week's batch, it emailed you and told you "your password is foobar, which we discovered by cracking the password file, and it is weak. You must change it". Yes, I emailed them their password in plain text using our internal email system. Jury's still out on whether that was a good idea. :)

The next week we just disabled your account and you had to come to IT to fix it.

One guy actually got fired for his password. He was already being super creepy and making the girl who sat across from him uncomfortable, but she never told anyone. Then we cracked his password, which was a very naughty phrase about the girl who sat across from him. I reported it to HR, who asked the girl, who then said he was creepy, and so they acted swiftly on the reports and got him out of there.

parliament32 said 12 days ago:

I'm conflicted about this. I know I'd be pretty upset if an employer started talking to me about a plaintext password that's supposed to be hashed. The problem is that they brute forced it and then sent it directly off to HR? Yes, as a sysadmin it's perfectly acceptable to be searching for weak passwords, but reading the plaintext yourself for fun then scurrying to HR is kinda a slimy thing to do. As an admin you have an obligation to your users to not be nosy, and if you find out something you shouldn't, keep it under your hat. Just because you have the ability to peek into the CFO's mailbox and see what everyone's salary is, doesn't mean you print out the spreadsheet and take it to your boss demanding a raise.

It's kinda like if you got in trouble for playing Farmville or whatever while sitting on the toilet at work, which they found out about by installing cameras in the stalls. Yes, I shouldn't have been doing that, but how you found out is also a huge issue and I'd feel pretty violated.

You should probably re-read the sudo warning:

    We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

jedberg said 12 days ago:

I wasn't reading the cracked passwords for fun, I was verifying the output. And it was well known that we cracked the passwords, and he had already gotten the first warning that it was cracked, so he knew we knew it.

That's why I didn't feel bad taking it to HR. I already had a sense that he was doing bad stuff, and the password just solidified it for me.

kelnos said 12 days ago:

I think this is analogous to the philosophy behind "duty to report" type laws. If you discover -- even through a completely unrelated activity -- harm being done to someone, it is your ethical responsibility to report it to someone who can help. Obviously some amount of discretion is necessary, as some things are sensitive enough that reporting in the wrong way, or to the wrong person, could cause the situation to be worse, but as a general rule, if you see something bad going on, you should try to make the situation better if you're able.

I think OP acted entirely appropriately.

To address a couple specific points:

> As an admin you have an obligation to your users to not be nosy

In the free-wheeling academic sense where your users are more of a community, sure, I think that's the accepted social contract. In the workplace, not at all. While I'm not a fan of employers spying on what their employees do on the employer's network and hardware, I fully appreciate that it is their right to do so, and in some situations, for some purposes, I might even agree with its necessity.

> reading the plaintext yourself for fun then scurrying to HR is kinda a slimy thing to do

I don't think "fun" had anything to do with it, and reporting a likely case of sexual harassment, regardless of how the information was obtained, is never "slimy". Quite the opposite.

> Just because you have the ability to peek into the CFO's mailbox and see what everyone's salary is, doesn't mean you print out the spreadsheet and take it to your boss demanding a raise.

That is indeed slimy, unethical, and likely a violation of company policy, but that is not even remotely the same as what the OP did.

> if you got in trouble for playing Farmville or whatever while sitting on the toilet at work, which they found out about by installing cameras in the stalls

Also not even remotely the same. Any reasonable person would agree that cameras in bathroom stalls would be a gross violation of privacy (and probably illegal).

adrianmonk said 12 days ago:

Former sysadmin here. I think there's a careful balance that needs to be struck, both by admins and users.

As a user, you should realize that when you're on company equipment, privacy is more of a courtesy than a right. It's their equipment you're using. It's reasonable to expect them to use it in a way that furthers the company's interests. So act accordingly.

As an admin, you don't ever go digging through stuff for no reason, for curiosity, voyeurism, or for personal reasons. But again, watching out for the company's interests is part of your job, so if you run across something or have a concrete need to actively look for something (not just a fishing expedition), then lifting the veil of privacy might be the right choice or even the only right choice.

Basically, in a corporate computing environment, privacy is not guaranteed, but crossing lines should have a proper justification. In your CFO example, the sysadmin is using official powers but acting in their own interest, so that's definitely not an OK justification.

feanaro said 12 days ago:

> It's their equipment you're using.

I don't find this a very good argument. Sourcing inspiration from a sibling comment, it's also the employer's bathroom stall. I might be convinced it's okay to snoop when it comes to their network usage, but this is not the argument to do so.

adrianmonk said 6 days ago:

Responding late, but yeah, you raise a valid point.

The difference to me is in the purpose of the two facilities. A toilet is there for the employees' physical needs and more or less no other purpose. A computer is there primarily to do business work on. The company has a clear need to be involved in how that computer is used in several ways, such as maintaining its security, monitoring its performance, making sure it isn't misused, etc. They can afford you some privacy, but only on a best-effort basis because it's not reasonable to be entirely hands off.

wil421 said 12 days ago:

How is that slimy? You have no expectation of privacy at work. The company owns everything. They not only own it but they monitor everything that’s done on their devices.

If you don’t want something read by your employer don’t do it with company property or on their WiFi. It’s a rule I live by and I never connect any personal device to my company’s guest WiFi.

crtlaltdel said 12 days ago:

and to think of all the times i used passwords that were some variation of “thisCompanySucks@$$!” or “B1llis@d!ck”...

bcit-cst said 12 days ago:

Yeah that is some NSA shit.

jedberg said 12 days ago:

Not really. It was well known that passwords were being cracked, and the guy in question was even warned already that his password had been cracked the week before.

program_whiz said 12 days ago:

Wait, how is it a common / weak password if it has some oddly sexual phrase regarding a specific person? Sounds like it's literally just brute-forcing, in which case you're just going to hit random users' passwords.

jedberg said 12 days ago:

A string of dictionary words and a very common name. And yeah, JohnTheRipper was a brute forcing dictionary attack that was very common. If anyone had access to the password file they could run the same cracker. The idea was to crack the passwords before an adversary could using the same tools.

1000units said 11 days ago:

Next time you can push for explicit password quality requirements and something like 2FA instead of violating people's privacy and weakening their security at the same time. (Can you imagine anyone reused personal passwords?) This eagerness to apply fun tools in the workplace is in large part what built the heinous surveillance apparatus that's probably going to kill a lot of people as soon as a sufficiently strong-willed fascist takes control again. Richard Stallman has called this "Stalin's dream", but ironically he was also recently Cancelled for ridiculous allegations of sexual misconduct and wrong-think, so perhaps this allusion is not sufficiently powerful for this audience anymore. A shame if so.

1000units said 12 days ago:

Much "NSA shit" is also well known.

The questionable behavior in this case is getting a guy fired for selecting a politically-incorrect secret passphrase. This is merely one step removed from reading his brain and figuring out he fantasizes about spanking coworkers while having sex with them. (I've done this, and yet we are good friends!)

We don't know all the details, maybe that guy actually harassed people, but scrutinizing someone's private thoughts without prior suspicion for offensive-but-noncriminal behavior that can be pivoted into larger accusations is how police states work.

In the best case, this encourages people to filter their private thoughts and actions by the standards of what is acceptable to advertise publicly, which is incredibly unhealthy and oppressive.

kelnos said 12 days ago:

> The questionable behavior in this case is getting a guy fired for selecting a politically-incorrect secret passphrase.

I think you're being disingenuous. The guy got fired for sexual harassment. The password merely tipped people off as to what was going on. Don't use a weasel word like "politically incorrect" to re-frame the discussion in a way that's both incorrect and more favorable to an emotional reaction in your favor.

1000units said 12 days ago:

It's stated that he was fired for "being creepy", which is a highly underspecified complaint that can be used against someone you find disagreeable for any reason, only some of which warrant termination-of-livelihood. I was being charitable assuming that the real accusation involved actually harassing someone.

jedberg said 12 days ago:

I said "being creepy" because I was being vague. He was doing much worse than that.

1000units said 12 days ago:

Like what? I have an ex-girlfriend whom I dumped when she (among other things) called my family and lied about me getting into a horrible accident because we were arguing about her [several hard street drugs] addiction. I cared about her enough to stick around until after the drug problems started. She tells people I'm a "creep" when she explains why we didn't work out, because we had been together for a while and I seemed like a decent guy. I literally moved to a different state because she'd show up at my home and work frenzied, and I knew a restraining order would land her in jail (and cause her to lose her surprisingly good job, which I was sure was the last remaining foothold of stability in her life; at this point I was literally worried about indirectly killing her by protecting myself). She still doesn't know where I live, some of my throwaway accounts have the phrase "FUCK [her name]" in their password, and (old, because I can't share contact anymore) mutual friends have told me she tells everyone that I developed hardcore schizophrenia and generally behaved like Satan. The shorthand for this is "creep".

laughinghan said 12 days ago:

I'm sorry that happened, that sounds like a terrible situation.

Do you see how I took you at your word and extended sympathy, rather than questioning whether you're misrepresenting the situation? Is there something you know about the facts of jedberg's situation that leads you not to do the same?

1000units said 12 days ago:

He has not presented any facts that are under contention, only normative estimations that rely on facts that are deliberately unspecified.

The politically and economically safe option in the workplace is always to discard people who fall under scrutiny that exposes an employer to liability. This raises the reasonable standard of complaint for these types of issues beyond "his password, which I cracked despite design and goal to remain private to one human soul ever, was weirdly suggestive, and none of the people ostensibly involved have voiced any concerns but I must Report This to The Authorities and Start the Hammer Falling."

Suspicion and doubt are very powerful weapons, and sometimes they're used against good people in the name of heroism, saying nothing of bad motives. They also have the feature of being incredibly hard to dispel entirely once raised, regardless of the quality or scale of the evidence. If someone looked at my F-word password with the wrong prior or coaching, I'd have to break out volumes of psychotic voicemails, videos, pictures, testimony by family and close former friends, etc, to prove I shouldn't be Cancelled.

Can you think of a crackable-length passphrase that would make a normal, level-headed person suspicious enough to make efforts that almost guarantee someone is going to get fired in the worst way possible?

said 12 days ago:
[deleted]

laughinghan said 12 days ago:

> The politically and economically safe option in the workplace is always to discard people who fall under scrutiny that exposes an employer to liability.

What leads you to believe this? You are aware, I assume, of the existence of "wrongful termination" lawsuits, many of which have cost companies millions of dollars?

> Can you think of a crackable-length passphrase that would make a normal, level-headed person suspicious

"rape Karen fun"

> fired in the worst way possible

What about this sounds to you like the worst way possible to get fired? Here are some ways to get fired that sound way worse to me:

"several frightening, anonymous calls that came into his work phone. One caller told him that [...] he wouldn’t live to see the weekend. Another said that the “fancy blue tie” he was wearing that day might wind up turning red. [...] an effort by the [company's] attorney to discredit him by falsely claiming he’d had a romantic relationship with [coworker he was standing up for]. Shortly afterward, [his employer] fired him."

"only two weeks after her hire, while she was in the passenger’s seat of [male employee]'s car returning from a business meeting, he exited the 101 freeway, stopped his car on a side street, and pulled his erect penis from his trousers. With the doors and windows locked from the driver’s side, he reached over “and pushed her head on his erect penis in an attempt to force her to orally copulate with him,” according to her complaint. He then ejaculated.

[her] horrifying depiction of sexual assault went on for pages. There was the ride back to the office after a client visit two days later, when [male employee] again tried to force her to touch his penis and “almost careened into a commercial eighteen-wheel vehicle.” Another time in the car, this time in standstill traffic, he took his erect penis out of his trousers and shoved her left hand back and forth on it, again ejaculating. In the complaint, she says she tried to free her hand but “was unable to overcome his strength.” In another incident, he called her into his office, locked the door behind her, and tried to force her to have sex. That time, the complaint says, she “managed to escape his grasp.”

A month after that frightening incident, [she] was fired by [him], purportedly for “an attitude problem, aversion to directions, resistance and resentfulness.” She told the office supervisor about [his] assaults and suggested that the “attitude problem” [he] had referred to was her resistance to his assaults. The supervisor told her that sort of workplace conduct was considered “normal”"

https://theintercept.com/2019/10/07/metoo-wall-street-sexual...

1000units said 12 days ago:

Three responses in turn,

1. The courts are profoundly unfair. Are you comfortable forcing harassment victims to go through the courts for what are literally criminal allegations?

2. This example seems too contrived and implausible, as is anything else I could think of. The whole story just seems too magical. Maybe I'm just being hard-headed and arguing with a hero.

3. I will concede that is a more unpleasant series of events without care for semantics.

laughinghan said 11 days ago:

1. I have no idea what you're talking about. You suggested the liability risk for employers is extremely one-sided such that the "safe option ... is always to discard people". I asked if you were aware of the enormous, court-tested liability risk employers face when they discard people. What leads you to believe the liability risk is nevertheless extremely one-sided?

2. Someone sexually harassing his coworker and saying something sexual about her in his password seems magical and unlikely to you? You don't believe the hundreds of corroborated stories about men saying stuff like that openly? Or you think people are less likely to do that in something semi-private like a password than openly?

1000units said 11 days ago:

1. It's difficult to safely discard people on the basis of their belonging to a certain set of protected classes, which does not include those accused of sexual misconduct. As soon as you have someone willing to issue a complaint you can't disprove, you're prepared to safely remove your enemies. There's a reason savvy managers never have private meetings with women.

2. It's magical that some guy exposed a "creep" Doing Very Bad Things by looking at his password he cracked. No witnesses complained, the victim had never complained, just from a distant computer we catch this faint whiff of something wrong in the strangest (invasive, aside) way and turn out to be a hero. Or maybe we just sent a weird password to HR, and they did the default thing and fired the guy for nuisance and liability, and years later we remember the justification that he must have deserved it because he's gone. (Details? Sorry, can't!) It's easier on the conscience, too.

asveikau said 12 days ago:

Sorry to hear about an unpleasant situation. However, I think it's safe to assume this is unrelated to the story about the dude's password and HR issues.

1000units said 12 days ago:

My password says "FUCK [a woman whom I no longer have an intimate relationship with]". This doesn't concern you? Does it concern 'jedberg?

asveikau said 12 days ago:

Well it's none of my business and after the story you've shared I can't say I am very concerned. But in the story about HR, they looked into it and there was "other stuff", I guess they concluded something else about that situation.

We don't know what that "other stuff" is and if it's right or wrong, but it's also likely not the exact same situation as your very detailed and specific story, is my point.

1000units said 12 days ago:

There's at least another similarity, and that's that neither of us had been accused of misconduct in our workplace. If anything, he was looking sharp relative to my vindictive smear campaign.

perl4ever said 12 days ago:

"...hardcore schizophrenia..."

As opposed to the softcore kind, natch.

1000units said 12 days ago:

As I've learned the hard way, this kind of ignorance of abnormal psychology can lead you into big problems.

brosinante said 12 days ago:

Yes, creepy sexists need our protection and it's exactly the same thing as playing farmville on the bathroom.

Quekid5 said 12 days ago:

You know, it's quite possible for multiple people to be "wrong" in a given situation. It's possible for both the employee and the sysop to be wrong.

yaseer said 12 days ago:

I agree, but morality is sticky and complex.

It was obviously wrong to be the creepy sexist.

In the abstract sense, it is wrong to invade privacy.

But then, if in your invasion of privacy you uncover a wrongdoing, the right thing to do is report it.

It would be wrong to read the CFO's email inbox, and probably illegal. But then if you uncover they are committing fraud, you need to report it to police, as well as confess your own crime.

Unfortunately, there are never easy rules for these things.

WBrad said 12 days ago:

I get what you're saying here but:

>In the abstract sense, it is wrong to invade privacy.

You have no real expectation of privacy when using company owned equipment. This was almost certainly spelled out to the employee in question in the acceptable use policy he agreed to upon being hired. Companies have to operate this way so they can investigate computers if compelled to by court or law, and so they can recover important information off computers when the user exits the company.

If he was using a BYOD computer I'd have a different opinion on the matter.

Quekid5 said 11 days ago:

The definition of acceptable use (and expectations of privacy) differs a lot between different countries. For example, in the EU, I believe that any personal email received on a work account is actually considered "beyond reach" of your employer.

I don't know, but I imagine that such considerations could easily extend to your password.

Btw, how did the sysop know that what he recovered was the actual password? I mean, it's unlikely, but at least theoretically possible that it was a false positive. The password hashes in those days were pretty weak... Just a thought; I don't think it realistically was a false positive.
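
As an added example (not jedberg's own tooling and not John the Ripper's code), here is the weekly audit loop jedberg describes earlier in this thread (crack, warn, warn again, disable) combined with the check Quekid5 is asking about: before anything is reported, each candidate the cracker emitted is re-hashed with the stored salt and compared to the current hash, so a stale or mismatching candidate is dropped instead of acted on. The salted SHA-256 hashing is a constructed stand-in for crypt(3), the `user:candidate` report format is an assumption modelled on `john --show`-style output, and every user and password below is made up.

```python
"""Weekly weak-password audit with escalation (added example, not the
commenter's own script).

Hashing here is a salted SHA-256 stand-in for crypt(3), chosen so the
example runs offline; the verification step is the same idea as with a
real shadow file: recompute the hash with the stored salt and compare.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

WARN, WARN_AGAIN, DISABLE = "warn", "warn_again", "disable"


def hash_password(salt: str, password: str) -> str:
    """Constructed stand-in for crypt(3): 'salt$hex(sha256(salt+password))'."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"


def verify_candidate(stored: str, candidate: str) -> bool:
    """True only if `candidate` reproduces the stored hash.

    This turns a cracker's claim into a confirmed finding: a candidate that
    no longer matches (the user changed the password since the hashes were
    exported, or the report is stale) is discarded rather than reported.
    """
    salt = stored.split("$", 1)[0]
    return hmac.compare_digest(hash_password(salt, candidate), stored)


def parse_cracker_report(text: str) -> dict:
    """Parse 'user:candidate[:...]' lines into {user: candidate}.

    The colon-separated shape is an assumption modelled on `john --show`
    output; lines without a colon (e.g. a trailing summary) are ignored.
    """
    found = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, candidate = line.split(":", 2)[:2]
        found[user] = candidate
    return found


@dataclass
class AuditState:
    """Consecutive weeks each user has been confirmed weak."""
    strikes: dict = field(default_factory=dict)


def run_week(state: AuditState, shadow: dict, report: str) -> dict:
    """Apply one weekly round; returns {user: action} for confirmed-weak users.

    Escalation follows the policy described in the thread: first week warn,
    second week warn again, third week disable. A user absent from this
    week's confirmed set has fixed the password, so the counter resets.
    """
    actions = {}
    for user, candidate in parse_cracker_report(report).items():
        stored = shadow.get(user)
        if stored is None or not verify_candidate(stored, candidate):
            continue  # unknown user, or candidate does not match current hash
        n = state.strikes.get(user, 0) + 1
        state.strikes[user] = n
        actions[user] = WARN if n == 1 else WARN_AGAIN if n == 2 else DISABLE
    for user in list(state.strikes):
        if user not in actions:
            del state.strikes[user]
    return actions


def demo() -> list:
    """Three constructed weeks: alice never changes, bob fixes his after week 1."""
    state = AuditState()
    shadow = {
        "alice": hash_password("x7", "foobar"),
        "bob": hash_password("q2", "letmein"),
    }
    # Constructed cracker output; a summary line is included on purpose.
    report = "alice:foobar\nbob:letmein\n2 password hashes cracked, 0 left\n"
    week1 = run_week(state, shadow, report)
    shadow["bob"] = hash_password("q9", "correct horse battery staple")
    week2 = run_week(state, shadow, report)  # bob's old candidate is now stale
    week3 = run_week(state, shadow, "alice:foobar\n")
    return [week1, week2, week3]


if __name__ == "__main__":
    for i, actions in enumerate(demo(), 1):
        print(f"week {i}: {actions}")
```

The verification step is what answers the false-positive question: a cracker only ever outputs a string that hashed to the stored value under the stored salt, and re-running that computation on the audit side confirms it against the hash currently on file. The example records only the action to take and never carries the recovered plaintext into the notification; whether a warning quotes the password back to the user, as jedberg's did, is a separate policy choice.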

WBrad said 10 days ago:

That is true, there are stronger privacy protections in the EU in general. I don't consider the actions here morally justifiable, just legally.

As far as it being the actual password, a false positive AND the fact he had been creeping on a coworker at the same time seems extraordinarily unlikely to me.

Quekid5 said 4 days ago:

Agreed about the false positive, btw. It was just a hypothetical, but court cases ("beyond reasonable doubt") have a very high standard of proof.

yaseer said 12 days ago:

You make a compelling point. The key is 'acceptable use'.

Acceptable use is cracking passwords in an investigation with just cause.

Acceptable use is a script to automate the checking of weak passwords, and notify users.

Unacceptable use is an admin browsing cracked passwords, without just cause.

I personally think acting on the information obtained afterwards is acceptable, but some would disagree.

Remember even in some courts, evidence obtained by police illegally cannot be submitted for trial.

I maintain these moral problems are hard ones.

Quekid5 said 11 days ago:

You said "... but morality is ..." and just agreed with me, I think?

Ultimately, I think it's a case-by-case on this type of thing.

Btw, I find it very interesting that e.g. most EU courts will consider "tampered-with" evidence, but obviously take into account that it may have been tampered with and so accord it much less weight than "pristine" evidence. Whereas US courts will[0] absolutely throw out anything that's shown to be even mildly "tampered-with". I don't know what the right answer is, but it's an interesting question to ponder.

[0] Maybe this is wrong; I'm not a US-ian, so I may not have perfect insight into the court system :|.

yaseer said 10 days ago:

I agreed. I just wanted to take it a stage further and emphasise the definition of 'wrong' is always complex in moral discussions.

Quekid5 said 10 days ago:

Noice :). I apologize for the somewhat aggressive/sarcastic tone at the start of my reply. Reading it back, it sounded so much "more" (in every way) than I intended.

ben509 said 12 days ago:

> It was obviously wrong to be the creepy sexist.

It's not obvious as we haven't heard his side of the story.

lilyball said 12 days ago:

It is possible, but that's not what happened. sysop was in the right here. Stop defending someone's right to be extremely creepy on company equipment over the well-being of the creep's coworkers.

parliament32 said 12 days ago:

It's one of those "everyone sucks here" situations.

dang said 12 days ago:

"Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize. Assume good faith."

"Don't be snarky."

https://news.ycombinator.com/newsguidelines.html

coldtea said 12 days ago:

If people could read your thoughts (or private messages) I'm pretty sure they could find at least 5 things to fire you and/or publicly whip you at a pillory in the central square of your city.

So don't be so arrogant about someone being "creepy" when they are not mentioned as doing anything specific in public...

AlexTWithBeard said 12 days ago:

Yes, a person alleged to be a creepy sexist deserves some protection and due process.

sokoloff said 12 days ago:

> Yes, a person alleged to be a creepy sexist deserves some protection and due process.

I agree with this. Everyone deserves due process.

It sounds in this situation like they got their due process. (HR didn't fire them based on the password report, but rather used diligence and due process to investigate/corroborate and only then terminate them.)

behringer said 12 days ago:

Yep you got it right.

michannne said 12 days ago:

Cool, false equivalence seems to be the norm on HN nowadays

dang said 12 days ago:

Please don't reply to a bad comment with another bad comment. That only makes this place even worse.

https://news.ycombinator.com/newsguidelines.html

rukittenme said 12 days ago:

Please provide to me all of your personal details. Don't be alarmed. This is standard procedure. We just want to make sure you have the correct moral character to participate on this forum.

Browser and search history, email passwords, diaries, and a list of medical professionals that I can contact to vouch for your mental stability should suffice.

We will reach out in the next few days to conduct a character assessment review. Thank you for your cooperation!

If you have any questions, do not hesitate to fill out a form with the Health and Safety Commission offices. Our hours are 10 AM to 3 PM every other Tuesday of every other month.

Remember, your health and safety is important to us.

mongol said 12 days ago:

I don't know what to think about this. A password is supposed to be secret so I don't know what a naughty phrase in secret is a violation of? It is not very different from writing something naughty in a private diary, or even thinking a naughty thing.

CydeWeys said 12 days ago:

The guy wasn't fired for the password, he was fired for the sexual harassment of a coworker.

And nothing you do on a work computer is secret from your employer. It's not a "private diary" if you're using your employer's hardware.

astine said 12 days ago:

I think that it's the conjunction of the password and the harassment accusation together that make this a fairly straightforward case. If it were just a creepy password, well, that demonstrates a certain level of creepiness but doesn't mean that he made it a problem for anyone else. It's possible to have private fantasies that remain private. On the other hand, if it was just the coworker's accusation, it would be just that, an accusation without evidence.

The password as evidence of private creepiness lends credence to the accusations of harassment, and the accusation of harassment demonstrates that the creepiness was probably not just private. Together they create a case stronger than either alone.

reedwolf said 12 days ago:

>he was fired for the sexual harassment of a coworker

OP is vague on what this guy actually did. Note that they only went to the girl after cracking the password, and she said he was "creepy" towards her.

"Creepy" in this context might just mean FWU (flirting while ugly).

jedberg said 12 days ago:

I was being vague on purpose. He was doing more than FWU.

mywittyname said 12 days ago:

Creepy means they make another person feel threatened. It's certainly not a term most women would use lightly. For example, my sister's "creepy" neighbor would come out of his apartment anytime she came home by herself and would engage her in conversation while attempting to follow her into her apartment.

That's not "flirting" (even if said guy thought that's what he was doing), it's straight up threatening behavior.

munk-a said 12 days ago:

Just to note

> He was already being super creepy and making the girl who sat across from him uncomfortable, but she never told anyone.

The OP actually did mention that there was prior bad stuff that had gone unreported (quite possibly due to a power imbalance). In the end:

1. Nobody is getting fired over a password alone.

2. Traditionally it's been very balanced against women reporting such things.

said 12 days ago:
[deleted]

CydeWeys said 12 days ago:

If he got fired for it, it was probably bad.

And you shouldn't be flirting at work.

tbabb said 12 days ago:

I think it's very interesting how, despite knowing nearly nothing about the situation, everyone here is quick to doubt the victim, and make up scenarios (for which there is zero evidence) where the harasser is the victim.

bcatanzaro said 12 days ago:

For all its flaws, innocent until proven guilty is still the fairest justice system. Beyond a reasonable doubt is a high standard of proof.

Because we use this standard, it is natural for people to look for reasonable doubts when talking about accusations.

That is how western society works. And for very good reasons.

ScottBurson said 12 days ago:

I think there's more to it than that. If you have some time, give this a read: https://www.propublica.org/article/false-rape-accusations-an...

Since it's quite long, I'll summarize. An 18-year-old woman, "Marie", who had been in foster homes since the age of 6 or 7, reported having been raped. Her two previous foster mothers, both of whom she was still friends with and whom she told about the rape, suspected she was fabricating the report and, after discussing the matter with each other, said so to the police. Despite the significant forensic evidence, the police persuaded her to recant and ultimately charged her with filing a false report. A couple of years later, a serial rapist with a penchant for photographing his victims was caught. Among his effects was a photograph of Marie.

What does this story tell us? First, that even someone who has just been raped may have difficulty relating the event in a coherent and consistent way, and may not seem to be feeling the emotions one would expect of someone to whom that had happened. (The implications for the Brett Kavanaugh affair are obvious.) Second, that even female friends of the victim might be led by such inconsistencies to doubt the veracity of the report — a sobering observation. And third, that the slogan "Believe Women", though it cannot be taken as an absolute, is still important to repeat, because it's still far more likely that a true report will be doubted than that a false one will be believed.

Falling3 said 12 days ago:

> innocent until proven guilty is still the fairest justice system

Justice system administered by a state where the repercussions include imprisonment and death - absolutely. But HR is not a judicial system and should not be viewed as one. I think I take your point to be just a descriptive observation of "our social discussion reflects a habit based on our exposure to judicial systems" and not a normative statement. Even if it's the former, I think it's naive and ignores a very real culture of doubt and victim-blaming exclusive to sexual violence.

kps said 12 days ago:

Given the US's employer-based health care system, HR can sentence some people to death.

Falling3 said 12 days ago:

That's a fair point. And we should rectify that by fixing our healthcare system, not by making it harder for assault survivors.

didibus said 12 days ago:

I agree with you, but there is no crime here, just bad work conduct, and as a professional, that makes you not as good at your job, and as an employer, it can justify letting you go.

Call it a bad cultural fit if you prefer. Someone who cannot navigate the social work environment, and makes others feel uneasy and lowers their morale is not as good an employee as someone who'd have no issue doing so, and makes everyone else motivated and confident.

As an employer, I'd probably quickly try and replace such an employee, with someone who's just as good technically, but also has better social work ethics and collaboration skills.

This is totally fair to me. Being good at your job also involves being good with coworkers and promoting a healthy work environment which boosts everyone's productivity. If you have deficiencies there, try working on it. It'll be good for your career.

Now I know what's going to happen... But what if someone totally fabricated a case against you and brought it up to your employer and now your employer falsely believes that you're a big bully and harasser and that you hurt the work environment and they fire you over that?

And I think that's a bit of a fallacy counter-argument honestly. Some kind of reification fallacy. Yes in the abstract hypothetical, this would be unjust, and you can deduce that it was in fact the accuser who was being unprofessional and fabricating an environment of blackmail. But give us any concrete case, and we can now observe the facts of that case and see if employers did an unreasonable assessment or not. For example, we might see in real cases, there is always more than one complaint made, or there are recorded behaviors like emails, chat logs, naughty passwords, etc. Or there's repeated offense, or there was prior knowledge, etc.

And again, no crime here. An employer, for their business's sake, might prefer to lean towards "better careful than sorry". That makes total business sense to me.

tbabb said 12 days ago:

That is different from prioritizing imagined, hypothetical injustice over real, actual injustice.

Something obviously bad happens, and everyone falls over themselves to correct and defend not the bad thing that just happened, but a thing they just imagined might happen.

It's a very peculiar (and fairly revealing) thought pattern.

CathedralBorrow said 12 days ago:

> That is how western society works.

No, that's how justice systems in western society (and many others) work. Because guilty/not-guilty is a binary choice, there's no in-between option.

I don't have the same binary restrictions when I form an opinion based on the information available to me. As we all do.

barneygale said 12 days ago:

It's how the courts work, but not society in general. An individual can use whatever standard they wish to form an opinion. Would you insist that we all treat O.J. Simpson as innocent?

TimTheTinker said 12 days ago:

> Would you insist that we all treat O.J. Simpson as innocent?

The fair way is to withhold judgment (while presuming innocence) when there's a charge against someone but it hasn't been investigated. That's fair whether we're talking about courts or society. Society pronounced its judgment on O.J. after evidence was presented and witnesses testified.

The problem comes when people presume guilt based on a charge alone. Unfortunately, that's often what happens when high-emotion charges are leveled against someone.

cestith said 12 days ago:

We have a high standard for guilt in court because someone's freedom and perhaps life is on the line. You as a private citizen have a right to make decisions on less than a drawn-out court case and a sequestered jury.

So, in the eyes of the criminal courts, yes, OJ is still innocent. But would you have him babysit your kids based only on a reasonable doubt he's a multiple murderer?

TimTheTinker said 12 days ago:

> You as a private citizen have a right to make decisions on less than a drawn-out court case and a sequestered jury.

That's true, but it doesn't make my opinions morally justified.

But my point wasn’t about the verdict--the court’s, mine, or the public’s. It was that it is wrong to presume guilt anywhere—in court or in personal opinion—on the basis of a charge alone. (In OJ's case, we're all far past that, so I think bringing it up is a bit moot.)

cestith said 11 days ago:

I literally didn't bring up OJ. I was using the example already in use in the thread when I replied. The question, in a generic sense, is: if you have two equally qualified candidates, one of whom was acquitted and one of whom nobody has accused of wrongdoing, would you flip a coin or hire the one never accused?

TimTheTinker said 11 days ago:

> would you flip a coin or hire the one never accused?

I'd try to do neither. The reality is, no one is equally qualified because no one is identical to anyone else. There are always tradeoffs.

But I'd try to weigh those tradeoffs without being swayed either way by the fact that someone was once accused and later acquitted. Personally, I'm not even sure whether I'd be more or less likely to want to hire a person on the basis of that detail; I really think it's not evidence of anything.

It's like the influence of an independent variable Y in the logical formula "X implies Z", or like a "don't care" cell in a Karnaugh map -- it signifies nothing.

airstrike said 12 days ago:

> An individual can use whatever standard they wish to form an opinion.

I suppose we can all agree that any individual should at least first know the facts before forming their opinion.

cestith said 12 days ago:

But where's the innocent until proven guilty for the sysadmin and the woman accused of falsely accusing the guy who was fired?

HR doesn't fire on a whim. I'd default to saying this guy got due process.

kelnos said 12 days ago:

That's not how employment works, and (for better or worse) that's not how the court of public opinion works.

"Innocent until proven guilty" and "beyond a reasonable doubt" are critically important for a government-run judicial system, because they ultimately have control over your freedom, life, and death. While a job is certainly important, the loss of one job will not ruin your life unless you are particularly unlucky. So the burden of proof is much less.

Regardless of all that, it's just really saddening to me that the default seems to be that people assume that the victim is lying or overstating the harm done to them. This seems to be something very specific to sexual harassment cases that doesn't crop up as much or as universally with other accusations of wrongdoing. We clearly have a long way to go before we get rid of our knee-jerk biases about this sort of thing (and I'm no exception; I have them too).

apta said 12 days ago:

> That is how western society works. And for very good reasons.

Is the implication that non-Western societies don't work that way? Or that somehow it's only Western societies that came up with it, and all of them practice this behavior?

kbutler said 12 days ago:

Actually, yes. (Hopefully you were asking rather than woke-scolding).

Presumption of innocence traces back to Roman law (hence "occidental" from the Latin, meaning the going down/setting of the sun, or "western", referring to European countries). It has propagated at various rates through various cultures. Other cultures (including Germanic, which could also be classified as "western") did not have the presumption of innocence centuries ago. China (Latin "oriental", rising sun, or eastern) has been moving toward it in the last 50 years.

This doesn't say that no other culture has independently developed the presumption of innocence principle, but that the idea of it in modern judicial systems around the world traces back to Roman culture, and is generally associated with a body of ideas collectively called "western culture".

See https://en.wikipedia.org/wiki/Presumption_of_innocence

https://www.researchgate.net/publication/326070104_Understan...

kbutler said 12 days ago:

Always interesting when a statement is unpopular, but no counterarguments are presented.

A bit more clarification from the researchgate link above, talking about the movement toward presumption of innocence (POI) in China (emphasis added to the statements that Western societies came up with this behavior and that at least one non-Western society doesn't work that way):

"As POI is a legal principle originating in the West, its acceptance in the criminal justice context of China is a gradual and longstanding process. The CPL’s first revision, in 1996, adopts the clause ‘no person shall be found guilty without being judged as such by a People’s Court according to law’, but the protection guaranteed to criminal defendants under Article 12 of the CPL (2012) is different from the classic concept, which, according to the International Covenant on Civil and Political Rights (ICCPR), requires POI. Article 12 focuses on who has the power to issue a guilty verdict rather than on the presumption of the accused’s guilt or innocence during the investigation and trial."

harshreality said 12 days ago:

Because if people don't push back against it, what we get is yet another incarnation of the witch trials.

Some people evidently want that, because they're "not a witch" themselves.

It's really awful that in some/many cases, accusations of rape or sexual assault or sexual harassment or creepiness end up reducing to one person's word against another, when there's no good objective evidence either way.

You should doubt everyone. You should doubt the accuser. You should doubt the alleged harasser's claim of innocence. Without evidence, you can't adjudicate it, and unless it's a matter of rape or sexual assault, the compulsion to adjudicate it in the absence of evidence is unhealthy[1]. What you can do is try to engineer the environment or counsel the people so the alleged behavior by the accused or negative perception by the accuser is less likely to occur; most obviously, by separating them and ensuring they rarely/never have to interact.

If you can't keep the two people from communicating or interacting, and you have to fire one, and that one should be the accused, that is precisely a witch trial, but without a declaration of being a witch. The accused might not be a witch, but we're going to burn them anyway, because the social fabric depends on it!

And of course, criticizing witch trials can make you a witch, because there's evil in the world and therefore the witch trials must go forward! To do nothing is to enable witches, and who would want to do that except a witch? "Cui bono?"

[1] And in serious cases, you can try to take it to court, but it'll fairly likely end up unsatisfactorily for the accuser unless they're particularly persuasive or the defendant is obviously creepy or there's some other evidence. Even a string of accusers, although it means something, is not necessarily good evidence. Again, see the witch trials.

kelnos said 12 days ago:

I consider dealing with workplace accusations more like dealing with a lawsuit, rather than dealing with a criminal case.

Studies bear out that false accusations of sexual misconduct are exceedingly rare. If you go just by the odds, the likelihood is that when someone accuses someone of misconduct, it probably happened.

That doesn't mean you just accept an accusation at face value, but it does hopefully set the stage for you to be sympathetic, and committed to be thorough and to actually listen to what the accuser is saying. You of course do an investigation. You talk to the involved parties. You talk to witnesses, if there are any. Some of these witnesses may not have been present for any of the alleged offenses, but might speak to the involved parties' character. Does the accused act creepy around other people? Is the accuser constantly making up false stories about people?

If it does boil down to taking one person's word against the other, then I don't think the default should be to just separate the people and hope nothing happens again. Just as in a civil law case, part of the determination (both the direction of the judgment itself, as well as the magnitude of any penalties) is based on who is more persuasive about any available evidence, not strictly about whether the evidence alone is more or less damning.

It's not cut and dried. It's not clear. It's fuzzy and muddy. That's unfortunate, but happens to be the reality of dealing with humans.

deanCommie said 12 days ago:

First they came for the rapists, and I didn't say anything, because I wasn't a rapist.

Then they came for the sexual harassers, and I didn't say anything, because I wasn't a sexual harasser.

Then they came for the...

Wait, what? That's it? They just wanted to root out the rapist and sexual harassers, and that's it? I can still live my life without worry as long as I'm not one of those?

But okay, maybe your concern is being falsely accused of these things. The incidence rate of false accusations is low to the point of not being relevant to any discussion of social or cultural norms or policy.

Sexual assault is death from drunk driving. False sexual assault accusation is being hit in the head by a milkshake thrown from a moving vehicle.

hackerbrother said 12 days ago:

Yes, and if we don't push back against sexual harassment, what we get is yet another... now

homonculus1 said 12 days ago:

There are no facts in this case available to us, the internet commenters; only 100% framing. In a different framing, the victim is the one who was unfairly fired, perhaps due to fitting in poorly or even malicious claims of misconduct by the harasser. And in this framing you are not only blaming the victim, but also attacking everyone who doesn't.

See how this works? "Believe the victim" is circular reasoning, all it does is calcify your priors. Truth-seeking demands that one must keep an open mind and consider competing interpretations of an event.

passwordreset said 12 days ago:

There are several facts alleged in this case that were provided by the user jedberg.

1. "One guy actually got fired for his password." This is a statement of fact, which we can initially accept as true.

2. "He was already being super creepy and making the girl who sat across from him uncomfortable." This is a statement of opinion with the appearance of a fact. The phrase "super creepy" is quite vague, to the point of being meaningless without further specification. Also, how jedberg can know that she was feeling uncomfortable should be in question.

3. "but she never told anyone." This unsubstantiates claim #2. If she never told anyone, then there was no way to determine the truth of the claim that he was "making the girl across from him uncomfortable." Note that even this statement may be false, as she could have told many people already without informing jedberg, and if so, would help to substantiate the previous claim.

4. "Then we cracked his password, which was a very naughty phrase about the girl who sat across from him." Note that "we cracked his password" is a statement of fact, mixed with opinion that the phrase was "very naughty". Whether the password was "naughty" or not, I don't think anyone is disputing that the password was cracked.

5. "I reported it to HR." This is a factual claim.

6. "who asked the girl" This is a factual claim, and most probably true, with the exception that it could be hearsay if jedberg wasn't in the room at the time when it happened, which has not been specified.

7. "who then said he was creepy" This is a statement of fact. Assuming that jedberg heard this directly from her, we can call this statement true. The important bit, however, is the word "then". She only said that he was creepy _after_ being approached by HR. If HR's question was "Don't you think that guy across from you is creepy?", then that would be considered leading and deceptive. If HR's question was "what do you think about the guy across from you", then that question would be leading. If HR's question was "what do you think about your fellow employees", then that question would be neutral and acceptable. Since the manner in which the question was asked was not specified, there is no way to know how this question affected her response. It is not reasonable to assume the question was leading or not leading without further confirmation, and this unfortunately makes the claim moot.

8. "so they acted swiftly on the reports and got him out of there." This statement appears to be a reiteration of claim #1; I don't see anything additional here that affects the previous claim.

Later, jedberg said this:

9. "he got fired for sexual harassment." This is a statement of fact; however, this appears to directly contradict the first statement that jedberg made, which was that he "got fired for his password." So, if we can accept that he got fired for sexual harassment, then he didn't get fired for his password, and the original claim is untrue.

In summary, 1) a guy got fired for sexual harassment. 2) The accused also had a password that may have mentioned something "naughty". 3) That password was noticed by an IT group and may or may not have had some impact on the termination. 4) The interviewing of the alleged victim may or may not have influenced her testimony.

Those are the specific facts that we're dealing with in this case. Dismissing this with the idea that "there are no facts in this case" is incorrect. The fairness or unfairness of the case is framed around these facts, with opinions given on both sides throughout this thread.

ben509 said 12 days ago:

There's solid evidence he was fired.

GhettoMaestro said 12 days ago:

Because the evidence is extremely weak and the reason cited for him being axed was he was a "creep"? Pretty subjective in my eyes without other information provided.

There's a mile wide difference between being a weirdo mouth-breathing creep, and actually sexually harassing someone.

GhettoMaestro said 11 days ago:

Reply (can't edit now): I know my above post seems like an asshole. That isn't my aim. I'm simply posing a necessary question before we instinctually start up the crucifixion process. Ruining people's lives with scant evidence scares me regardless of the who/where/what/when.

mongol said 12 days ago:

If he was fired for sexual harassment, that is one thing. But a naughty password on its own? That was maybe not the case here but that is what I have doubts about.

jedberg said 12 days ago:

He was fired for sexual harassment.

sterkekoffie said 12 days ago:

What if it was violent, bigoted, or suicidal? Passwords are secret but they aren't necessarily private. If you wouldn't want to verbally verify it with your administrator you probably shouldn't use it.

mongol said 12 days ago:

I have seen many password policies that say that you never should disclose your password. I have never seen a password policy say that it must not be naughty. As for violent or suicidal, I am less sure. I guess I would reason like a doctor, who has a patient's privacy to consider, but when certain lines are crossed he can contact the police if he thinks there is risk of crime.

sterkekoffie said 12 days ago:

Then I think our only difference in opinion is whether making sexually aggressive statements about your coworkers is crossing a line or just "naughty."

mongol said 12 days ago:

The difference is maybe that I don't see a password as a statement. There is no intent to let anyone know it. The only purpose it serves is to be difficult to guess / crack and easy to remember.

AlexTWithBeard said 12 days ago:

It depends on whether the statement is public or private.

Otherwise we're getting dangerously close to thoughtcrimes.

swampthinker said 12 days ago:

And people wonder why tech has a massive issue with sexism...

mongol said 12 days ago:

What does it have to do with tech? Everyone has passwords, and they are used all the time.

jedberg said 12 days ago:

He was doing a lot more than just the password. I was being vague on purpose. The password just exposed him.

deanCommie said 12 days ago:

A private diary that is the official property of your employer, and that they have the legal access to read at any time.

The system being managed here is a professional one. Keep your professional passwords professional.

It's no different than using your work email for naughty discussions.

jackcodes said 12 days ago:

<month><animal><current_year> every 90 days is the god pattern

austincheney said 12 days ago:

A better pattern is something long that will exceed the bounds of a rainbow table.

    I love JavaScript but I really wish it didn't have the ASI feature*

The example is 67 characters long written in a statement that is easy to remember with two non-alpha characters aside from the spaces. Imagine the size of rainbow table it would take to crack that.

OJFord said 12 days ago:

I'm not sure how easy that is to remember... Was it 'really love but wish' or 'love but really wish'? etc.

austincheney said 12 days ago:

I suspect you would word your password in a way that is most familiar for you. The idea is to achieve both cognitive comfort while destroying brute force efforts. A better example:

    Antidisestablishmentarianism is the longest English word I can think of##

73 characters.

saalweachter said 10 days ago:

I think you'd have more fun trying to imagine phrases no one would ever say.

"But thankfully I took Kim Kardashian's advice, and everything worked out for the best."

CydeWeys said 12 days ago:

I enter my password so many times each day (every time I step away from my computer and then come back to it, for example), so having such a long password would be quite the annoyance. Plus it's easy to make a typo and not realize it in a long sentence when you can't see what you're typing.

dlivingston said 12 days ago:

If I crack one of your passwords (or search your email on haveibeenpwned), and assuming you haven't changed your animal, then cracking any other password you have is trivial and takes at most 12 permutations.

josefx said 12 days ago:

I know at least one company that prohibits several ways to write any month or year-like value in its password field. I think the animal might make it through as long as it doesn't have any shortened month name or repeating letters as a substring. I have found several creative ways to write new passwords for that login and am still annoyed when it randomly matches with "information from my profile".
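A policy check of the kind josefx describes, written as an added example (not code from any commenter or from the company mentioned): it rejects passwords that embed a month name or abbreviation, a year-like value, or a token from the user's own profile, and reports only the rule that fired, never the password. The profile fields, the 1900-2099 year range and the three-letter abbreviations are assumptions.

```python
import re
from typing import Dict, List

# Constructed rule set modelled on the policy josefx describes.
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]

# Full month names plus three-letter abbreviations (assumed spellings).
# The short forms are what make the check over-eager: "mar" in "smart" or
# "dec" in "decision" will trip it, which is the annoyance the post reports.
MONTH_TOKENS = MONTHS + [m[:3] for m in MONTHS]

# Assumption: any 19xx or 20xx run counts as a "year-like value".
YEAR_RE = re.compile(r"(?:19|20)\d{2}")


def check_password(password: str, profile: Dict[str, object]) -> List[str]:
    """Return the list of policy violations; an empty list means accepted.

    `profile` is an assumed dict with optional keys 'username', 'first_name',
    'last_name' and 'birth_year'. Each reason names the rule, not the matched
    text, so a rejection log never has to contain the password itself.
    """
    lowered = password.lower()
    reasons: List[str] = []

    if any(tok in lowered for tok in MONTH_TOKENS):
        reasons.append("contains a month name or abbreviation")

    if YEAR_RE.search(password):
        reasons.append("contains a year-like value")

    # "Information from my profile": reject any name-like field that appears
    # verbatim; very short values are skipped to limit accidental matches.
    for key in ("username", "first_name", "last_name"):
        value = str(profile.get(key, "")).lower()
        if len(value) >= 3 and value in lowered:
            reasons.append(f"contains profile field '{key}'")

    birth_year = profile.get("birth_year")
    if birth_year and str(birth_year) in password:
        reasons.append("contains birth year from profile")

    return reasons


if __name__ == "__main__":
    # Constructed sample inputs; the template password from the thread fails
    # on two rules, a word-based passphrase passes, and "smartphone" shows
    # the false positive on the "mar" abbreviation.
    sample_profile = {"username": "jdoe", "first_name": "Jane", "birth_year": 1985}
    for candidate in ("March2020Dragon", "correct horse battery staple",
                      "smartphone!42", "jdoe-1985-x"):
        print(candidate, "->", check_password(candidate, sample_profile) or "ok")
```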

jessaustin said 12 days ago:

Let me guess... animal is always "dragon"?

300bps said 12 days ago:

Not to mention "creepy" is a charge that is often impossible to defend yourself from. It's wholly dependent on the subjectivity of the accuser and their opinion of the accused.

Walk over and say good morning every day to a coworker and she finds you attractive? Charming and sweet. Walk over and say good morning every day to a coworker and she finds you unattractive? Creepy.

the_gastropod said 12 days ago:

Ugh. Please don't bring this redpill malarkey to hackernews

panopticon said 12 days ago:

I was sorta with you at first, but that second paragraph is straight-up nonsense.

S-E-P said 12 days ago:

I've seen it happen, though it sounds like someone is over-exaggerating women's reaction to their ugly mug.

But yeah, I knew a woman that said anyone who smiled at her was creepy if she didn't like them. They exist.

caymanjim said 12 days ago:

No one cares about a purist stance on creepiness. Being creepy is enough to justify removal from any social or professional situation. If you lack the social skills to avoid being perceived as creepy, that's a you problem. It doesn't really matter what your rationalization is. People aren't going to want you around.

malloreon said 12 days ago:

In this hypothetical example are you walking over and saying good morning to each of your male coworkers as well?

The point is, treat your coworkers the same, regardless of gender.

anchpop said 12 days ago:

I haven't been in the workforce very long, so I really don't know and am asking genuinely. Is it ever okay to flirt with a coworker?

DharmaPolice said 12 days ago:

Yes, but the problem is that in most of the scenarios that get discussed it's not flirting but one person making advances and not noticing (or caring) that the person is actively feeling uncomfortable.

The rule of thumb is sort of in line with telling a risque joke. Is that ever OK in a workplace? Sure, but if there's any doubt whatsoever how it will be received by the audience then you probably shouldn't be doing it.

CriticalCathed said 12 days ago:

It's basically thoughtcrime.

didibus said 12 days ago:

> It is not very different from writing something naughty in a private diary, or even thinking a naughty thing.

I don't know if I'm too normal or what, but my gut feeling is that yes it's really creepy. And all these things have different creepiness to them. Thinking a naughty thing is the least creepy. A private naughty diary is starting to be creepy. If it's just a passage in a normal diary, it's not too bad, if there's a whole book just about this one girl it would get super creepy. Making your work password a naughty phrase about the girl working in front of you, definitely super creepy.

Some of those I'd start to consider beginning signs of harassment honestly. The password one, it's like slowly trying to bring your thoughts to the girl's attention. What's happening, are you hoping they see you typing it out one day? Every time you type it do you stare at her and imagine whatever you typed? So ya, if there were all kinds of other similarly creepy small behaviors they'd add up to a pretty bad environment for that girl to be working in.

Just my opinion. Maybe I'm overreacting, but I wouldn't do that, and so I find it very surprising and creepy that someone else does. Are they harmless, innocent, didn't know better, just have a cute crush, nice guys, maybe, but doing something unexpected to me, that I'd never think of doing, is pretty much the defining characteristic of creepy, and it naturally puts me on my guard. It's just strange behavior, and that's scary.

Note: I'd like to hear some replies that are like... oh no, it's not creepy, way more people have naughty passwords or big naughty diaries of their coworkers than you think. I know I do. It's a totally normal behavior, you're the actual outlier here if you never did any of that. Otherwise I will continue to believe this is strange and creepy behavior which warrants suspicion, and possibly a good indicator that someone makes others feel uneasy and unsafe when around them.

mongol said 12 days ago:

I think there is a big difference between expressing your thoughts and having them. I am quite certain that more or less everyone harbors thoughts that would not be socially acceptable to state to someone in the workplace, but they are completely normal (as in common) thoughts. It is not creepy to have them. It is expressing them to someone that would cross the boundary.

didibus said 12 days ago:

I think we agree then, these things have varying degrees of creepiness, with thoughts being the least creepy. And comparing having a thought to having it be your password, as OP did, is a false equivalence fallacy, from my perspective. One is an order of magnitude weirder than the other.

kelnos said 12 days ago:

I think if it was really literally just the password, it would be pretty weak grounds to fire someone. But OP says he was being deliberately vague so as not to be specific about the situation, and there was a lot more going on. The guy got fired for his actions, not his password. The password was just a tipping point.

didibus said 12 days ago:

I'm not really talking about the firing, I had another comment elsewhere about that part. And I could excuse only the password, because one creepy behavior can be excused, a recurring number of them not so much. I still need to excuse the password though, because I think that's just creepy. If it was just normal behavior, it wouldn't need excusing, it just wouldn't even be an argument.

I'm more saying that having your work password be a naughty fantasy involving your coworker is just plain creepy. I've never heard of this. I mean, even having a naughty fantasy involving your partner as your work password is creepy. How can anyone think this is totally normal and appropriate behavior? I know my wife would find it real weird if that was my password.

If you do that, and are starting to feel like other people find you creepy or are suggesting you might be, and you're confused why they think that.. I just don't know what to say. If you were under the impression having such a password is common, I'm afraid you were mistaken.

But, like I said, I'm giving people an opening here.. maybe I'm the one that's mistaken, and naughty sexual fantasies with coworkers as work passwords is a very common and normal choice of password. Presented with such evidence, I'd reconsider.

TallGuyShort said 12 days ago:

I'm all for the effective strength enforcement and ejecting the creepy guy, but some people do have strong passwords that, a bad idea though it may be, embed something deeply personal to them. Just something to keep in mind before automating the sharing of cracked passwords for otherwise legitimate purposes. I consider my passwords my private information, even if they are no longer secure from a technical standpoint and shouldn't be in use. I hope people respect that if they come across them.

sangnoir said 12 days ago:

I wonder if that process was passed by legal first. Not only does it make private (in most user's minds) information public, it also makes it legally discoverable!

jedberg said 12 days ago:

Yes, it was passed by legal and everyone else. The first warning was automated and the password wasn't revealed. It was only on the second pass once you had ample warning.

But to be fair, I wouldn't do that today. I would just shut off the account on the second pass.

CydeWeys said 12 days ago:

You shouldn't be using deeply personal stuff like this for work passwords then.

It's very legitimate for a company to want to protect themselves from a massively damaging and costly security/privacy incident by policing against the use of weak passwords.

TallGuyShort said 12 days ago:

Just to be clear, I agree, and I think what the person I'm replying to did is totally kosher. But I just think the fact that my password is private should not just be within technical limitations. If you find my password is "hurtmedaddy" I have a reasonable expectation of privacy about that beyond what SHA can and can't protect me from, and I would hope it's not showing up in some weekly report to be shared with IT. A hacker might find it anyway, but my boss certainly shouldn't have to.

edit: And back to technical concerns - someone knowing my password leaves a hard-to-audit window in which I am even less secure. Force-resetting the password in automation instead of revealing it would be better. Sharing it more widely before the problem is fixed increases the risk.

kelnos said 12 days ago:

I personally would not have any expectation that my work passwords are private. I would expect, say, Google to keep my password private, and have internal controls around not letting people see my password, or leak it to the outside. But I'd have no expectation that my boss or IT department didn't have the ability to find out what my password was if they wanted. For strength of security, I really hope they're hashing passwords, but it's well within their rights to try to crack that hash, or log my password as I send it to a webserver the company controls if they want/need to for any reason.

As an imperfect analogy, let's say I write something in a plaintext document, a big rant about how I'm pissed off at one of the executives, and in that rant I make a (not serious, but certainly worrisome) threat against the exec. I foolishly decide to store this document in my company-provided storage on their servers. (Or let's say I stick it in Google Docs in the company's GSuite account.)

Should I have a reasonable expectation of privacy there? I'd say no. I get that some might have the feeling that passwords are different because their entire function is to be private. From a security perspective, yes, I agree. But from a "what you do on company property/resources is visible to the company if they want it to be" perspective, I don't.

TallGuyShort said 12 days ago:

That's not unreasonable, but as you said the point is to be private - it's definitely not what people expect. If they were going to try to crack my passwords and look at them when they're cracked, I'd want a memo, to say the least.

A4ET8a8uTh0 said 12 days ago:

I am of two minds about it. If it helps security, it sounds somewhat reasonable, but I used questionable passwords in the past partly because they were easy to memorize, along the lines of missslippyfist and some numbers/chars. I was forced to stop once a company I used to work for started filtering for curses.

And running to HR over perceived creepiness sounds like a dick move.

AWildC182 said 12 days ago:

Given the frequency of online password db breaches, this seems like a really bad idea...

tom_mellior said 12 days ago:

Agreed. I would hope that the first email was automated and nobody actually looked at the results of cracking the passwords. In the second week, you arguably had less expectation of privacy.

jedberg said 12 days ago:

Correct, the first warning was automated and the password was not revealed.

raldi said 12 days ago:

This is the best password policy there is. The only time I was lucky enough to live under it was for a couple years in college.

Who cares how many uppercase letters I used or the last time I changed it? What matters is how crackable it is. v#ja&zp is better than P@ssword1

ChuckMcM said 12 days ago:

Greg did that at Blekko as well. That is why you always crack the sysadmin's password first, and use that. So when they crack it they know that you know that they know.

bakul said 12 days ago:

A proper policy would’ve been to not have any human look at a user’s password and just email them a warning about their weak password. A password should be considered PPI (personal, private information) and off limits to others, no matter how creepy (exception being a legal warrant). These days you might have gotten in trouble!

jedberg said 12 days ago:

Agreed. That's why if I were doing it today, I would just shut off the account after the second warning.

Although I don't think it's PII if it's all internal company data, especially if it is known that IT will crack your password.
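The two suggestions above, an automated weak-password audit in which no human sees the plaintext, plus account lockout after a second warning, can be written as a small defensive script. The following is an added example, not code from this thread or from the company described; it assumes the accounts store salted PBKDF2-SHA256 hashes and uses a constructed weak-password list (names, hash parameters and the `Account` type are all assumptions of this example):

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed list of known-weak passwords (an assumption of this example;
# in practice this would be a breach corpus or a company banned-word list).
WEAK_PASSWORDS = ["password", "P@ssword1", "north", "letmein", "qwerty123"]

# Assumed storage scheme: salted PBKDF2-HMAC-SHA256. The iteration count is
# kept low so the demo runs quickly; a real deployment would use far more.
ITERATIONS = 20_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored digest for a candidate password and an account salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


@dataclass
class Account:
    user: str
    salt: bytes
    digest: bytes
    warnings: int = 0   # how many weak-password findings so far
    locked: bool = False


def make_account(user: str, password: str) -> Account:
    """Create an account record the way a signup path would (random per-user salt)."""
    salt = os.urandom(16)
    return Account(user, salt, hash_password(password, salt))


def is_weak(acct: Account, weak_list) -> bool:
    """True if the account's digest matches any entry of the weak list.

    Only a yes/no result leaves this function: the matching word itself is
    deliberately not returned, so nothing downstream can log or email it.
    """
    return any(
        hmac.compare_digest(hash_password(word, acct.salt), acct.digest)
        for word in weak_list
    )


def warning_message(user: str, warnings: int) -> str:
    """Notification text that names the account and the rule, never the password."""
    return (f"{user}: your password matched a known weak-password list "
            f"(warning {warnings}). Please change it.")


def audit(accounts, weak_list=WEAK_PASSWORDS, max_warnings: int = 2):
    """Run one audit pass and return (user, action) pairs.

    First finding -> "warned"; reaching max_warnings -> "locked". Already
    locked accounts are skipped. Plaintext passwords never appear in the output.
    """
    findings = []
    for acct in accounts:
        if acct.locked or not is_weak(acct, weak_list):
            continue
        acct.warnings += 1
        if acct.warnings >= max_warnings:
            acct.locked = True
            findings.append((acct.user, "locked"))
        else:
            findings.append((acct.user, "warned"))
    return findings


def demo():
    """Three weekly audit passes over two constructed accounts."""
    accounts = [
        make_account("alice", "P@ssword1"),                   # on the weak list
        make_account("bob", "correct horse battery staple"),  # not on the list
    ]
    week1 = audit(accounts)   # alice warned, nobody sees her password
    week2 = audit(accounts)   # still weak: alice locked instead of exposed
    week3 = audit(accounts)   # locked account skipped, no findings
    return week1, week2, week3


if __name__ == "__main__":
    for week in demo():
        for user, action in week:
            print(action, warning_message(user, 1) if action == "warned" else user)
```

The comparison is done by rehashing each weak candidate with the account's own salt, so the audit works against the stored digests without any decryption step, and `hmac.compare_digest` keeps the match check constant-time. Because `is_weak` returns only a boolean, the notification path has no access to the offending string even if an operator later adds logging.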

ben509 said 12 days ago:

It shouldn't be personally identifiable information. But PII asks what that information is, not what it should be. Given that people reuse passwords or put things like DOB in their passwords, a conservative classification should treat passwords as PII.

If a company is cracking passwords, it should stop that to protect IT from liability. Example: someone reuses a password, and an IT employee sees that during a cracking operation, and that person's account by chance is hacked, now that person can accuse IT of misusing the password.

Maybe those disclaimers will protect them, but it's always smarter to avoid liability entirely than rely on fine print that a court can disregard.

bakul said 12 days ago:

A password is supposed to be very hard to guess by others but not so hard for you to remember so it can be said to be PII! And no, it is not assumed that IT will crack your password. Because how do you know how far IT would go to crack your password and how do you know they are not looking at your data as well? Employee/company officers' email may contain data that could be highly sensitive and something IT should not be looking at.

laughinghan said 12 days ago:

> it is not assumed that IT will crack your password

At this company, it was public knowledge that IT will crack your password.

At the vast, vast majority of companies, it's public knowledge that they are looking at your data and email as well. If you are under the impression that your employer doesn't, you should double-check because you are almost certainly wrong.

unkulunkulu said 12 days ago:

What would be a weak creepy password? I feel those properties run opposite. Weak enough to be bruteforced and creepy enough to get fired. Good job on that fella’s part I would say!

jedberg said 12 days ago:

A string of dictionary words and a very common name.

maehwasu said 12 days ago:

I'm excited for your coming adventures, in which our intrepid hero breaks into people's diaries and then tells their friends about the naughty things they wrote.

Brave!

yoz-y said 12 days ago:

Tangential but sometimes it is interesting to use a passphrase that you are ashamed of, that way you are never tempted to reveal it.

throwGuardian said 12 days ago:

You essentially got someone fired for thought crime. While in this instance, that thought crime coincidentally had a real life corroboration, it was just a lucky happenstance. You were not in the ethical right here!

It could have been that you reported to HR a romantic fling between two consenting adults, while they had no intention of their private lives spilling over into the public eye.

Disapprove of your actions, and further disapprove of your schadenfreude at someone's firing.

kissgyorgy said 12 days ago:

Even if the guy was creepy, you are an asshole for revealing something he thought nobody could ever know. That's the same thing as reading his personal letters or similar.

matharmin said 12 days ago:

Two considerations here: 1. Is the password private info that the employer shouldn't access? 2. If it is private but someone sees it anyway, should they act on it?

For (1): This is similar to any other private info stored on company equipment. The employer shouldn't actively access it in most cases, but it is generally expected that the employer will access it if it has a good reason (in this case, detecting a weak password is a good reason).

For (2): This is similar to accidentally overhearing someone's private conversation. Normally the polite thing is to stop listening, but if you have reason to believe it indicates harmful behaviour (like in this case), the right thing to do is to report it.

dkonofalski said 12 days ago:

Ok, what about this scenario?

Jack sets his password to "ImgoingtokillyouKaren". Tyler is talking with Jack in his cube and sees Jack type in the password and goes to HR. Is that an asshole move, in your opinion? Is the violation the reveal of the password or something else?

In my opinion, he has an obligation and responsibility to say something if he thinks someone is in danger or being harassed.

perl4ever said 12 days ago:

What if his buddy John's password is "HiJack!"? Is it logical to treat that the same way as if he yelled it in an airport?

travisjungroth said 12 days ago:

Eh, he was typing that phrase at a work keyboard every day.

avar said 12 days ago:

Would you be OK with your use of work bathrooms being made public? You can have an expectation of privacy while using other people's stuff.

anon73044 said 12 days ago:

Are you comparing a work computer to a restroom used by dozens, if not hundreds, of people every day?

Do the sales guys and C-level execs get an expectation of privacy to snort coke in the bathroom?

"Reasonable expectation of privacy" doesn't necessarily apply to "at will" employment.

Every company, large or small, has some form of acceptable usage policy for their systems. Anything you type in can and will be used against you if necessary.

MisterTea said 12 days ago:

This isn't hard. Don't want your personal info on a work computer? Then don't put it there. Work computers, networks and other resources are not yours. They belong to your employer.

CydeWeys said 12 days ago:

This is a bad analogy.

keltor said 12 days ago:

Actually, it's a rather perfect analogy.

People have some expectations of privacy and it's not normally considered acceptable to violate this.

Sometimes this stuff is untried in court or falls into a definite legal grey area and usually the policy is to err on the side of caution and simply assume that if something is commonly expected to be private, then it's private and should be kept so.

If we were investigating a user for XYZ and came across a file named "Personal Diary 2019.txt" or whatever, I can assure you that HR would not want us to open that file. Possibly if HR found out they'd declare the investigation tainted and want to stop it right there.

kelnos said 12 days ago:

It's an absolutely terrible analogy.

First off, putting cameras in restrooms is illegal in most places.

Regardless of that, it boils down to a legitimate company need. Ensuring that users aren't using passwords definitely passes that test. Ensuring that employees aren't sexually harassing other employees also definitely passes that test. Yes, it's unusual that a password tipped people off to bad behavior, but if you see possible evidence of bad behavior, even if it comes from a strange source, you are ethically obligated to look into it. And for a company, not doing so could create legal liability.

Now, bathrooms? Well, for starters, you said "use of work bathrooms being made public". There was nothing "public" about this password case. The password was shared, privately, with HR and the guy's manager. The closest possible bathroom analogy I can think of might be someone reporting to HR that they see someone going into the bathroom multiple times a day, coming out with white powder residue under their nose, and subsequently acting very strangely, like they're on drugs. Which... seems like an entirely appropriate thing to notice and report.

CydeWeys said 10 days ago:

To expand on the company need angle, logging in to your work account on your work computer hardware is absolutely a part of your job. Work has a vested interest in securing their computer systems while allowing authorized employees only to use them to conduct their work.

On the other hand, going to the bathroom is completely ancillary to your job. It's not a work-related duty; it's just something that humans have to do because we're made out of meat.

laughinghan said 12 days ago:

I'm trying to understand what you're saying, but it just seems completely divorced from reality.

Do you believe it has not been tested in the courts that cameras in bathrooms are illegal? Do you believe that if you polled office workers about whether bathrooms are private and whether they expect cameras to be in there, you would get any result other than widespread belief that bathrooms are private and there cannot be cameras in there?

Do you believe it has not been tested in the courts that anything you write on a work computer is the property of the employer? Do you believe that if you polled office workers about whether they think what they do with their work computer is audited or private to them, you would get any result other than widespread understanding that employers own everything you do on your work computer?

dkonofalski said 12 days ago:

If HR found a file called "Personal Diary 2019.txt" on the computer that is owned by the company they work for, there is no expectation of privacy. This is not the user's personal computer that they hacked into or gained unauthorized access to. Courts have ruled on multiple occasions that you do not have an expectation of privacy on your employer's hardware.

travisjungroth said 12 days ago:

If I was writing down offensive stuff about a coworker in the bathroom, that seems fair.

dmix said 12 days ago:

Being offensive is the privacy line?

I prefer the don't trust anything on your work machines or work equipment to be private, especially if it's synced with a server or directly from a server.

If it was his individual laptop or something it might be slightly different, but the etc directory was remotely accessible and his password clearly matters to the company's security. Like a rented apartment, a heads-up beforehand might be a good courtesy, not a requirement though.

jessaustin said 12 days ago:

Most of what I do in the restroom is offensive. All the rest is more like an atrocity. I'd still prefer not to be filmed.

munk-a said 12 days ago:

Honestly, assume that everything on a work computer is being tracked - if the IT dude had managed to crack this fellow's personal email password then that's a different matter altogether.

jedberg said 12 days ago:

He had already been warned the week before that his password had been cracked, and it was well known that we were cracking passwords.

coldtea said 12 days ago:

>* One guy actually got fired for his password. He was already being super creepy and making the girl who sat across from him uncomfortable, but she never told anyone. Then we cracked his password, which was a very naughty phrase about the girl who sat across from him. I reported it to HR, who asked the girl, who then said he was creepy, and so they acted swiftly on the reports and got him out of there.*

So, he never did anything specific to call for, but just "was creepy" (which can often mean he was not very pretty and/or awkward socially / in expressing his feelings, as opposed to someone who would assault or anything close). And he had a password (in private) that was lewd or whatever, which he did not intend to share with anybody.

Yeah, let's fire the guy...

1000units said 11 days ago:

"Think of her comfort!" is the lonely childless Bay Area man's version of "Think of the children!"

giorgioz said 12 days ago:

>Did he really use uppercase letters or even special chars? (A 7-bit exhaustive search would still take over 2 years on a modern GPU.)

>took 4+ days on an AMD Radeon Vega64

I don't understand. The author first claims that it would take 2 years on a modern GPU to brute force a 7-bit password with special characters, but then he is helped by Nigel Williams, who cracked it in 4 days on an AMD Radeon Vega64.

Did Nigel Williams use a better technique? Is the AMD Radeon Vega64 much faster than a "modern GPU"? Did the author overestimate the difficulty?

pailander said 12 days ago:

"The password is not found in any known data breaches. It should be safe to use". Ok... https://imgur.com/a/TTWME6G

apetresc said 12 days ago:

A slight nitpick with the article - `p/q2-q4` (more commonly written as "1. d4" in modern times) is not the Closed Game, it's just the first move of it. There are many, many other lines after 1. d4 besides just 1. ..d5, most of them quite open!

CrazyStat said 12 days ago:

It is the beginning of the closed game, which is what the article says.

Seems like a vacuous nitpick.

EForEndeavour said 12 days ago:

Pedantry might as well be correct: calling q2-q4 "the beginning of a closed game" hides the fact that it's also the beginning of many other validated openings: https://en.wikibooks.org/wiki/Chess_Opening_Theory/1._d4

Advancing the queen's pawn 2 squares is a very common first move in chess at all levels. It's disingenuous to call this the beginning of any one of the specific possible openings in the above list.

CrazyStat said 12 days ago:

And calling "It was the best of times" the beginning of a famous Dickens quote hides the fact that it's also the beginning of many other valid English sentences, I suppose.

There is nothing incorrect about the article's statement.

EForEndeavour said 12 days ago:

Context is everything, and I think your example only highlights how unhelpful it is to specify that q2-q4 is the beginning of the closed game.

I think most English speakers would agree that Dickens' A Tale of Two Cities is a notable outlier of what is expected after "It was the best of times." That's the exact work of literature that popularized the phrase.

By contrast, mention q2-q4 to any "chess speaker" and they won't be specifically prompted to think of the closed game at all.

CrazyStat said 12 days ago:

Yeah that's bullshit. If you tell a chess player 1.d4 then d5 is going to be one of the first things that comes to mind. Even if they prefer a different response, like Nf6, d5 is certainly going to be prompted.

apetresc said 12 days ago:

Uh, okay, technically true, touché.

But it's "the beginning" of roughly 50% of all chess games ever played. It seems very strange to call out one particular line it _might_ end up being the beginning of.

It's also "the beginning" of game 2 of the 1929 Bogoljubov-Alekhine world championship match, among millions of others, after all.

floatingatoll said 12 days ago:

Using one potential endpoint as the point of reference to anchor to is a classically human thing to do. It doesn’t particularly matter that they chose Closed or Bogol-Alek. It just matters that they conveyed their thought to others with enough accuracy to get the point across.

Asking the question “why did they think of Closed first and not, for example, Bogol-Alek?” is to ask why someone sees a porcupine in a Rorschach blot. Everyone’s mind has different memory anchors, and they are not produced reliably or with regard for logic and reason.

It still worked, though :)

newen said 12 days ago:

Not if you play chess. 1. d4 is played probably more than half the time in professional games. It can lead to lots of different openings, closed and open (but not at the same time).

umanwizard said 12 days ago:

Really? I thought 1. e4 was more common. TIL!

CrazyStat said 12 days ago:

e4 is more common. d4 is second.

bionsystem said 12 days ago:

> (but not at the same time)

Nice reference.

MadWombat said 12 days ago:

Closed game is 1. d4 d5. There are quite a few opening lines that start with 1. d4, but do not continue into the closed game.

CrazyStat said 12 days ago:

Which does not change the fact that 1. d4 is the beginning of the closed game.

MadWombat said 12 days ago:

Yes, and the history of American football starts at Big Bang :)

throw7 said 12 days ago:

Is it? I mean, I'm not a chess expert, but can we actually call a chess game open or closed from only the first move?

CrazyStat said 12 days ago:

1.d4 d5 is called the Closed Game. It's the name of the opening, just like the Ruy Lopez or the Benko Gambit.

throw7 said 12 days ago:

Oh, today I learned there are opening moves called the "Open Game" and the "Closed Game" and there are also "open" and "closed" games in chess.

umanwizard said 12 days ago:

I am not a strong player, so I could be wrong, but my understanding is that 1. d4 d5 games tend to be more closed than 1. e4 e5 games, because it's less easy for the center pawns to get taken (because they are defended by the queens).

If any stronger player wants to comment, I'd be interested to know whether this is indeed the main reason 1. d4 d5 games tend to lead to more closed positions.

said 12 days ago:
[deleted]
mkoryak said 12 days ago:

I was able to log into his facebook and twitter accounts using that same password!

Edit: Ha ha, this is a bad joke!

snazz said 12 days ago:

Uh oh. No 2FA? Definitely send him an email about that.

mseepgood said 12 days ago:

Here's his Github account: https://github.com/ken

ru999gol said 12 days ago:

not a bad joke at all actually, but HN is just too far all up their own asses