Cracking My Own Reddit Password
haseebq.com
Clickbait title much? This basically has nothing at all to do with reddit. You could replace the word reddit with Facebook in this article and it would be exactly the same.
That being said, it was pretty clever to take advantage of an enumeration attack on another service that wasn't protecting against enumeration attacks on the feature because frankly, why would they?
> click bait title
No. I went in expecting it to be about a guy who lost his own password to Reddit and had to crack it.
Spoiler: That's what the article was about.
Your expectations were low then. I expected an article about a guy who lost his reddit password and used the features of the reddit website to crack it.
This article, while interesting, is really just about general password cracking.
I didn't expect it to be a great article; it was OK, just a pretty reasonable title. On a scale from 1-HuffPo it was a 4 for clickbait.
He hardly cracked his password. He played Hangman. I would hope there's no service out there that lets you guess passwords like this.
"Is there an F in your password? Yes, you have one F, now guess again..."
> I would hope there's no service out there that lets you guess passwords like this.
Technically he didn't guess the password to any specific service, he just happened to have stored his own Reddit password in plaintext as the body of a draft email. The email service allows you to search within the body even if your message is "hidden" from their interface. At worst, he MacGyvered a feature of their service to recover a string he couldn't remember.
This was a coding exercise, nothing more. If he had stored his Reddit password in some obfuscated/encrypted format behind another password-protected service, he likely would not have pulled off this stunt.
It was a "recovery" and not a crack; if you store your password somewhere and lose direct access to it, it's not really cracking when you guess.
But to get on topic: This was one of my favorite ways of recovering passwords when I had a blind SQL injection somewhere. I wrote a nice Perl script that brute forced (yes, the guy in the article also brute forced) the field through the SQL substr command. Happy, simpler times :)
Uh. No.
The article is a subversive ad for http://lettermelater.com and little more.
This sort of challenge comes up in CTFs quite often. Here's a writeup of one from PicoCTF 2017 (not mine): https://github.com/Caesurus/PicoCTF2017/tree/master/l3_noeye...
Perhaps because I'm new to this stuff, I enjoyed the writeup. I wonder if I'm out of place expecting a single run through of a-z 0-9 to determine the range of chars present in the password?
It turns out (due to repeated chars) to only have 14 unique chars. This single run through would have reduced the alphabet size (A, in the article) from 36 to 14. The 432 iterations becomes 168.
I'm sure there are other optimisations I'm missing!
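An added example, not part of the thread or the linked article: a constructed in-memory search oracle that counts queries with the full 36-symbol alphabet versus after the single presence pass suggested above, with the cost of that pass included in the count. The names `SearchOracle`, `present_chars`, `recover`, `query_counts` and the sample secret are assumptions made for illustration.

```python
import string

ALPHABET = string.ascii_lowercase + string.digits  # the 36 symbols assumed in the thread


class SearchOracle:
    """Constructed stand-in for a search box: answers only 'term occurs / does not'."""

    def __init__(self, hidden):
        self._hidden = hidden
        self.queries = 0

    def contains(self, term):
        self.queries += 1
        return term in self._hidden


def present_chars(oracle, alphabet=ALPHABET):
    """Single pass over the alphabet: keep only symbols that occur at all."""
    return "".join(c for c in alphabet if oracle.contains(c))


def recover(oracle, alphabet):
    """Grow one confirmed substring right until it is a suffix, then grow it left."""
    known = next((c for c in alphabet if oracle.contains(c)), "")
    for extend in (lambda k, c: k + c, lambda k, c: c + k):
        grew = bool(known)
        while grew:
            grew = False
            for c in alphabet:
                if oracle.contains(extend(known, c)):
                    known, grew = extend(known, c), True
                    break
    return known


def query_counts(hidden):
    """Return (recovered, queries) for the full and the reduced alphabet."""
    full = SearchOracle(hidden)
    full_result = recover(full, ALPHABET)
    reduced = SearchOracle(hidden)
    reduced_result = recover(reduced, present_chars(reduced))  # count includes the pass
    return {"full": (full_result, full.queries), "reduced": (reduced_result, reduced.queries)}


if __name__ == "__main__":
    print(query_counts("correcthorse42"))  # constructed sample secret
```

The totals grow roughly as alphabet size times string length, which is the figure to compare against any per-account cap on search requests.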
It seems like an interesting complication here comes from the subject line. I idly wonder how to handle the case where the subject line had been much larger and had much overlap with the password.
Considering how much effort this took, I'm wondering if learning to be more patient might also be an option?
mfw already posted like two weeks ago
You're too optimistic:
https://news.ycombinator.com/item?id=14108223 (17 days)
https://news.ycombinator.com/item?id=14076918 (20 days)
https://news.ycombinator.com/item?id=14071188 (21 days)
https://news.ycombinator.com/item?id=14054289 (23 days)
https://news.ycombinator.com/item?id=14051671 (24 days)
None have any comments, very few upvotes, so maybe it's worth another chance. Personally, I found it unreadable. I'm sure others will find it fascinating and be able to get past the IN YOUR FACE style and flashing graphics.
Oh, and FWIW, I didn't downvote you.
And it has NOTHING TO DO WITH REDDIT.
This literally is fucking awesome.