faul_sname comments on Open thread, Feb. 9 - Feb. 15, 2015 - Less Wrong

Post author: MrMind 09 February 2015 09:12AM


Comments (321)


Comment author: faul_sname 14 February 2015 02:20:34AM 2 points

The worrying questions have somewhat less worrying answers. Here is the cause of the length limit of 20 (in r2/r2/templates/login/html):

    <input id="passwd_${op}"
           name="passwd_${op}" type="password" maxlength="20"/>

Removing the maxlength="20" restriction on password fields allows longer passwords without a problem (I'm actually unsure why that's there in the first place -- it doesn't actually prevent a malicious actor from sending a 1 GB password, as it's a client-side check).
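
Since the browser-side maxlength is not a security control, the bound that matters has to live on the server. The following is an added example (not code from the Less Wrong / reddit codebase the comment quotes) of a server-side length check that accepts passwords well beyond 20 characters but refuses to feed an oversized input to the key-derivation function; the byte limits and the use of PBKDF2 are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed server-side bounds, not values from the forum thread. The upper
# bound stops a client from sending a multi-megabyte "password" and making
# the server burn CPU hashing it; the browser's maxlength="20" does nothing
# against a client that simply omits the attribute.
MIN_PASSWORD_BYTES = 8
MAX_PASSWORD_BYTES = 1024
SALT_BYTES = 16
PBKDF2_ITERATIONS = 200_000


def validate_password_length(password: str) -> Optional[str]:
    """Return an error string, or None if the length is acceptable.

    Measured in UTF-8 bytes rather than characters, because bytes are what
    the KDF actually processes.
    """
    n = len(password.encode("utf-8"))
    if n < MIN_PASSWORD_BYTES:
        return "password too short"
    if n > MAX_PASSWORD_BYTES:
        return "password too long"
    return None


def make_verifier(password: str, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive a salted verifier; raise ValueError instead of hashing oversized input."""
    err = validate_password_length(password)
    if err is not None:
        raise ValueError(err)
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt + digest


def check_password(password: str, verifier: bytes, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Compare a candidate against a stored verifier in constant time."""
    # Reject oversized input before doing any expensive work.
    if validate_password_length(password) is not None:
        return False
    salt, stored = verifier[:SALT_BYTES], verifier[SALT_BYTES:]
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, stored)
```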

Comment author: CBHacking 14 February 2015 11:37:32AM 0 points

Good to know. I hadn't actually bothered to check; I just used a unique password and email address as a matter of course - but I'm glad anyhow. Of course, that doesn't guarantee they're storing the password verifier, but I certainly could go read the source myself and find out.

Of course, if I was actually concerned about the security of my account here, I wouldn't use the site at all because it's only available unencrypted. Given how easy and cheap (even free) it is to enable TLS these days, I'm honestly surprised this site not only defaults to plaintext but doesn't support encryption at all. Intercepting network traffic is easy (promiscuous mode on open WiFi, run your own hotspot with an expected SSID, ARP spoofing, etc.).