this post was submitted on 20 Oct 2023
1525 points (98.9% liked)

Programmer Humor

32453 readers
1036 users here now

Post funny things about programming here! (Or just rant about your favourite programming language.)

Rules:

founded 5 years ago
MODERATORS
 
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 36 points 1 year ago (2 children)

lol at redacting that password

[–] [email protected] 40 points 1 year ago (3 children)
[–] [email protected] 19 points 1 year ago* (last edited 1 year ago)

It’s hunter2

For the uninitiated, this was a purported IRC conversation on bash.org (which apparently is down now, sadly):

https://web.archive.org/web/20040604194346/http://bash.org/?244321

  Cthon98: hey, if you type in your pw, it will show as stars
  Cthon98: ********* see!
  AzureDiamond: hunter2
  AzureDiamond: doesnt look like stars to me
  Cthon98: *******
  Cthon98: thats what I see
  AzureDiamond: oh, really?
  Cthon98: Absolutely
  AzureDiamond: you can go hunter2 my hunter2-ing hunter2
  AzureDiamond: haha, does that look funny to you?
  Cthon98: lol, yes. See, when YOU type hunter2, it shows to us as *******
  AzureDiamond: thats neat, I didnt know IRC did that
  Cthon98: yep, no matter how many times you type hunter2, it will show to us as *******
  AzureDiamond: awesome!
  AzureDiamond: wait, how do you know my pw?
  Cthon98: er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
  AzureDiamond: oh, ok.

I'll add that I'm a little suspicious that the event is apocryphal. Cliff Stoll's The Cuckoo's Egg described a (true) story of a West German hacker, Markus Hess, working for the KGB during the Cold War to try to break into US industrial systems (e.g. chip design, OS source code) and military systems (various military bases and defense projects). Hess had broken into a system at the University of California at Berkeley, where Stoll was studying astrophysics and working as a sysadmin. Stoll discovered the breakin, and decided to leave the hacker alone, to use the system as a honeypot, and try to figure out what systems the hacker was attacking so that he could warn them, so he had a pretty extensive writeup on what was going on. Stoll had been providing updates to the FBI, CIA, NSA, Army and Air Force computer security personnel, and a few others.

Stoll was trying to figure out who the hacker was, as the hacker was only touching his system via other systems that he'd broken into, like a US defense contractor; he didn't know that the hacker was German.

Hess used "hunter" or a variant, like "jaeger", German for "hunter", as a password on many of the systems that he broke into; this was one of several elements that led Stoll to guess that he might be German; that sounds very suspiciously similar to the password in the above conversation.

I'd add that the whole story is a pretty interesting read. Eventually, Stoll -- who was having trouble getting interest from various US security agencies, which were not really geared up to deal with network espionage at the time, made up a fake computer system at UC Berkeley that claimed it contained information related to Strategic Defense Initiative, part of a major US ballistic missile defense project, and indicated that a physical letter had to be sent to get access. Hess noticed it, handed the information off to his KGB handlers, and a bit later, a Bulgarian spy in Pittsburgh tried sending said letter to get access to the system. When Stoll handed that tidbit off, that got a lot of attention, because the FBI was definitely geared up for catching spies in the US trying to compromise US military systems, and exposing domestic spy rings was right up their alley. The FBI finally put a bunch of people on it, Stoll got to give a presentation at the CIA, etc.

[–] [email protected] 18 points 1 year ago (1 children)

What did you write? I can only see *******!

[–] [email protected] 4 points 1 year ago (1 children)

you can go hunter2 my hunter2-ing hunter2

[–] [email protected] 3 points 1 year ago

That's because I copied and pasted. This is what I see: *******

[–] [email protected] 4 points 1 year ago (1 children)

More than to protect a real password, this is done (in my experience) to prevent a bunch of unoriginal drones make that THEIR password, because they think is funny, which only means the string gets added to a "passwords to attempt" text list on some hacking website ....

Decreasing security all together

Case in point: Hunter2, correcthorsebatterystaple, solarwinds123 and Pa$$w0rd1

[–] [email protected] 5 points 1 year ago (1 children)

I mean, the philosophy behind correcthorsebatterystaple is good. I used that method for master passwords to password managers and it really does work well to help you remember a long complex password that can't be guessed easily.

But some people might have been missing the point of that xkcd using correcthorsebatterystaple itself.

[–] jasory 7 points 1 year ago (1 children)

It's okay. The thing is when running an attack are you going to permutate through every combination of characters, or are you going to use words from a dictionary first? correcthorsebatterystaple (not a dictionary word) is better than antidisestablishmentarianism (a dictionary word) but in a realistic attack concatenating dictionary words is going to be the next step.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

Because of the number of potential words in the dictionary, it's still fairly secure. I would recommend 5 or 6 words though