• Asghar Hospital (unregistered)

    Asghar Hospital Provides medical treament with state of art Operation Theather

  • (nodebb)

    That password regex one is pretty stunning for the number of things that are wrong with it, but the worst is that they're disallowing = symbols.

    Or maybe the worst is that they're showing the validation constraint regexp itself (and are using such a complex regexp for this task).

    Or that they're showing the password in the clear at all.

  • RegexBuddy (unregistered)

    Looks like the crazy regex is:

    A digit, a-z, A-Z, a special char from [!@#$%^&*;:,.<>-_] In that order, each preceded by 0 or more other non-line-break characters.

    Then 7 to 20 occurrences of: A digit OR a-z OR A-Z OR one of those special characters.

    So you can have "=" as long as it's followed by one of the special characters and at least 7 other characters.

  • (nodebb) in reply to dkf

    So you're saying that they had a problem, and they thought they'd use a regex to solve it, and now they have four problems?

  • Anonymous') OR 1=1; DROP TABLE wtf; -- (unregistered)

    They're called security questions because the questions are encrypted. What could be more secure?

  • (nodebb)

    I don't understand the problem with Andy's, Paul's, or Dima's submissions. Help?

  • jay (unregistered)

    My bank uses 2 factor authentication: When I log in they send a code to my cell phone and I have to type this code into the computer. But what happens if my cell phone number changes? No problem. Before they send the verification code, they ask me if my cell phone number is correct, and if not to enter my correct number. Think hard about the potential flaw to this scheme.

  • Loren Pechtel (unregistered)

    The first one actually isn't unreasonable.

    He's demonstrating that he has full access to the website in question. I've done something similar before--made an unimportant change to a piece of data to demonstrate that I had the permission to do so.

  • Worf (unregistered) in reply to jkshapiro

    Andy - is reporting that he's seeing someone else's account instead of the proper account he's supposed to be working with. He's trying to report this, and support is asking him to go into the other account's details to "authenticate". Imagine you were trying to report that you were seeing someone else's personal information and support said you have to present those credentials to verify yourself.

    Paul - Greek page for 112 (emergency number in Europe, like 911 in North America). However, in the background is a phone with Apple Music prominently shown. Not likely something you'd want to see when reading about what the emergency number is for. "911 what's your emergency" "Apple Music won't play music!".

    Dima - Supposedly the results of the PCR test are supposed to be private and encrypted as hinted by the subject, but they just want you to reply and they'll email you the results in the clear. No verification of your information either, so it might not even be YOUR results.

    The term for Anonymous' submission is actually "mojibake", not "Unicode Tofu". Though culturally similar in origin. And yes, "mojibake" is a real Japanese word. https://en.wikipedia.org/wiki/Mojibake

  • it works - check regex101 (unregistered) in reply to RegexBuddy

    Definitely cannot have '=' based on this regex. There's also no order requirement. The regex starts with non-consuming positive-lookahead's for the following anywhere in the string: digit, lowercase letter, uppercase letter, special symbol. Then it requires 7-20 of any combination of characters within those same categories. To allow '=' as a special character, include it in the two listings of special characters.

    Get rid of the outer hard brackets [ ] (and replace them with ^ and $, respectively to enforce full-string match) and test it on regex101.com for all flavors except the Golang one.

    Regular Expression: ((?=.\d)(?=.[a-z])(?=.[A-Z])(?=.[!@#$%^&;:,.<>-_])(\d|[a-z]|[A-Z]|[!@#$%^&;:,.<>-_]){7,20})

    Test String: ji=xFd4QJ$v

    Regular Expression, allowing '=': ((?=.\d)(?=.[a-z])(?=.[A-Z])(?=.[!@#$%^&;:,.<>-_=])(\d|[a-z]|[A-Z]|[!@#$%^&;:,.<>-_=]){7,20})

  • Wizofaus (unregistered)

    I'd take that password response over one that just says "password does not meet complexity requirements" (without telling you what they are) any day. But yes, using reg-exes, or indeed any rules around the exact sorts of characters your password must and mustn't have in what quantities should be the real WTF, a minimum length (ideally 12) and a dictionary check (after stripping non-letters) is far better from a security POV. Checking against databases of known-to-be- compromised passwords is probably sensible too (but very rarely done)

  • (nodebb) in reply to Worf

    I read Andy's one slightly differently - it's not that he's seeing the wrong account (he says he is the account owner's web designer), but he is seeing the full control panel and other stuff that only the account owner should have access to. And yes, support are telling him to go and look at the account owner's billing details so that they can register him as the account owner.

    I don't know that Dima's one is all that bad really. Consider that they could have just emailed him the results instead of sending the "do you want to get your results by email?" thing. I guess if you accidentally put someone else's email into their system instead of yours, then yes, they can see your results. But if you're in the habit of doing that then you have lots of other things to worry about as well.

    And who knows, maybe it is really encrypted! ... OK, yes, we all know it isn't going to be. Which I think is correct because users are not going to know with an encrypted file. Although it says encrypted by TLS, which I guess is technically true if they send him an https link rather than just a PDF or whatever.

    (For reference, the lab I normally use sends you an email with the link to your results, which expires after about five days, and an SMS with the passcode you need to access the link. I can't remember if they ever used to just send you the results in the clear.)

    Addendum 2021-09-13 05:34: know what to do with an encrypted file

  • (nodebb) in reply to Scarlet_Manuka

    Thank you both, that's helpful.

  • Shot Blasting Machine (unregistered)
    Comment held for moderation.

Leave a comment on “Swordfish”

Log In or post as a guest

Replying to comment #:

« Return to Article