Cracking My Own Reddit Password (opens in new tab)

(haseebq.com)

72 points_gjav9y ago17 comments

17 comments

Clickbait title much? This basically has nothing at all to do with reddit. You could replace the word reddit with Facebook in this article and it would be exactly the same.

That being said, it was pretty clever to take advantage of an enumeration attack on another service that wasn't protecting against enumeration attacks on the feature because frankly, why would they?

wand3r9y ago

> click bait title

No. I went in expecting it to be about a guy who lost his own password to Reddit and had to crack it.

Spoiler: That's what the article was about.

jedberg9y ago

Your expectations were low then. I expected an article about a guy who lost his reddit password and used the features of the reddit website to crack it.

This article, while interesting, is really just about general password cracking.

wand3r9y ago

I didn't expect it to be a great article, it was ok, just pretty reasonable title on a scale from 1-HuffPo it was a 4 for ckickbait

et-al9y ago

He hardly cracked his password. He played Hangman. I would hope there's no service out there that lets you guess passwords like this.

"Is there an F in your password? Yes, you have one F, now guess again..."

morganvachon9y ago

> I would hope there's no service out there that lets you guess passwords like this.

Technically he didn't guess the password to any specific service, he just happened to have stored his own Reddit password in plaintext as the body of a draft email. The email service allows you to search within the body even if your message is "hidden" from their interface. At worst, he MacGyvered a feature of their service to recover a string he couldn't remember.

This was a coding exercise, nothing more. If he had stored his Reddit password in some obfuscated/encrypted format behind another password-protected service, he likely would not have pulled off this stunt.

BlackLotus899y ago

It was a "recovery" and not a crack if you store your password somewhere and lose direct access to it it's not really cracking when you guess.

But to get on topic: This was one of my favorite ways of recovering passwords when I had a blind SQL injection somewhere. I wrote a nice perl script that brute forced (yes the guy in the article also brute forced) the field through the SQL substr command. Happy, simpler times :)

letter_me_later9y ago

Uh. No.

The article is a subversive ad for http://lettermelater.com and little more.

Retr0spectrum9y ago

This sort of challenge comes up in CTFs quite often. Here's a writeup of one from PicoCTF 2017 (not mine): https://github.com/Caesurus/PicoCTF2017/tree/master/l3_noeye...

stu-harvey9y ago

Working link: https://medium.freecodecamp.com/the-time-i-had-to-crack-my-o...

hiisukun9y ago

Perhaps because I'm new to this stuff, I enjoyed the writeup. I wonder if I'm out of place expecting a single run through of a-z 0-9 to determine the range of chars present in the password?

It turns out (due to repeated chars) to only have 14 unique chars. This single run through would have reduced the alphabet size (A, in the article) from 36 to 14. The 432 iterations becomes 168.

I'm sure there are other optimisations I'm missing!

rocqua9y ago

It seems like an interesting complication here comes from the subject line. I idly wonder how to handle the case where the subject line had been much larger and had much overlap with the password.

kordless9y ago

Considering how much effort this took, I'm wondering if learning to be more patient might also be an option?

snek9y ago

mfw already posted like two weeks ago

ColinWright9y ago

You're too optimistic:

https://news.ycombinator.com/item?id=14108223 (17 days)

https://news.ycombinator.com/item?id=14076918 (20 days)

https://news.ycombinator.com/item?id=14071188 (21 days)

https://news.ycombinator.com/item?id=14054289 (23 days)

https://news.ycombinator.com/item?id=14051671 (24 days)

None have any comments, very few upvotes, so maybe it's worth another chance. Personally, I found it unreadable. I'm sure others will find it fascinating and be able to get past the IN YOUR FACE style and flashing graphics.

Oh, and FWIW, I didn't downvote you.

glubGlub9y ago

And it has NOTHING TO DO WITH REDDIT.

m0atz9y ago

This literally is fucking awesome.

j / k navigate · click thread line to collapse

17 comments

jedberg9y ago

Clickbait title much? This basically has nothing at all to do with reddit. You could replace the word reddit with Facebook in this article and it would be exactly the same.

That being said, it was pretty clever to take advantage of an enumeration attack on another service that wasn't protecting against enumeration attacks on the feature because frankly, why would they?

wand3r9y ago

> click bait title

No. I went in expecting it to be about a guy who lost his own password to Reddit and had to crack it.

Spoiler: That's what the article was about.

jedberg9y ago

Your expectations were low then. I expected an article about a guy who lost his reddit password and used the features of the reddit website to crack it.

This article, while interesting, is really just about general password cracking.

wand3r9y ago

I didn't expect it to be a great article, it was ok, just pretty reasonable title on a scale from 1-HuffPo it was a 4 for ckickbait

et-al9y ago

He hardly cracked his password. He played Hangman. I would hope there's no service out there that lets you guess passwords like this.

"Is there an F in your password? Yes, you have one F, now guess again..."

morganvachon9y ago

> I would hope there's no service out there that lets you guess passwords like this.

BlackLotus899y ago

It was a "recovery" and not a crack if you store your password somewhere and lose direct access to it it's not really cracking when you guess.

letter_me_later9y ago

Uh. No.

The article is a subversive ad for http://lettermelater.com and little more.

Retr0spectrum9y ago

This sort of challenge comes up in CTFs quite often. Here's a writeup of one from PicoCTF 2017 (not mine): https://github.com/Caesurus/PicoCTF2017/tree/master/l3_noeye...

stu-harvey9y ago

Working link: https://medium.freecodecamp.com/the-time-i-had-to-crack-my-o...

hiisukun9y ago

Perhaps because I'm new to this stuff, I enjoyed the writeup. I wonder if I'm out of place expecting a single run through of a-z 0-9 to determine the range of chars present in the password?

It turns out (due to repeated chars) to only have 14 unique chars. This single run through would have reduced the alphabet size (A, in the article) from 36 to 14. The 432 iterations becomes 168.

I'm sure there are other optimisations I'm missing!

rocqua9y ago

It seems like an interesting complication here comes from the subject line. I idly wonder how to handle the case where the subject line had been much larger and had much overlap with the password.

kordless9y ago

Considering how much effort this took, I'm wondering if learning to be more patient might also be an option?

snek9y ago

mfw already posted like two weeks ago

ColinWright9y ago

You're too optimistic:

https://news.ycombinator.com/item?id=14108223 (17 days)

https://news.ycombinator.com/item?id=14076918 (20 days)

https://news.ycombinator.com/item?id=14071188 (21 days)

https://news.ycombinator.com/item?id=14054289 (23 days)

https://news.ycombinator.com/item?id=14051671 (24 days)

Oh, and FWIW, I didn't downvote you.

glubGlub9y ago

And it has NOTHING TO DO WITH REDDIT.

m0atz9y ago

This literally is fucking awesome.

j / k navigate · click thread line to collapse