Cracking My Own Reddit Password (opens in new tab)

(haseebq.com)

72 points_gjav8y ago17 comments

17 comments

Clickbait title much? This basically has nothing at all to do with reddit. You could replace the word reddit with Facebook in this article and it would be exactly the same.

That being said, it was pretty clever to take advantage of an enumeration attack on another service that wasn't protecting against enumeration attacks on the feature because frankly, why would they?

wand3r8y ago

> click bait title

No. I went in expecting it to be about a guy who lost his own password to Reddit and had to crack it.

Spoiler: That's what the article was about.

jedberg8y ago

Your expectations were low then. I expected an article about a guy who lost his reddit password and used the features of the reddit website to crack it.

This article, while interesting, is really just about general password cracking.

2 more replies

et-al8y ago

He hardly cracked his password. He played Hangman. I would hope there's no service out there that lets you guess passwords like this.

"Is there an F in your password? Yes, you have one F, now guess again..."

1 more reply

BlackLotus898y ago

It was a "recovery" and not a crack if you store your password somewhere and lose direct access to it it's not really cracking when you guess.

But to get on topic: This was one of my favorite ways of recovering passwords when I had a blind SQL injection somewhere. I wrote a nice perl script that brute forced (yes the guy in the article also brute forced) the field through the SQL substr command. Happy, simpler times :)

letter_me_later8y ago

Uh. No.

The article is a subversive ad for http://lettermelater.com and little more.

Retr0spectrum8y ago

This sort of challenge comes up in CTFs quite often. Here's a writeup of one from PicoCTF 2017 (not mine): https://github.com/Caesurus/PicoCTF2017/tree/master/l3_noeye...

stu-harvey8y ago

Working link: https://medium.freecodecamp.com/the-time-i-had-to-crack-my-o...

hiisukun8y ago

Perhaps because I'm new to this stuff, I enjoyed the writeup. I wonder if I'm out of place expecting a single run through of a-z 0-9 to determine the range of chars present in the password?

It turns out (due to repeated chars) to only have 14 unique chars. This single run through would have reduced the alphabet size (A, in the article) from 36 to 14. The 432 iterations becomes 168.

I'm sure there are other optimisations I'm missing!

rocqua8y ago

It seems like an interesting complication here comes from the subject line. I idly wonder how to handle the case where the subject line had been much larger and had much overlap with the password.

kordless8y ago

Considering how much effort this took, I'm wondering if learning to be more patient might also be an option?

snek8y ago

mfw already posted like two weeks ago

ColinWright8y ago

You're too optimistic:

https://news.ycombinator.com/item?id=14108223 (17 days)

https://news.ycombinator.com/item?id=14076918 (20 days)

https://news.ycombinator.com/item?id=14071188 (21 days)

https://news.ycombinator.com/item?id=14054289 (23 days)

https://news.ycombinator.com/item?id=14051671 (24 days)

None have any comments, very few upvotes, so maybe it's worth another chance. Personally, I found it unreadable. I'm sure others will find it fascinating and be able to get past the IN YOUR FACE style and flashing graphics.

Oh, and FWIW, I didn't downvote you.

glubGlub8y ago

And it has NOTHING TO DO WITH REDDIT.

m0atz8y ago

This literally is fucking awesome.

j / k navigate · click thread line to collapse

17 comments

jedberg8y ago

Clickbait title much? This basically has nothing at all to do with reddit. You could replace the word reddit with Facebook in this article and it would be exactly the same.

That being said, it was pretty clever to take advantage of an enumeration attack on another service that wasn't protecting against enumeration attacks on the feature because frankly, why would they?

wand3r8y ago

> click bait title

No. I went in expecting it to be about a guy who lost his own password to Reddit and had to crack it.

Spoiler: That's what the article was about.

jedberg8y ago

Your expectations were low then. I expected an article about a guy who lost his reddit password and used the features of the reddit website to crack it.

This article, while interesting, is really just about general password cracking.

2 more replies

et-al8y ago

He hardly cracked his password. He played Hangman. I would hope there's no service out there that lets you guess passwords like this.

"Is there an F in your password? Yes, you have one F, now guess again..."

1 more reply

BlackLotus898y ago

It was a "recovery" and not a crack if you store your password somewhere and lose direct access to it it's not really cracking when you guess.

letter_me_later8y ago

Uh. No.

The article is a subversive ad for http://lettermelater.com and little more.

Retr0spectrum8y ago

This sort of challenge comes up in CTFs quite often. Here's a writeup of one from PicoCTF 2017 (not mine): https://github.com/Caesurus/PicoCTF2017/tree/master/l3_noeye...

stu-harvey8y ago

Working link: https://medium.freecodecamp.com/the-time-i-had-to-crack-my-o...

hiisukun8y ago

Perhaps because I'm new to this stuff, I enjoyed the writeup. I wonder if I'm out of place expecting a single run through of a-z 0-9 to determine the range of chars present in the password?

It turns out (due to repeated chars) to only have 14 unique chars. This single run through would have reduced the alphabet size (A, in the article) from 36 to 14. The 432 iterations becomes 168.

I'm sure there are other optimisations I'm missing!

rocqua8y ago

It seems like an interesting complication here comes from the subject line. I idly wonder how to handle the case where the subject line had been much larger and had much overlap with the password.

kordless8y ago

Considering how much effort this took, I'm wondering if learning to be more patient might also be an option?

snek8y ago

mfw already posted like two weeks ago

ColinWright8y ago

You're too optimistic:

https://news.ycombinator.com/item?id=14108223 (17 days)

https://news.ycombinator.com/item?id=14076918 (20 days)

https://news.ycombinator.com/item?id=14071188 (21 days)

https://news.ycombinator.com/item?id=14054289 (23 days)

https://news.ycombinator.com/item?id=14051671 (24 days)

Oh, and FWIW, I didn't downvote you.

glubGlub8y ago

And it has NOTHING TO DO WITH REDDIT.

m0atz8y ago

This literally is fucking awesome.

j / k navigate · click thread line to collapse