You must log in or # to comment.
That’s why I use “” to escape the commas.
Pass",“words”,“Are”,“fun”,"\n
Fuck that csv All the way up.
A perspective from someone who red teams for a living:
If I encounter a password like that, I’m probably going to pay special attention to your account among the millions. Commas dont stop most people from being weak to password permutations either.
What if it’s exported as a tsv?
Depending on the Interface, its gonna be CSV or more likely txt for burp or cred tools.
OP thinks security researchers don’t understand how to properly serialize data for correct deserialization. OP also thinks they largely use CSV.
Little bobby tables is a joke for a good reason
OP is uninformed and just found it funny and worth sharing. Good day
Security researchers are releasing password dumps? 🤔
Cybercrime isn’t “research”?
That’s a good point.
It makes me reevaluate how to categorize crime…
Does this mean burglary technically contributes to the GDP?
OP has never touched a PC in their life.
Add apostrophes to “commas” to mess with me
deleted by creator
Guys calm the fuck down. The point of this joke is not that you’ll be bulletproof a few in sort of a few commas and passwords every now and then. The point is that a lot of these guys use terrible scripts that do not parse data correctly and they dump all of this shit into large CSV files. One or two people put an errand, in there that it doesn’t expect and it fucks the whole thing sideways for the entire set everything after the asshole with the comma password gets fucked. People that know what they’re doing will be just fine with it, but scammers generally don’t know what the fuck they’re doing and they pass this data along over and over and over again it change his hands frequently. So there’s more chances for it to get fucked along the way.
It’ll just get escaped by quotes.
Thanks to my password manager, commas are among the more tame characters that occur in my passwords.
Hm, now you’re making me wonder how feasible it would be to use Emojis in my passwords…
Should work alright if the server handles Unicode correctly, and isn’t one of those ass sites that put restrictions on the password’s length and composition. Hashing functions don’t even care if you’re feeding them raw binary.
Real passwords contain ASCII 0.
Correct me if I’m wrong, but doesn’t text with commas in it get put in double quotes in acsv file to avoid this exact thing?
Like if I had cells (1A: this contains no comma), (2B: this, contains a comma), and (3C: end of line), the csv file would store (this contains no comma,“this, contains a comma”,end of line)
A CSV is just a long string of text with a few control characters tossed in for end lines. There are practically no rules enforced by the file type itself. You can dump that unsanitized and poorly awk’d data into whatever awful mess you want. Nobody’s stopping you. Sure, excel will force it’s CSV formatting rules on you when you export like a child’s training wheels. But that’s not relevant here.
Yes and no. Like yes, that can be true. But a lot of tools don’t handle commas correctly no matter how you escape them.
Only if it’s actually using a standard like rfc 4180 https://www.ietf.org/rfc/rfc4180.txt
Also just noticed it specifies CRLF as the line ending, not LF, which is kind of weird.
Also 4180 is not a standard (it says on the first page)
Don’t add apostrophes to make words plural, that’s not how it works.
Until next time
It works like that in Dutch though. For example in Dutch the plural form for “baby” is “baby’s“
So the person who made this meme probably speaks Dutch.
How* it works
Until next time
SHIT
Hey everyone! Look at @Fridgeratr@lemmy.dbzer0.com! They’re human after all!
(We all have made basic and advanced mistakes. It happens. =))
I think they just forgot a few words. “Add a comma’s beautiful presence to your passwords…”
Hey there ya go, that works!
They had to put a comma in there somewhere. Even of it was in the wrong place and upside down.
Shouldn’t that be https://en.wikipedia.org/wiki/Modifier_letter_turned_comma?
I think it’s actually to protect the words from the evil S’s.
CSV has standard escape sequences. This is pointless
See RFC-4180:
That standard won’t stop me because I can’t read!
CSV existed for over 30 years before RFC 4180. Excel, and countless other tools, have their own incompatible variants. Excel in particular is infamous for mangling separators when exporting to CSV.
Fuck Excel’s CSV handing. It differs by locale, silently. Imagine the thousands of people every year who patiently wait to import a multi-megabyte CSV from some instrument only to see garbage because their language uses the decimal comma and semicolon separator.
I think semicolon separated files should be named SSV
You would be surprised how many people are simply splitting the string on commas instead of using an actual ascii parser. Especially for one off scripts, like churning through a csv full of passwords.
yeah unless you’re dealing with some steaming pile of vibe-coded shit this is a dumb as fuck idea.
(have seen people who don’t know how to appropriately use an LLM just let it wholly reimplement standards, read it over, and then say “oh wow that works great!” smh…)
There was terrible code to long before LLMs, where do you think they got theirs from?
of course there’s always been terrible code. people used to and still do reinvent the wheel all the time, even without the help of a robot.
trust me i’m one of the last people to shit on LLMs unnecessarily. the tools coming out nowadays are the bees knees. i think vibe coding is fucking awesome and most people’s premonitions against it are things that, similar to the premise, have just always been true - most of the “evil” of vibe coding can be dealt with easily by being a not shit engineer in the first place.
plus, not every problem needs to be a software development problem through and through. sometimes you just need a webui or an api to browse a dataset, for example - it’s not opsec critical and you need it now. that’s okay. the moral police won’t come to your house and arrest you for vibe coding.
Then add escape sequence to your password!
Might as well just make a working regex and call it a password
I must say some websites fail when you do that, you can change the password and later it fails to login
fun fact, “commas” does not require an apostrophe
Single quotes are another great way to mess with unsanitized data input though
I’m watching the collective knowledge of my civilization crumble and I’m powerless to stop it
Grok, is this true?
If you have to ask Grok … : /
I have a urge to create a lemmy equivalent of grok now
Instead of Mecha Hitler, will it call itself Mecha Lenin?
I will investigate an mvp
I can help. DM me
Commas might be the comma’s property. Step off.
But then add comma’s what?
add apostrophes to your meme to reduce clarity
add apostrophes to your meme to increase engagemeot
Use EICAR test strings as passwords so when the password is stored as plain text the antivirus software will delete the file.
Sadly it wouldn’t work if found in a CSV file with other records:
According to EICAR’s specification the antivirus detects the test file only if it starts with the 68-byte test string and is not more than 128 bytes long. As a result, antiviruses are not expected to raise an alarm on some other document containing the test string
They actually thought it through, huh?
For some reason that surprises me from the AV vendors
Dude makes a whole binary of a virus his password.
Doesn’t have to be a binary file, toss the string in a txt file and the AV still throws a fit.
According to wikipedia it has to be at the beginning of the test file or it won’t work.
01001000 01100101 01101100 01101100 01101111 00101100 00100000 01110100 01101000 01101001 01110011 00100000 01101001 01110011 00100000 01101110 01101111 01110100 00100000 01100001 00100000 01110011 01110100 01110010 01101001 01101110 01100111 00100000 01101111 01100110 00100000 01100010 01101001 01101110 01100001 01110010 01111001 00100000 01110100 01101000 01100001 01110100 00100000 01110100 01101111 01110100 01100001 01101100 01101100 01111001 00100000 01110111 01101111 01101110 00100111 01110100 00100000 01101001 01101110 01100110 01100101 01100011 01110100 00100000 01111001 01101111 01110101 01110010 00100000 01110000 01101000 01101111 01101110 01100101 00100000 01101111 01110010 00100000 01100011 01101111 01101101 01110000 01110101 01110100 01100101 01110010 00100000 01110111 01101001 01110100 01101000 00100000 01100110 01110101 01110010 01110010 01111001 00100000 01110000 01101111 01110010 01101110 00101110 00100000 01010100 01101000 01100001 01110100 00100000 01101001 01110011 00100000 01100001 01101100 01101100 00101110 00101110 00101110 00100000 01000100 01101111 01101110 00100111 01110100 00100000 01100011 01101000 01100101 01100011 01101011 00100000 01101001 01101110 01110100 01100101 01110010 01101110 01100001 01101100 00100000 01110011 01110100 01101111 01110010 01100001 01100111 01100101 00101110 00100000 01010100 01101000 01100001 01101110 01101011 00100000 01111001 01101111 01110101 00100000 01111000 01101111 01111000 01101111
What is an EICAR test string?
a computer file that was developed by the European Institute for Computer Antivirus Research (EICAR) and Computer Antivirus Research Organization to test the response of computer antivirus programs. Instead of using real malware, which could cause real damage, this test file allows people to test anti-virus software without having to use real malware.
This sounds like a step towards computer vaccines, and I’m not about to let my computer get autism, thank you.
Joke’s on you, all computers are autistic.
This is cs101 smh
Sir this is a cs101
deleted by creator
I am really liking this place.
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
A specific string of text that you can use to test your AV without actually grabbing a virus.
deleted by creator
Unfortunately there is significant overlap between plain-text-password-servers and servers that can’t be bothered to use antivirus. Also, the string may not work if it’s not at the start of the file. AV often doesn’t process the whole file for efficiency purposes.
It’s not about the password on the server where you want to log in, it’s about CSV files stored on the machine of the cybercrook who wants to use the passwords to steal people’s identities.
According to EICAR’s specification the antivirus detects the test file only if it starts with the 68-byte test string and is not more than 128 bytes long.
Unless you’re the only one in the dump, no :c
unfortunately, nearly all AV abides by the “cannot be larger than 68 bytes” rule
