• emedchill 2 days ago |
    Having special characters is a good idea but having a comma just to break a CSV is dumb. This would only happen if the hacker used a bad exporter or created their own (very poorly).
    • freedomben 2 days ago |
      Yeah, this is silly. Pretty much every serializer in existence is going to handle this case. If the attacker wrote their own, then you might get lucky.
      • aeonik a day ago |
        AFAIU CSV is fundamentally ambiguous and can't actually be parsed in a fully deterministic way.

        Edge cases get hard when dealing with nested commas, and there's no standard escape sequence.

        Probably matters less with a two column arrangement, but things get really hairy really fast when you start adding types or BLOBs in the CSV.

        • gruez a day ago |
          AFAIK it's only "ambiguous" in the sense that if you get a csv file you can't determine the exact parsing behavior to use, but if you know what program created the csv (or what encoder options were used), it's not ambiguous to parse.

          >but things get really hairy really fast when you start adding types or BLOBs in the CSV.

          AFAIK BLOBs are hex encoded, which make them a non issue.

          • lazide a day ago |
            Hah! Half the time people will even do silly things like cat together multiple CSVs from different sources.

            If blobs got consistently hex encoded, that would also be nice. Base64 is common, and there are multiple types of base64 encoding people use too.

            Personally, I tend to think of CSV imports as something you can expect to have a ‘yield’ - and it’s never 100%.

            • amy-petrik-214 13 hours ago |
              yea so just do BSV or bell separated file. We already have "\n" newline separated files. We just need a cell separator, '\b'. Problem solved.
              • lazide 7 hours ago |
                On the plus side, accidentally cat’ng it to your terminal will be pleasantly musical.
  • transfire 2 days ago |
    Use quotes too then!
    • fsckboy 2 days ago |
      ","

      break it, but not in a way that throws a parse error

      • qrios a day ago |
        What about \""\t\n"?
    • hackeraccount 21 hours ago |
      Have you ever used quotes in a password? I did. iOS was constantly changing quotes into smart quotes. Super annoying for those times when I had to actually type in my password.
  • Asraelite 2 days ago |
    On the other hand, if you go out of your way to pollute the data and the hacker debugs the resulting errors and finds you as the culprit, they may target you as a form of petty revenge.
    • teruakohatu a day ago |
      In R, libraries will often tell you when there is a parsing anomaly and which line it occurs with. The first thing I do is examine those lines closely!
  • accra4rx 2 days ago |
    Commas are very common, and probably more common when many organizations are enforcing a special character policy. For those big exports, they are probably not dumping out as CSV; it would be a lightweight DB file. I assume SQLite.
    • c22 a day ago |
      This is why all my passwords have '); drop table passwords; somewhere in there.
    • itscrush a day ago |
      Yea good assumption, SQLMap for instance, defaults --dump to .csv with sqlite as an option if you're just looking for a simpler test point. Plenty of other tooling options out there too. Tooling providing your encoding during dump will overcome the ',' concern though, no?

      https://highon.coffee/blog/sqlmap-cheat-sheet/#sqlmap-dump-d...

  • AStonesThrow 2 days ago |
    I alternate between infrared and ultraviolet salts to foil rainbow tables
  • naikrovek a day ago |
    Any competent CSV parser will see straight through that.
    • eps a day ago |
      It's to force simplistic dumpers to produce invalid CSVs.
  • more_corn a day ago |
    But can’t the hacker just write a small function to fix that? If I found a comma in the third position in a hash crack I might assume it’s part of the password and not a column separator.
  • kibibu a day ago |
    Alternatively, include mojibake in your passwords so attackers think they have a unicode encoding bug
  • iknowstuff a day ago |
    i’m surprised a link to a toot which is just an incorrect meme no longer than the title of the submission itself would get upvoted here
    • amatecha a day ago |
      The HN title is 77 chars, the linked post is 98 chars. If you're going to criticize something about the post at least be correct in your assertions :P
      • kotaKat a day ago |
        77, 98 - what's the difference when you write 135 complaining about it? ;)
      • iknowstuff 17 hours ago |
        how dare you
  • bitbasher a day ago |
    I prefer to use zero-width joiners in my passwords and usernames to really give db dumpers a fun time.
    • kmoser a day ago |
      Include a few control characters for good measure.
      • lazide a day ago |
        In my experience, nothing says fun times in a data dump like null ‘characters’!
    • jb1991 a day ago |
      Hackers will often dox someone they are very annoyed with, and it sounds like this is a good bait for that.
  • pavo-etc a day ago |
    Seeing posts linked to my little mastodon instance feels so strange, in a good way
  • kazinator a day ago |
    The reason you might want to put such a character in a password is not in case it might leak, but in order to break the idiotic system which stores and handles those passwords in plain text. I would use a double quote and a single quote. That will break things if passwords are wrapped in quotes without escaping.
    • AStonesThrow a day ago |
      PRO TIP: You can also use % to punish incorrect use of printf(3), $ to punish use of "eval" in Perl and bash, <> to break HTML parsing, * to punish overzealous filename globbing, & to set off forkbombs on the unsuspecting victims, +++ATH0 to make their modems hang up, and ! to prevent transmission via UUCP.
      • kazinator a day ago |
        And then back into a corner, splash a can of paint in every direction, put your head between your knees, and wait for WWIII. (If it doesn't start by the time the paint dries, do it all over again tomorrow.)
  • rufus_foreman a day ago |
    Always drive a stick shift, no young person will be able to steal your car.
    • jamesfinlayson a day ago |
      True - a friend of mine worked in a dangerous part of the world and was car-jacked in a manual car. As soon as the car-jacker was behind the wheel they realised they couldn't drive the car and gave up.
      • DowsingSpoon a day ago |
        My brother had a stick shift. Kids broke into his car and proceeded to drive it 15 feet into a pole and abandon it. Whole thing was caught on camera too.
    • syndicatedjelly a day ago |
      Always pull the fuel pump fuse before leaving your car, then no one can ever even drive your car.
      • doubled112 a day ago |
        I had a friend whose clutch switch failed. Like most cars, it wouldn't start because it couldn't detect that you'd depressed the clutch.

        He added a toggle switch under the dash instead of fixing the clutch switch. He figured it'd be some poor man's anti theft.

        I think it would have worked. It was pretty fun having friends try to move his car for a while.

  • mariusor a day ago |
    I always use both a comma and a semicolon. Just to cover more bases.
  • boffinAudio a day ago |
    I like to have some variation of ":(){ :|:& };:" in most of my metadata somewhere ..
  • jpl56 a day ago |
    HN and Toot look robust, considering all the comments with separator examples. Perhaps some comments were detected and rejected.
  • solarkraft 20 hours ago |
    These people will be shocked to learn about escaping
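As an added illustration of the escaping point made throughout this thread (it is not code from any commenter or from the linked post), here is a minimal RFC 4180-style CSV writer and parser in Python. Fields containing a delimiter, a quote or a line break are wrapped in double quotes and embedded quotes are doubled; that is the only escape mechanism the format defines. The sample rows are constructed and include the values proposed above (a comma in the third position, `","`, `\""\t\n"`, the `'); drop table passwords;` string, zero-width joiners and a NUL byte) to show that a quoting-aware serializer round-trips all of them, while a split-on-commas "simplistic dumper" miscounts columns on exactly the rows the trick targets.

```python
# Added example, not from the thread: RFC 4180-style quoting versus naive splitting.
# All sample data below is constructed for the demonstration.

DELIM = ","
QUOTE = '"'
SPECIAL = {DELIM, QUOTE, "\n", "\r"}


def quote_field(value: str) -> str:
    """Quote a field only if it contains a delimiter, a quote or a line break.
    Embedded quotes are doubled, which is the only escape RFC 4180 defines."""
    if any(ch in SPECIAL for ch in value):
        return QUOTE + value.replace(QUOTE, QUOTE * 2) + QUOTE
    return value


def write_rows(rows: list[list[str]]) -> str:
    """Serialise rows to CSV text, CRLF-terminated as RFC 4180 specifies."""
    return "".join(DELIM.join(quote_field(f) for f in row) + "\r\n" for row in rows)


def parse_csv(text: str) -> list[list[str]]:
    """Parse CSV text, honouring quoted fields that contain delimiters, doubled
    quotes and line breaks. A quote in the middle of an unquoted field is kept
    as a literal character (lenient, like most real parsers)."""
    rows, row, field = [], [], []
    in_quotes = False
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if in_quotes:
            if ch == QUOTE:
                if i + 1 < n and text[i + 1] == QUOTE:  # "" inside quotes is a literal "
                    field.append(QUOTE)
                    i += 1
                else:
                    in_quotes = False  # closing quote
            else:
                field.append(ch)  # commas and newlines are data here
        elif ch == QUOTE and not field:
            in_quotes = True  # opening quote at the start of a field
        elif ch == DELIM:
            row.append("".join(field))
            field = []
        elif ch in ("\n", "\r"):
            if ch == "\r" and i + 1 < n and text[i + 1] == "\n":
                i += 1  # treat CRLF as a single record terminator
            row.append("".join(field))
            rows.append(row)
            row, field = [], []
        else:
            field.append(ch)
        i += 1
    if field or row or in_quotes:  # last record without a trailing newline
        row.append("".join(field))
        rows.append(row)
    return rows


# Constructed "users" dump containing the thread's favourite awkward values.
SAMPLE_ROWS = [
    ["user", "secret"],
    ["alice", "ab,cdefgh"],                  # comma in the third position
    ["bob", '","'],                          # quote, comma, quote
    ["carol", '\\""\t\n"'],                  # backslash, quotes, tab, newline, quote
    ["dave", "x'); drop table passwords;"],  # harmless in CSV, no special characters
    ["erin", "pa\u200dss\u200dword"],        # zero-width joiners
    ["frank", "ab\x00cd"],                   # NUL byte, passed through as data
]


def compare(rows: list[list[str]]) -> dict:
    """Round-trip rows through the quoting-aware writer/parser, and count how
    badly a split-on-commas dumper misreads the same text."""
    text = write_rows(rows)
    naive = [line.split(DELIM) for line in text.splitlines()]
    width = len(rows[0])
    return {
        "round_trip_ok": parse_csv(text) == rows,
        "naive_rows": len(naive),
        "naive_bad_rows": sum(1 for r in naive if len(r) != width),
    }


if __name__ == "__main__":
    print(write_rows(SAMPLE_ROWS))
    print(compare(SAMPLE_ROWS))
```

Python's standard `csv.writer` and `csv.reader` with the default dialect apply the same rule (quote when needed, double embedded quotes), so the round trip above is what any competent exporter and importer already do. The caveat gruez raises still holds: the parser has to know the dialect the encoder used (delimiter, quote character, line terminator); with that known, a comma or quote in a field is just data.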