MyBB Community Forums

Full Version: Profanity in generated password?
I received an email from a forum member who claimed that he had been emailed an automatically generated password with a four-letter profanity in it. Yes, seriously.

Here is part of the email he forwarded me, edited to preserve personal info and to ensure that it passes any profanity filters:

Subject: New password at XXXX Forums
Reply-To: xxx
username,
Your password at XXXX Forums has been reset.
Your new password is: EdZwF*CK

*=U and was also an upper case letter.

Is this guy pulling my leg?

Is it possible that someone on the dev team thought this might be funny?

If this was random chance, which seems unlikely, particularly when all letters are in upper case, then is it worth checking these random strings for profanity?

MyBB Version 1.8.14
there is a rare possibility of getting such words
and they should not be taken seriously.

there can be many such words in our languages &
can't be eliminated easily from the random strings.
(2018-01-03, 04:53 AM).m. Wrote: there is a rare possibility of getting such words
and they should not be taken seriously.

there can be many such words in our languages &
can't be eliminated easily from the random strings.

Somebody check my math here. Given that both lower and upper case characters are included, each character has, at a minimum, a 1 in 52 chance of being generated. So for four such characters there are 7.3 million possibilities. This implies that there is a 1 in 7.3 million chance of generating any set of four characters. That is rare indeed, but not impossible. If you generate one string every second, it would take, on average, 84 days to generate that specific string.

Therefore this is a real problem that should be addressed. Doing so would not be so difficult. It would only take a few minutes to write the code to check a string for a list of such words. If such a string was found, just ask for another random string.
(2018-01-03, 06:05 AM)skyhound Wrote: That is rare indeed, but not impossible.

Correct. It's not as though they thought it was funny and just said "ah. f*ck it."
(2018-01-03, 06:05 AM)skyhound Wrote: So for four such characters there are 7.3 million possibilities.

Times 5 to account for different positions in the string - ~36.6 M possibilities, or ~585 M if accepting mixed letter case, or finally ~1 182.4 M if also including numbers in the sample space (0.00054%).

Checking for all controversial sequences could shave off a significant part of the search space making these security-related probabilities more ambiguous and possibly board-specific (if the software was to check the values against the word filter).

Confirmation codes should be tucked away in reset links (so not directly exposed) and passwords shouldn't be included in messages at all, which is likely the approach we'll see in future branches.
(2018-01-03, 02:49 PM)Devilshakerz Wrote:
(2018-01-03, 06:05 AM)skyhound Wrote: So for four such characters there are 7.3 million possibilities.

Times 5 to account for different positions in the string - ~36.6 M possibilities, or ~585 M if accepting mixed letter case, or finally ~1 182.4 M if also including numbers in the sample space (0.00054%).

Checking for all controversial sequences could shave off a significant part of the search space making these security-related probabilities more ambiguous and possibly board-specific (if the software was to check the values against the word filter).

Confirmation codes should be tucked away in reset links (so not directly exposed) and passwords shouldn't be included in messages at all, which is likely the approach we'll see in future branches.

This type of statistics isn't my forte but I don't think the factor of five is warranted when considering the possibility of any four characters. Also, I already considered mixed case. Adding numbers gets us to 62 characters, which leads to 1 in 15 million.

I doubt very much if checking a few strings would make a significant impact, given the long odds. I am not suggesting hundreds or even dozens of strings to check. Just a few or a half dozen at most.

Your final point is quite true, but unless it is going to be implemented soon, I believe the small investment in coding time to check the strings would be well worth it.
(2018-01-03, 05:42 PM)skyhound Wrote:
(2018-01-03, 02:49 PM)Devilshakerz Wrote:
(2018-01-03, 06:05 AM)skyhound Wrote: So for four such characters there are 7.3 million possibilities.

Times 5 to account for different positions in the string - ~36.6 M possibilities, or ~585 M if accepting mixed letter case, or finally ~1 182.4 M if also including numbers in the sample space (0.00054%).

Checking for all controversial sequences could shave off a significant part of the search space making these security-related probabilities more ambiguous and possibly board-specific (if the software was to check the values against the word filter).

Confirmation codes should be tucked away in reset links (so not directly exposed) and passwords shouldn't be included in messages at all, which is likely the approach we'll see in future branches.

This type of statistics isn't my forte but I don't think the factor of five is warranted when considering the possibility of any four characters. Also, I already considered mixed case. Adding numbers gets us to 62 characters, which leads to 1 in 15 million.

See https://math.stackexchange.com/questions...181#726181 - the expression for this particular problem would be https://www.wolframalpha.com/input/?i=(5...%2F+62%5E8 (5 is possible starting positions, 2^4 is the 4 upper or lower case letters from which the word can be composed, 62^4 is the remaining 4 random characters, 62^8 is sample space; for accurate computation[1] we could also subtract 1 from the numerator).
62^4 would give the number of possible combinations in the WORDxxxx form, while the word can appear anywhere.
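The exact version of the calculation Devilshakerz sketches above, as an added example that is not part of the original thread or of MyBB: it assumes the thread's 8-character password drawn uniformly from 62 symbols (a-z, A-Z, 0-9), a placeholder 4-letter word WORD standing in for the real one, and it also includes the case-insensitive substring test skyhound proposed, so the two sides' numbers can be compared on the same footing.

```python
"""Exact probability that a random password contains a given word anywhere,
in any mix of letter case (inclusion-exclusion over start positions)."""
import math
from itertools import combinations

# Constructed sample alphabet matching the thread's 62-symbol assumption.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
WORD = "WORD"  # placeholder for the 4-letter word in the thread (assumption)


def contains_word(password: str, words) -> bool:
    """The check skyhound proposes: case-insensitive substring, any position."""
    lowered = password.lower()
    return any(w.lower() in lowered for w in words)


def count_matching(word_len=4, pw_len=8, alphabet_size=62) -> int:
    """Number of pw_len strings containing the word at least once.
    Assumes the word cannot overlap itself (true for WORD), so two
    occurrences must start at least word_len characters apart."""
    positions = range(pw_len - word_len + 1)   # 5 start positions for 8/4
    case_variants = 2 ** word_len              # 2^4 upper/lower spellings
    total = 0
    for k in range(1, len(positions) + 1):
        for subset in combinations(positions, k):
            # skip position sets whose occurrences would overlap (impossible)
            if any(b - a < word_len for a, b in zip(subset, subset[1:])):
                continue
            free = pw_len - word_len * k       # characters left unconstrained
            total += (-1) ** (k + 1) * case_variants ** k * alphabet_size ** free
    return total


def probability(word_len=4, pw_len=8, alphabet_size=62) -> float:
    return count_matching(word_len, pw_len, alphabet_size) / alphabet_size ** pw_len


def entropy_loss_bits(word_len=4, pw_len=8, alphabet_size=62) -> float:
    """Bits removed from the keyspace if all such strings were rejected."""
    return -math.log2(1 - probability(word_len, pw_len, alphabet_size))


if __name__ == "__main__":
    print(count_matching())                 # 5*16*62^4 - 16^2 = 1182106624
    print(f"{probability():.3e}")           # ~5.414e-06, i.e. ~0.00054 %
    print(f"{entropy_loss_bits():.2e} bits lost by rejecting them")
    print(contains_word("EdZwWoRd", [WORD]))  # True
```

The k=2 term is the only correction for an 8/4 layout (occurrences at positions 0 and 4), which is why the simple 5 * 2^4 * 62^4 estimate is already within 256 strings of the exact count.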
(2018-01-03, 06:11 PM)Devilshakerz Wrote:
(2018-01-03, 05:42 PM)skyhound Wrote:
(2018-01-03, 02:49 PM)Devilshakerz Wrote:
(2018-01-03, 06:05 AM)skyhound Wrote: So for four such characters there are 7.3 million possibilities.

Times 5 to account for different positions in the string - ~36.6 M possibilities, or ~585 M if accepting mixed letter case, or finally ~1 182.4 M if also including numbers in the sample space (0.00054%).

Checking for all controversial sequences could shave off a significant part of the search space making these security-related probabilities more ambiguous and possibly board-specific (if the software was to check the values against the word filter).

Confirmation codes should be tucked away in reset links (so not directly exposed) and passwords shouldn't be included in messages at all, which is likely the approach we'll see in future branches.

This type of statistics isn't my forte but I don't think the factor of five is warranted when considering the possibility of any four characters. Also, I already considered mixed case. Adding numbers gets us to 62 characters, which leads to 1 in 15 million.

See https://math.stackexchange.com/questions...181#726181 - the expression for this particular problem would be https://www.wolframalpha.com/input/?i=(5...%2F+62%5E8 (5 is possible starting positions, 2^4 is the 4 upper or lower case letters from which the word can be composed, 62^4 is the remaining 4 random characters, 62^8 is sample space; for accurate computation[1] we could also subtract 1 from the numerator).
62^4 would give the number of possible combinations in the WORDxxxx form, while the word can appear anywhere.

Cool
(2018-01-03, 05:42 PM)skyhound Wrote: Your final point is quite true, but unless it is going to be implemented soon, I believe the small investment in coding time to check the strings would be well worth it.

Small investment? You really aren't thinking this through.

In order to filter like you are suggesting, we would have to create a black list for every offensive combination possible in EVERY language. This is just a little bit ridiculous.
(2018-01-04, 12:55 AM)Wildcard Wrote:
(2018-01-03, 05:42 PM)skyhound Wrote: Your final point is quite true, but unless it is going to be implemented soon, I believe the small investment in coding time to check the strings would be well worth it.

Small investment? You really aren't thinking this through.

In order to filter like you are suggesting, we would have to create a black list for every offensive combination possible in EVERY language. This is just a little bit ridiculous.

I concur.

I further agree that Devilshakerz is correct in his assertion they should only be in links:

Quote: Confirmation codes should be tucked away in reset links (so not directly exposed) and passwords shouldn't be included in messages at all, which is likely the approach we'll see in future branches.

This is a far better line to go down; you do not need to create a blacklist.

All this is likely moot as there's bound to be a composer package.