How does HN automatically remove your password if you type it as a comment?
5 points by YPCrumble on Nov 29, 2016 | 10 comments
This comment [1] suggests that if you type your password HN will remove it automatically. It appears this is correct, because in some places this person's comment is "-- removed --" while in others it contains "(removed automatically)".

How does this work? I'm assuming HN uses a hashed and salted password. Does this mean that HN compares every word you submit in a comment against your password to make sure you haven't typed it in your comment? It seems like that would be enormously computationally intensive.

Or, is this just a silly joke comment?

[1] https://news.ycombinator.com/reply?id=13066958&goto=item%3Fid%3D13065670%2313066958



Joke comment. It is related to the hunter2 IRC conversation from back in the day:

http://bash.org/?244321

As you can see &u5Tjlo6@K76 passwords are displayed correctly (that password was changed within 1 sec after this comment was posted).


1 second ... enough time to swear out loud too.


hunter2

Yep all asterisks here! ;)


People used this trick so much in Runescape that passwords were actually censored.

I remember someone from Runescape posting here. I would love to know how that worked.


Maybe look at the hash of pwd against what is written; if it matches then remove it. Perhaps don't do it if it is a dictionary word, and/or look at context like:

"@$gsdg2$1sF" is definitely a password, so hide it

"horse" is dictionary so don't hide it

"my password is horse" is dictionary but in a pwd context, so hide it. Maybe look at phrases beforehand, like "what is pwd" .. "horse".

Actually I have no idea, seems like a hard but interesting problem.

----

Maybe they have password requirements (min chars/capitals/numbers/special signs) that they can look at; that way they could easily identify all written passwords based on their regex and just hide them based on that. This would also remove all dictionary-word passwords or the context stuff I mentioned above.

This seems like an easy solution, hopefully there are no contexts where e.g. "Red$#123!" would be a word that is used apart from in a password one.
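The hash-and-compare idea in the comment above, and the cost concern in the original question, are easy to make concrete. The following is an added example, not HN's code (HN's actual password scheme is not public); it assumes a salted PBKDF2-HMAC-SHA256 record and a filter that re-derives the KDF for every whitespace-delimited token of a comment. The names (`make_record`, `verify`, `redact`) and the sample passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
import re
import time

# Assumption for this demo: the site stores salted PBKDF2-HMAC-SHA256 hashes.
# HN's real scheme is not public; the point here is the cost model, not the KDF.
ITERATIONS = 20_000  # kept low so the demo runs fast; production uses far more

REDACTED = "(removed automatically)"
TOKEN_RE = re.compile(r"\S+")


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Constructed stored-credential record: random salt + PBKDF2 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations}


def verify(candidate: str, record: dict) -> bool:
    """One KDF run: re-derive with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


def redact(comment: str, record: dict) -> tuple[str, int]:
    """Naive filter from the thread: hash every whitespace-delimited token with
    the commenter's own salt and compare it to their stored hash.

    Returns (redacted_text, kdf_runs). kdf_runs grows with the comment length,
    and each run costs as much as a login attempt, which is the problem."""
    kdf_runs = 0

    def replace(match: re.Match) -> str:
        nonlocal kdf_runs
        kdf_runs += 1
        token = match.group(0)
        return REDACTED if verify(token, record) else token

    return TOKEN_RE.sub(replace, comment), kdf_runs


if __name__ == "__main__":
    rec = make_record("Tr0ub4dor&3")  # constructed sample password
    text, runs = redact("my password is Tr0ub4dor&3 lol", rec)
    print(text, "| KDF runs:", runs)

    # Cost model: a comment of N tokens means N full KDF runs per submission.
    start = time.perf_counter()
    _, n = redact(" ".join(["word"] * 100), rec)
    elapsed = time.perf_counter() - start
    print(f"{n} tokens -> {elapsed:.2f}s; ~{elapsed / n * 1000:.1f} ms per token")

    # Dictionary-word passwords get redacted wherever they appear.
    horse = make_record("horse")
    print(redact("I rode a horse today", horse)[0])
```

Two things fall out of running it. Every token costs one full KDF derivation, so a long comment costs as much as hundreds of login attempts, and a token like "hunter2." with trailing punctuation is not even caught; a real filter would have to try stripped variants and substrings too, multiplying the runs. And the only way to avoid redacting "horse" for a user whose password is "horse" is to know the password is a dictionary word, which the hash alone does not tell you.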


> they could easily identify all written passwords based on their regex

That seems unlikely.


How come?


I think your reasoning is correct: there is no efficient way to do this while storing only a hashed password. Also, it would be out-of-character for the minimalism of the site. I'd go with "joke", although I'm not sure whether it's intended to be "silly" or "cruel".


I'd be willing to guess a fair number of users have dictionary words as passwords. Some people don't care, or have throwaways, etc.

If this were actually implemented, you could censor a word or phrase site wide simply by making it your password.

HN definitely doesn't, and no service should.


Yeah imagine how that would turn out.

"I'm just a code [automatically removed]."



