You must log in or # to comment.
… and apostrophes to your plurals?
Use EICAR test strings as passwords so when the password is stored as plain text the antivirus software will delete the file.
unfortunately, nearly all AV abides by the “cannot be larger than 68 bytes” rule
According to EICAR’s specification the antivirus detects the test file only if it starts with the 68-byte test string and is not more than 128 bytes long.
Unless you’re the only one in the dump, no :c
Unfortunately there is significant overlap between plain-text-password-servers and servers that can’t be bothered to use antivirus. Also, the string may not work if it’s not at the start of the file. AV often doesn’t process the whole file for efficiency purposes.
It’s not about the password on the server where you want to log in, it’s about CSV files stored on the machine of the cybercrook who wants to use the passwords to steal people’s identities.
Dude makes a whole binary of a virus his password.
01001000 01100101 01101100 01101100 01101111 00101100 00100000 01110100 01101000 01101001 01110011 00100000 01101001 01110011 00100000 01101110 01101111 01110100 00100000 01100001 00100000 01110011 01110100 01110010 01101001 01101110 01100111 00100000 01101111 01100110 00100000 01100010 01101001 01101110 01100001 01110010 01111001 00100000 01110100 01101000 01100001 01110100 00100000 01110100 01101111 01110100 01100001 01101100 01101100 01111001 00100000 01110111 01101111 01101110 00100111 01110100 00100000 01101001 01101110 01100110 01100101 01100011 01110100 00100000 01111001 01101111 01110101 01110010 00100000 01110000 01101000 01101111 01101110 01100101 00100000 01101111 01110010 00100000 01100011 01101111 01101101 01110000 01110101 01110100 01100101 01110010 00100000 01110111 01101001 01110100 01101000 00100000 01100110 01110101 01110010 01110010 01111001 00100000 01110000 01101111 01110010 01101110 00101110 00100000 01010100 01101000 01100001 01110100 00100000 01101001 01110011 00100000 01100001 01101100 01101100 00101110 00101110 00101110 00100000 01000100 01101111 01101110 00100111 01110100 00100000 01100011 01101000 01100101 01100011 01101011 00100000 01101001 01101110 01110100 01100101 01110010 01101110 01100001 01101100 00100000 01110011 01110100 01101111 01110010 01100001 01100111 01100101 00101110 00100000 01010100 01101000 01100001 01101110 01101011 00100000 01111001 01101111 01110101 00100000 01111000 01101111 01111000 01101111
Doesn’t have to be a binary file, toss the string in a txt file and the AV still throws a fit.
According to wikipedia it has to be at the beginning of the test file or it won’t work.
What is an EICAR test string?
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
a computer file that was developed by the European Institute for Computer Antivirus Research (EICAR) and Computer Antivirus Research Organization to test the response of computer antivirus programs. Instead of using real malware, which could cause real damage, this test file allows people to test anti-virus software without having to use real malware.
This sounds like a step towards computer vaccines, and I’m not about to let my computer get autism, thank you.
Joke’s on you, all computers are autistic.
This is cs101 smh
Sir this is a cs101
I am really liking this place.
A specific string of text that you can use to test your AV without actually grabbing a virus.
Sadly it wouldn’t work if found in a CSV file with other records:
According to EICAR’s specification the antivirus detects the test file only if it starts with the 68-byte test string and is not more than 128 bytes long. As a result, antiviruses are not expected to raise an alarm on some other document containing the test string
They actually thought it through, huh?
For some reason that surprises me from the AV vendors
Guys calm the fuck down. The point of this joke is not that you’ll be bulletproof a few in sort of a few commas and passwords every now and then. The point is that a lot of these guys use terrible scripts that do not parse data correctly and they dump all of this shit into large CSV files. One or two people put an errand, in there that it doesn’t expect and it fucks the whole thing sideways for the entire set everything after the asshole with the comma password gets fucked. People that know what they’re doing will be just fine with it, but scammers generally don’t know what the fuck they’re doing and they pass this data along over and over and over again it change his hands frequently. So there’s more chances for it to get fucked along the way.
Use a long series of spaces as your password. At least that way they’ll have to do a double take when they crack the hash.
From personal experience, whenever I’ve put a space in, I am told that spaces are not allowed. I tend to resort to using the minus sign " - " or the underscore sign " _ " in its place.
OP thinks security researchers don’t understand how to properly serialize data for correct deserialization. OP also thinks they largely use CSV.
OP is uninformed and just found it funny and worth sharing. Good day
Little bobby tables is a joke for a good reason
Security researchers are releasing password dumps? 🤔
Cybercrime isn’t “research”?
That’s a good point.
It makes me reevaluate how to categorize crime…
Does this mean burglary technically contributes to the GDP?It’s a form of wealth sharing.
Money changing hands
OP has never touched a PC in their life.
Sadly, no. CSV files can deal with embedded commas via quoting or escaping. Given that most of the dumps are going to be put together and consumed via common libraries (e.g.python’s csv module), that’s all going to happen automagically.
\"?Once in a while you come across fools like me who write it all from scratch cause it’s fun. Live and learn
Can be != will be
You’re looping over 50M records, extracting into your csv. Did you bother using the appropriate library, or did your little perl script just do
split(/,/,$line)What about quotes (single/double) and \s mixed with commas?
Everything you can use for a password can be escaped out of a csv. Partially because csvs have to be interoperable with databases for a bunch of different reasons, and databases are where your passwords are stored (though ideally not in plaintext). There’s no way that I can think of to poison your password for a data breach that wouldn’t also poison the password database for the service you’re trying to log into.
Gotcha, that’s what I was thinking as well. I haven’t done any software development in a long time (I have a degree in it, but professional career sent me down another path in tech), so my memory on input sanitization is very rusty. Thanks for the response!
Interesting… I wrote a gag comment about using an SQL injection as my password and crashed the Lemmy API. Using connect if that makes any difference.
Crazy
Bobby’, –
Like the Bobby tables? Can u put it in a coffee?
noice! Did the ‘; DROP TABLE USERS;’ respond?
Almost line for line. A wall of XML popped up when I hit submit. Looks like yours went through.
Can you make a pastebin of the text? I’m curious.
Trying. Can’t seem to replicate the string. Maybe if it happens again.
SQL injection in the big 2025…
Friend, we’re still seeing publicly exposed plaintext credentials in 2025…
I haven’t kept up with the cybersecurity world recently. Ever since I graduated I’ve just been completely fed up with IT. Is there a story behind this? Has a major service done this lately?
add apostrophes to your meme to reduce clarity
That’s why I use “” to escape the commas.
csv’s are a horrible format. Tabs are superior in almost all use cases except that 0.00001% use case where someone has put a tab in their name.
Never heard of a tsv
Get the…
Get the HELL outta here
Get OUTTA HERE NOWI don’t get the joke… ?
I am assuming there really is a standardized format that uses tabs? Or do you just see it as intuitive to replace the commas with tabs? I’m really curious. I haven’t typically worked with huge datasets but when I’ve worked with exported/transitional data stored in files it is normally either a json or a csv (or a mysql export).
Bit of a joke related to bringing “what is TSV” to an “intense” TSV vs CSV debate.
As for TSV itself, it’s a widely used standard from 32 years ago, and is often a default record delimiter when used with GNU/POSIX tools.
It mostly exists as legacy at this point, as people now prefer quoted values like those given in CSV (ver2) and JSON formats.
Also most of (continental) Europe uses semi-colon delimiter, because comma is decimal separator.
I hate this so much, decimal localisation should be visually represented and saved with decimal points.
It’s only decimal “point” in English though.
Ah, ok. Thanks for this response!
Wow an actual unpopular opinion. They’re always in the comments.
wink!
ASCII values 0x1C through 0x1F: are we a joke to you?
I use 9 from this, and that’s all I need! Though I am curious as to what a vertical tab looks like
Momentary flashback to when I put the bell in the command prompt format. Every time you pressed enter or a command finished, beep.
Couldn’t get it to work on Linux though.
Needs the Taco Bell bong
I still hear the damn chime when working on a Windows 11 PC terminal. Every damn time.
I cannot even imagine how that is useful on a terminal in the eighties
It’ll just get escaped by quotes.
Little Bobby Passwords
Correct me if I’m wrong, but doesn’t text with commas in it get put in double quotes in acsv file to avoid this exact thing?
Like if I had cells (1A: this contains no comma), (2B: this contains a, comma), and (3C: end of line), the csv file would store (this contains no comma,“this contains a, comma”, end of line)
Only if it’s actually using a standard like rfc 4180 https://www.ietf.org/rfc/rfc4180.txt
Also just noticed it specifies CRLF as the line ending, not LF, which is kind of weird.
Also 4180 is not a standard (it says on the first page)
Yes and no. Like yes, that can be true. But a lot of tools don’t handle commas correctly no matter how you escape them.
A CSV is just a long string of text with a few control characters tossed in for end lines. There are practically no rules enforced by the file type itself. You can dump that unsanitized and poorly awk’d data into whatever awful mess you want. Nobody’s stopping you. Sure, excel will force it’s CSV formatting rules on you when you export like a child’s training wheels. But that’s not relevant here.
Pass",“words”,“Are”,“fun”,"\n
Fuck that cav All the way up.
intermix the , and the ; as well, in case the CSV uses a different separator.
A perspective from someone who red teams for a living:
If I encounter a password like that, I’m probably going to pay special attention to your account among the millions. Commas dont stop most people from being weak to password permutations either.
Yup. Tis a joke.
If you’re manually checking the 12 million username password pairs in the leaked database you aren’t really going to breach many accounts before people update their passwords, are you?
I’m referring to when it breaks my tooling and I’m forced to dig into the problem.
What if it’s exported as a tsv?
Then I’m f’d because it’s really hard to enter tabs in most password text fields.
I must say some websites fail when you do that, you can change the password and later it fails to login
