Difference between revisions of "2700: Account Problems"

Explain xkcd: It's 'cause you're dumb.
Jump to: navigation, search
(Undo revision 299229 by 162.158.107.56 (talk))
(Redundant (I think))
Line 22: Line 22:
  
 
This has implications for security. If users are able to add or remove null terminators at will, then they can exploit C's string reading mechanisms in order to read data in a way not intended by the software programmers. If a malicious user is successful in doing this, they may be able to intentionally cause security problems on the computer, such as infecting it with malware.
 
This has implications for security. If users are able to add or remove null terminators at will, then they can exploit C's string reading mechanisms in order to read data in a way not intended by the software programmers. If a malicious user is successful in doing this, they may be able to intentionally cause security problems on the computer, such as infecting it with malware.
 
Based on Ponytail's reaction, this is not the first time Cueball has come to her with strange problems. Based on Cueball's reaction, it does not look like he was purposely trying to exploit a security vulnerability, but instead ended up in this situation through some mysterious, unexplained happenstance.
 
  
 
Cueball notes that his password contains a "special character", which is a typical requirement imposed on users. However, in most contexts, "special character" means an ordinary printable character, other than letters or numbers, that can be typed on a normal keyboard and seen on the screen. Cueball's use of "special" is technically true, as null terminals do have a specialized purpose; but his word usage is not in keeping with the way that phrase is normally understood.
 
Cueball notes that his password contains a "special character", which is a typical requirement imposed on users. However, in most contexts, "special character" means an ordinary printable character, other than letters or numbers, that can be typed on a normal keyboard and seen on the screen. Cueball's use of "special" is technically true, as null terminals do have a specialized purpose; but his word usage is not in keeping with the way that phrase is normally understood.

Revision as of 02:19, 19 November 2022

Account Problems
My password is just every Unicode codepoint concatenated into a single UTF-8 string.
Title text: My password is just every Unicode codepoint concatenated into a single UTF-8 string.

Explanation

Ambox notice.png This explanation may be incomplete or incorrect: Created by a VISIBLE ZERO WIDTH SPACE. Please change this comment when editing this page. Do NOT delete this tag too soon.
If you can address this issue, please edit the page! Thanks.
Cueball walks toward Ponytail carrying his laptop. Ponytail is sitting at her desk, and turns to face him. Having attempted to fix Cueball's computer problems before (e.g., 2083: Laptop Issues), she replies with dread. Cueball promises that "It's a normal problem this time", and Ponytail reluctantly agrees to look at it. Cueball then reveals that he has included a null string terminator character in one of his passwords, probably for a website. Ponytail responds in disbelief, and Cueball defends his actions by saying that the website told him to use special characters.

In computers, every "character" is a sequence of bytes. Every byte is a sequence of eight bits. A bit is always either a zero (0) or a one (1).

Every character is a sequence of bytes, but not every sequence of bytes is a valid character. For example, a JPEG image is also a sequence of bytes (much longer than a character). An MP3 audio file is also a sequence of bytes.

A null string terminator is a type of character called a control character. Unlike characters which are letters of the alphabet or numbers, control characters are not intended to be displayed on the screen, and are not intended to be typed on a keyboard; rather, they are used for internal purposes in the computer program. It is thus strange and hard to understand how Cueball was able to successfully insert such a character in his password, since there is no sequence of keys he could type that would result in a null terminator.

Null terminators are used in older, C-based languages to mark where a string ends. Every programming language has variables[citation needed], which are used to store data. In C, a primitive variable can store a small amount of data, such as an integer or boolean (true or false) value. Strings (which are a sequence of characters) often need to store much larger amounts of data; too much to fit in the memory space which is available for a primitive. To solve this, C uses a system called "pointers", in which the variable is an integer which refers to a memory location. When the string needs to be read or written, C looks up the memory location, and interprets the data as a series of characters. One problem is, because a string can be any length (big or small), C needs to know where to stop reading from memory. The null terminator is C's solution to this. When C encounters the null terminator, it knows it has reached the end of the string and stops reading. Therefore, it is important that the null terminator is not a normal character that can be typed on a keyboard.

This has implications for security. If users are able to add or remove null terminators at will, then they can exploit C's string reading mechanisms in order to read data in a way not intended by the software programmers. If a malicious user is successful in doing this, they may be able to intentionally cause security problems on the computer, such as infecting it with malware.

Cueball notes that his password contains a "special character", which is a typical requirement imposed on users. However, in most contexts, "special character" means an ordinary printable character, other than letters or numbers, that can be typed on a normal keyboard and seen on the screen. Cueball's use of "special" is technically true, as null terminals do have a specialized purpose; but his word usage is not in keeping with the way that phrase is normally understood.

Transcript

Ambox notice.png This transcript is incomplete. Please help editing it! Thanks.
[Cueball walks up to Ponytail.]
Cueball: Can you help me with my account?
Ponytail: Oh no.
Cueball: No no, I promise it's a normal problem this time.
Ponytail: Okay. Fine. What is it?
Cueball: I included a null string terminator as part of my password, and now I can't-
Ponytail: How?!
Cueball: They said to use special characters!


comment.png add a comment! ⋅ comment.png add a topic (use sparingly)! ⋅ Icons-mini-action refresh blue.gif refresh comments!

Discussion

What was going on with this page? Sarah the Pie(yes, the food) (talk) 00:58, 19 November 2022 (UTC)

Vandalism. I mentioned it on the Admin requests page. It's getting reverted back to normal pretty quickly when it happens, but it will probably keep happening until an admin bans the person doing it, or the person doing it gets bored and stops on their own. Equites (talk) 01:05, 19 November 2022 (UTC)

are two nazis actually in an edit war or is it just one person astroturfing --162.158.63.100 01:18, 19 November 2022 (UTC)

I'm trying to combat it, but I'll only be able to keep this up for around another 20 minutes or so. InfoManiac (talk) 01:21, 19 November 2022 (UTC)

Is TheusafBot ofline or something? Generally it handles this sort of stuff pretty well--Mapron01 (talk) 01:44, 19 November 2022 (UTC)
I'm pretty sure he is. Starstar (talk) 02:23, 19 November 2022 (UTC)

This reminds me of the time I used a character in my password that was the "stty kill" character for one workstation's default console terminal settings. I normally logged in via ssh, and occasionally logged in via xdm, but the time I tried logging in via the console, it really didn't like what was left of my password. 162.158.62.180 01:25, 19 November 2022 (UTC)

Ah, the good old days when ordinary printing characters were used for erase and kill. Barmar (talk) 01:43, 19 November 2022 (UTC)

Vandals are just looking for a fun time, generally. Solution: make it not a fun time for them. Revert their edits dryly, patiently, with no particular comment or anything. Eventually they will get bored and find something else to do. Or, perhaps they'll sit there vandalizing while we revert them, we dozens against probably just one vandal. But if you make your irritation clear, that's "fun" to them, and they'll keep at it with renewed vigour. 108.162.216.239 01:37, 19 November 2022 (UTC)

I accidentally used a backspace character in a username one time. It caused all sorts of problems with my account.

Also, I've never found the whole "The trolls will leave you alone if you don't move." thing to be effective. But I've never found anything else to be effective at universally adjusting behavior either. -Master Areth

I wrote most of the current page after the first paragraph. It's a fairly sloppy first draft that could probably use some editing. Anyone who can should feel free to clean it up. Especially since the page is now protected (I'm not complaining; it was necessary) and so I can't edit it any more. Equites (talk) 05:57, 19 November 2022 (UTC)

Hi Equites, I rewrote the explanation, hope that's okay. I removed the references to the security aspect because I didn't think it was relevant. (Also pinging FrankHightower.) --Hddqsb (talk) 07:59, 20 November 2022 (UTC)
The first paragraph seems a bit superfluous - it's basically just a description of the comic, so isn't really adding anything to the explanation. Also, I think the bit about Pascal could come out of the second para - it doesn't appear to be relevant to what's going on in the comic, so it could just skip to the bit about null terminators.172.70.91.54 16:46, 21 November 2022 (UTC)
I removed the most superfluous part from the first paragraph, and pared down the explanation of Pascal strings (diff). I didn't remove the first paragraph entirely because I think it provides important context and details which are implicit in the comic. And I think it's important to at least mention Pascal strings because that sets the scene for the explanation of C strings (which don't explicitly store the length). --Hddqsb (talk) 10:08, 22 November 2022 (UTC)

Seems to be another Tech issue comic, its a tech issue with Cueball talking to Megan and the tech issue is extremely cursed. Should we add this one?162.158.22.98 06:00, 19 November 2022 (UTC)

"since there is no sequence of keys he could type that would result in a null terminator" ... I can type a NULL (ASCII 00) just fine in my editor on Linux (ctrl-v ctrl-@, the latter I type as ctrl-shift-2). However, I am not quite sure how to phrase this in the explanation without sounding like "Áctually! ...." Henri

I am amused that both in the main text and in this comment something has converted the "at sign" into [email protected].

The title text is likely a reference to this reddit post. Pb (talk) 07:06, 19 November 2022 (UTC)

I don't think that's likely... --Hddqsb (talk) 08:50, 20 November 2022 (UTC)

The only thing is I'm pretty sure it's not terribly difficult to enter a null string character, you just have to know what it is. On a PC with a keyboard that has a number pad, you can press Alt-[Number] to enter special characters using their ASCII code (Alt-65 will get "A", Alt-8 is backspace or delete, I forget which but I think BS, etc. MIGHT need leading zeroes to be 3 digits). The 0 to 31 codes - 32 is space, starting the normal characters - tend to have all the special characters, I think null string is 0? NiceGuy1 (talk) 04:14, 20 November 2022 (UTC)

It is. And (with caveats, depending upon other issues and circumstances) Alt-numpad0 would give me the null-char wherever it's practical and not blocked (intentionally or just because it isn't specifically catered for).172.71.178.206 15:25, 20 November 2022 (UTC)
I know a sysadmin friend of mine had to help a user whose account name was "🦙" (The Llama unicode symbol) and he was on a computer where not all layers between the username field and the password authentication understood unicode. Examples like this will happen in real life. IIVQ (talk) 11:16, 21 November 2022 (UTC)
Were they Spanish, by any chance?172.70.90.173 16:49, 21 November 2022 (UTC)

As Cueball is showing and handing over his laptop, I don't think the issue is about a website account (where he could probably do a password reset), but his local account on the laptop, of which he is now locked out, and hopes Poneytail can break into it? ghen (talk) 18:28, 19 November 2022 (UTC)

Good point, updated to avoid referring to "website" specifically. (Another possibility is that it is the password for some installed application.) --Hddqsb (talk) 07:17, 20 November 2022 (UTC)

"Suppose a website's registration form allows the user's new password to have up to 20 characters, but due to a programmer error the login page only accepts passwords with up to 18 characters."
There are also cases where page or application is updated with the expectation that old user accounts will still be working, but updated page no longer accepts same characters (or number of characters) than the old one, locking some people out. -- Hkmaly (talk) 01:35, 20 November 2022 (UTC)

I know from experience that (at least one version of) Windows Server allows very long passwords and that the Windows Server installer will accept very long passwords when setting up the initial admin account, but that the installer silently truncates the password to a "normal" length when actually setting up said account. If you aren't aware of this (and you have a client that uses ridiculously long passwords), you can easily trick yourself into thinking you mistyped and locked yourself out, and have to reinstall. Once installed with a shorter password, it can be changed to whatever length you want.172.70.134.122 16:16, 21 November 2022 (UTC)

Concerning the password described in the title text. If the characters are used in the order they appear in the Unicode Table the password starts with the Null String Terminator and therefor you will essentially end up with an empty password if C or a programming language is used handling strings the same way. Kimmerin (talk) 12:51, 21 November 2022 (UTC)

Good point, added (snapshot). --Hddqsb (talk) 15:38, 21 November 2022 (UTC)

I've actually had this problem long ago; I used the @ sign as part of my password, and it didn't let me log in anymore. Some systems in the good old days (I think it was an FTP server) used the @ character to separate username and password when authenticating. Also, I am still running into this problem sometimes with usernames (emails) allowing "+" in the address on registration, but not when logging in. Pbb (talk)

The @-sign is used to separate authentication and hostname information in an URL, e.g. http://user:[email protected]:port/... Within an FTP-session it was commonly used in FTP-proxy scenarios, i.e. you've connected to an internal FTP-proxy-server providing username and hostname as username in the form [email protected] (similar to the syntax used for scp/sftp) and the password as is. An @-sign in the password in the latter shouldn't have any effect and within the URL an @-character would get URL-encoded not having an effect, either. URL-encoding might be the reason for the last problem, you've described leading to a space in the stored value on the server side. Kimmerin (talk) 15:50, 21 November 2022 (UTC)

A very similar situation happened when I was network manager at Moravian College back in the mid-‘90s. A user was unknowingly typing an ASCII 0 character as a “special” character for their password, and doing it as like the 4th character typed, so the rest of what they typed (which was about 8 more characters) was simply ignored, the system thought their password was just the first 3 characters, the user was none the wiser, until the day I implemented checks to require “strong” passwords that included a minimum length. The user came to me all huffy that their password *was* long enough, but they system was making them change it, but not accepting the change. I never ask users for their password, so diagnosing the problem took a few tries, I had to think to ask them to prepend 8 x’s to the front of their password, and when that worked then I understood the problem.

NULL was also a headache for me in the early 2000’s, working with Oracle web forms, and some weird interaction of software bugs between a particular version of Safari web browser, Apache web server, and Oracle somehow allowed the string “NULL” to get into the Oracle database, breaking the SQL Boolean function IS NULL. The kludge was to change the IF [string] IS NULL” test to be IF [string] IS NULL OR [string] = “NULL” (Unfortunately not the ugliest code I have ever written) John (talk) 12:40, 25 November 2022 (UTC)

Not with null-character, that I'm aware, but when our small company (with Novell-based networking, for fule-servers, printers and most asynchronous communications to the outside world via a somewhat proprietry email gateway over a dial-up) merged into a larger company (with NT servers, and the rest, and now tied directly into their worldwide-WAN by ISDN) there were various hiccoughs in making sure existing and extended infrastructure didn't have conflicting ideas of what was acceptible in the now unified logins. (Not to mention that our username system had been initial-based, but we were now needing formats based upon full names. We had to keep both continuity (for our own long term usage validation) and a migration (to integrate into theirs) and otherwise competent users who were big experts in their own field of data analysis often could not handle the technicalities of multiple/nested logins or the logistical fallout from having their initial login profiles 'remembering credentials'. The fuss it took, until we phased through a full migration (helped by some staff turnover) and relegated the much more competant Novell system to backup/archive servers only.
And then there was the printer that aperiodically 'broke' because the replacement Windows printserver was somehow unable to pass some particular control characters (not sure if null was ever amongst them) that were occasionally used as the daily-changing hashed output to 'sign' the printouts and thus prove their legacy/providence.
I got a great deal of experience with system migrations, from all that, but also a strong dislike of being pushed into them or things that aren't themselves 'broke' being 'fixed' by mandatory upgrades. 172.70.91.58 14:53, 25 November 2022 (UTC)