by jedberg 3343 days ago
Clickbait title much? This basically has nothing at all to do with reddit. You could replace the word reddit with Facebook in this article and it would be exactly the same.

That being said, it was pretty clever to take advantage of an enumeration attack on another service that wasn't protecting against enumeration attacks on the feature because frankly, why would they?


> clickbait title

No. I went in expecting it to be about a guy who lost his own password to Reddit and had to crack it.

Spoiler: That's what the article was about.

Your expectations were low then. I expected an article about a guy who lost his reddit password and used the features of the reddit website to crack it.

This article, while interesting, is really just about general password cracking.

I didn't expect it to be a great article; it was OK, just a pretty reasonable title. On a scale from 1 to HuffPo it was a 4 for clickbait.
He hardly cracked his password. He played Hangman. I would hope there's no service out there that lets you guess passwords like this.

"Is there an F in your password? Yes, you have one F, now guess again..."

> I would hope there's no service out there that lets you guess passwords like this.

Technically he didn't guess the password to any specific service, he just happened to have stored his own Reddit password in plaintext as the body of a draft email. The email service allows you to search within the body even if your message is "hidden" from their interface. At worst, he MacGyvered a feature of their service to recover a string he couldn't remember.

This was a coding exercise, nothing more. If he had stored his Reddit password in some obfuscated/encrypted format behind another password-protected service, he likely would not have pulled off this stunt.

It was a "recovery" and not a crack: if you store your password somewhere and lose direct access to it, it's not really cracking when you guess.

But to get on topic: This was one of my favorite ways of recovering passwords when I had a blind SQL injection somewhere. I wrote a nice Perl script that brute forced (yes, the guy in the article also brute forced) the field through the SQL substr command. Happy, simpler times :)
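Both stunts in this thread, the search-box "Hangman" against the email service and the blind-SQLi substr loop, are the same thing from a defender's point of view: a client walking an oracle one character at a time. The following is an added example, not code from the thread, the article or any service mentioned; it shows how that pattern looks in an access log and a small detector for it. The log format, the `/search?q=` endpoint, the `pw` column name and the client addresses are all constructed for the example.

```python
"""Detect character-at-a-time oracle probing in web access logs.

Added example (not from the thread or the article). Two signals:
  1. one client issuing a run of search terms that each extend the previous
     term by exactly one character (the "Hangman" walk described above);
  2. SQL substring functions inside a query string, the shape of a blind
     SQL injection substr oracle.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed log format: "<ip> [<hh:mm:ss>] <METHOD> <url>"
LINE_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>\d\d:\d\d:\d\d)\] (?P<method>[A-Z]+) (?P<url>\S+)$')
# Minimal WAF-style signature for substring oracles (assumption: good enough for a demo)
SQL_ORACLE_RE = re.compile(r'\b(substr|substring)\s*\(', re.IGNORECASE)

# Constructed sample traffic: 10.0.0.5 walks the search oracle letter by
# letter, 10.0.0.9 is ordinary use, 10.0.0.7 sends substr probes.
SAMPLE_LOG = """\
10.0.0.5 [12:00:01] GET /search?q=h
10.0.0.5 [12:00:02] GET /search?q=hu
10.0.0.5 [12:00:03] GET /search?q=hun
10.0.0.5 [12:00:04] GET /search?q=hunt
10.0.0.5 [12:00:05] GET /search?q=hunte
10.0.0.5 [12:00:06] GET /search?q=hunter
10.0.0.9 [12:00:07] GET /search?q=vacation+photos
10.0.0.9 [12:00:20] GET /search?q=invoice+march
10.0.0.7 [12:01:00] GET /item?id=1'+AND+SUBSTR(pw,1,1)='a'--
10.0.0.7 [12:01:01] GET /item?id=1'+AND+SUBSTR(pw,1,1)='b'--
"""


def parse_log(text):
    """Return (ip, timestamp, url) tuples for every well-formed line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m['ip'], m['ts'], m['url']))
    return events


def search_term(url):
    """Extract the q= parameter of a /search request, or None for other paths."""
    parts = urlsplit(url)
    if parts.path != '/search':
        return None
    values = parse_qs(parts.query).get('q')
    return values[0] if values else None


def longest_prefix_walk(terms):
    """Length of the longest run where each term is the previous term plus one character."""
    best = run = 1 if terms else 0
    for prev, cur in zip(terms, terms[1:]):
        if len(cur) == len(prev) + 1 and cur.startswith(prev):
            run += 1
        else:
            run = 1
        best = max(best, run)
    return best


def find_oracle_probing(text, min_run=4):
    """Map client ip -> findings for clients that look like they are probing an oracle."""
    per_client = defaultdict(list)   # ip -> ordered search terms
    findings = defaultdict(dict)     # ip -> {'prefix_walk': n, 'sql_oracle_hits': n}
    for ip, _ts, url in parse_log(text):
        term = search_term(url)
        if term is not None:
            per_client[ip].append(term)
        # Decode +/%xx before matching so encoding does not hide the function name
        if SQL_ORACLE_RE.search(unquote_plus(url)):
            findings[ip]['sql_oracle_hits'] = findings[ip].get('sql_oracle_hits', 0) + 1
    for ip, terms in per_client.items():
        run = longest_prefix_walk(terms)
        if run >= min_run:
            findings[ip]['prefix_walk'] = run
    return dict(findings)


if __name__ == '__main__':
    for ip, info in find_oracle_probing(SAMPLE_LOG).items():
        print(ip, info)
```

The prefix-walk signal is the more interesting one: it needs no payload signature, only the observation that a legitimate user almost never submits six searches that grow by one character each, while a guess-one-letter-at-a-time recovery cannot avoid doing exactly that. The usual responses are per-client rate limiting on the search endpoint and, for the SQL side, parameterised queries so there is no injection for a substr loop to drive.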

Uh. No.

The article is a subversive ad for http://lettermelater.com and little more.