How does HN automatically remove your password if you type it as a comment?
This comment [1] suggests that if you type your password HN will remove it automatically. It appears this is correct, because in some places this person's comment is "-- removed --" while in others it contains "(removed automatically)".
How does this work? I'm assuming HN uses a hashed and salted password. Does this mean that HN compares every word you submit in a comment against your password to make sure you haven't typed it in your comment? It seems like that would be enormously computationally intensive.
Or, is this just a silly joke comment?
[1] https://news.ycombinator.com/reply?id=13066958&goto=item%3Fid%3D13065670%2313066958
11 comments
[ 3.0 ms ] story [ 35.8 ms ] threadhttp://bash.org/?244321
As you can see &u5Tjlo6@K76 passwords are displayed correctly (that password was changed within 1 sec after this comment was posted).
Yep all asterisks here! ;)
I remember someone from Runescape posting here. I would love to know how that worked.
"@$gsdg2$1sF" is definitely a password, so hide it
"horse" is dictionary so don't hide it
"my password is horse" is dictionary but in a pwd context, so hide it. Maybe look at phrases beforehand, like "what is pwd" .. "horse".
Actually I have no idea, seems like a hard but interesting problem.
----
Maybe they have password requirements (min chars/captials/numbers/special signs) that they can look at, that way they could easily identify all written passwords based on their regex and just hide it based on that. This would also remove all dictionary word passwords or context stuff I mentioned above.
This seems like an easy solution, hopefully there are no contexts where e.g. "Red$#123!" would be a word that is used apart from in a password one.
That seems unlikely.
If this were actually implemented, you could censor a word or phrase site wide simply by making it your password.
HN definitely doesn't, and no service should.
"I'm just a code [automatically removed]."