Hacking (Old) Hacker News: Fun with Weak Passwords and Arc

When I was conducting my cloud password security research, I also looked at Hacker News. It's not a cloud application, but it does have pretty common password security qualities. It's also interesting because it's written in Arc (a Lisp dialect) and the code is available (for the old version from 2009).

When you create a Hacker News account you can create passwords which are 4 characters long without any restrictions on the password complexity. This means that you can have a password that looks like 0000 or 1111. Sure, not everybody will use passwords like that, but there's a good chance that quite a few users will have pretty simple passwords. Even technical people are still people; people choose the easiest possible passwords (when they can), making it easy to conduct online password attacks.

What's interesting is that when you change your password, you are required to have at least 8 characters (still without any complexity requirements). The Arc source code shows that the length requirement used to be 4 characters. Time to look at the code to see what else might be there...
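The gap between the signup rule (4 characters) and the change-password rule (8 characters) is policy drift between two code paths. The sketch below is an added example in Python, not code from Hacker News or the Arc source: it routes both paths through one validator. The triviality checks, function names and sample passwords are assumptions made for illustration.

```python
import string

# Mirrors the 8-character change-password rule described above.
MIN_LENGTH = 8
# Assumed set of "simple runs"; not taken from the Hacker News code.
_RUNS = (string.digits, string.ascii_lowercase,
         "qwertyuiop", "asdfghjkl", "zxcvbnm")

def is_trivial(pw):
    """True for one repeated character or a run such as 1234 / abcd / 4321."""
    low = pw.lower()
    if len(set(low)) == 1:
        return True
    return any(low in run or low in run[::-1] for run in _RUNS)

def legacy_signup_ok(pw):
    """The account-creation rule the post describes: length >= 4, nothing else."""
    return len(pw) >= 4

def policy_errors(pw):
    """Reasons a password is rejected; an empty list means it is accepted."""
    errors = []
    if len(pw) < MIN_LENGTH:
        errors.append("shorter than %d characters" % MIN_LENGTH)
    if is_trivial(pw):
        errors.append("repeated character or simple sequence")
    return errors

# Both entry points call the same function, so the rules cannot diverge.
def signup_ok(pw):
    return not policy_errors(pw)

def change_ok(pw):
    return not policy_errors(pw)

# Constructed sample passwords (0000 and 1111 are the post's own examples).
SAMPLES = ["0000", "1111", "abcd", "11111111", "12345678",
           "correct horse battery"]

def audit(samples=SAMPLES):
    """Passwords the legacy signup rule accepts but the shared policy rejects."""
    return [pw for pw in samples if legacy_signup_ok(pw) and not signup_ok(pw)]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(repr(pw), "legacy:", legacy_signup_ok(pw),
              "errors:", policy_errors(pw))
```

Note that "11111111" and "12345678" satisfy an 8-character minimum on their own, which is why the length check is paired with a triviality check here.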

Here's the login code from app.arc:

(def good-login (user pw ip)
		  (let record (list (seconds)