
How does HN automatically remove your password if you type it as a comment? - YPCrumble
This comment [1] suggests that if you type your password HN will remove it automatically. It appears this is correct, because in some places this person's comment is "-- removed --" while in others it contains "(removed automatically)".

How does this work? I'm assuming HN uses a hashed and salted password. Does this mean that HN compares every word you submit in a comment against your password to make sure you haven't typed it in your comment? It seems like that would be enormously computationally intensive.

Or, is this just a silly joke comment?

[1] https://news.ycombinator.com/reply?id=13066958&goto=item%3Fid%3D13065670%2313066958
======
Someone1234
Joke comment. It is related to the hunter2 IRC conversation from back in the
day:

[http://bash.org/?244321](http://bash.org/?244321)

As you can see &u5Tjlo6@K76 passwords are displayed correctly (that password
was changed within 1 sec after this comment was posted).

~~~
bbcbasic
1 second ... enough time to swear out loud too.

------
FT_intern
People used this trick so much in Runescape that passwords were actually
censored.

I remember someone from Runescape posting here. I would love to know how that
worked.

~~~
wingerlang
Maybe look at the hash of pwd against what is written, if it matches then remove
it. Perhaps don't do it if it is a dictionary word, and/or look at context
like.

"@$gsdg2$1sF" is definitely a password, so hide it

"horse" is dictionary so don't hide it

"my password is horse" is dictionary but in a pwd context, so hide it. Maybe
look at phrases beforehand, like "what is pwd" .. "horse".

Actually I have no idea, seems like a hard but interesting problem.

\----

Maybe they have password requirements (min chars/capitals/numbers/special
signs) that they can look at, that way they could easily identify all written
passwords based on their regex and just hide it based on that. This would also
remove all dictionary word passwords or context stuff I mentioned above.

This seems like an easy solution, hopefully there are no contexts where e.g.
"Red$#123!" would be a word that is used apart from in a password one.

~~~
pc86
> they could easily identify all written passwords based on their regex

That seems unlikely.

~~~
wingerlang
How come?

------
nkurz
I think your reasoning is correct: there is no efficient way to do this while
storing only a hashed password. Also, it would be out-of-character for the
minimalism of the site. I'd go with "joke", although I'm not sure whether it's
intended to be "silly" or "cruel".

------
kogir
I'd be willing to guess a fair number of users have dictionary words as
passwords. Some people don't care, or have throwaways, etc.

If this were actually implemented, you could censor a word or phrase site wide
simply by making it your password.

HN definitely doesn't, and no service should.

~~~
borplk
Yeah imagine how that would turn out.

"I'm just a code [automatically removed]."
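
The check the thread discusses, sketched as an added example (not HN's code and not written by any commenter): with salted hashes every word has to go through the slow hash once per account checked, and checking against every account lets one user's password censor a word for everyone. PBKDF2, the iteration count, the whitespace tokenizer, the account names and the sample comments are assumptions constructed for the demo.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 10_000  # assumed work factor, kept low so the demo runs quickly

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_account(password: str) -> tuple:
    """Return (salt, stored_hash) the way a salted password store would."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)

def redact(comment: str, accounts: dict) -> tuple:
    """Replace every token whose hash matches some account's stored hash.

    accounts maps username -> (salt, stored_hash).
    Returns (redacted_text, number_of_KDF_evaluations_spent).
    """
    kdf_calls = 0
    parts = re.split(r"(\s+)", comment)  # keep whitespace to rebuild the text
    for i, tok in enumerate(parts):
        if not tok or tok.isspace():
            continue
        # Per-account salts mean nothing can be precomputed or shared:
        # each token costs one slow hash for every account it is checked against.
        for salt, stored in accounts.values():
            kdf_calls += 1
            if hmac.compare_digest(hash_password(tok, salt), stored):
                parts[i] = "[removed]"
                break
    return "".join(parts), kdf_calls

def demo_author_only() -> tuple:
    # Constructed case: check only against the commenter's own hash.
    accounts = {"alice": make_account("hunter2")}
    return redact("my password is hunter2 ok", accounts)

def demo_sitewide() -> tuple:
    # Constructed case: a second user picked a dictionary word as a password,
    # so that word disappears from someone else's comment.
    accounts = {"alice": make_account("hunter2"), "bob": make_account("monkey")}
    return redact("just a code monkey", accounts)

if __name__ == "__main__":
    print(demo_author_only())
    print(demo_sitewide())
```

The call count grows as tokens times accounts, and a password containing a space would additionally require hashing every multi-word span of the comment.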

