Clickbait title much? This basically has nothing at all to do with reddit. You could replace the word reddit with Facebook in this article and it would be exactly the same.<p>That being said, it was pretty clever to take advantage of an enumeration attack on another service that wasn't protecting against enumeration attacks on the feature because frankly, why would they?
This sort of challenge comes up in CTFs quite often. Here's a writeup of one from PicoCTF 2017 (not mine): <a href="https://github.com/Caesurus/PicoCTF2017/tree/master/l3_noeyes" rel="nofollow">https://github.com/Caesurus/PicoCTF2017/tree/master/l3_noeye...</a>
Working link: <a href="https://medium.freecodecamp.com/the-time-i-had-to-crack-my-own-reddit-password-a6077c0a13b4" rel="nofollow">https://medium.freecodecamp.com/the-time-i-had-to-crack-my-o...</a>
Perhaps because I'm new to this stuff, I enjoyed the writeup. I wonder if I'm out of place expecting a single run-through of a-z 0-9 to determine the range of chars present in the password?<p>It turns out (due to repeated chars) to only have 14 unique chars. This single run-through would have reduced the alphabet size (A, in the article) from 36 to 14. The 432 iterations become 168.<p>I'm sure there are other optimisations I'm missing!
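The one-pass alphabet reduction suggested in the comment above, as an added example that is not from the article or from any commenter: it counts queries against a local in-memory stand-in for a yes/no substring search, with and without the 36-probe pre-pass. The `Oracle` class, its substring-match behaviour and the sample secret are assumptions constructed for illustration.

```python
import string

ALPHABET = string.ascii_lowercase + string.digits  # the 36 symbols a-z, 0-9

class Oracle:
    """Local stand-in for a yes/no substring search; counts every query."""
    def __init__(self, secret):
        self._secret = secret
        self.queries = 0

    def contains(self, probe):
        self.queries += 1
        return probe in self._secret

def recover(oracle, alphabet):
    """Grow a known substring to the right, then to the left, one symbol at a time."""
    known = ""
    for side in ("right", "left"):
        grew = True
        while grew:
            grew = False
            for ch in alphabet:
                probe = known + ch if side == "right" else ch + known
                if oracle.contains(probe):
                    known, grew = probe, True
                    break
    return known

def run(secret, prefilter):
    """Return (recovered value, total queries), optionally with the one-pass filter."""
    oracle = Oracle(secret)
    alphabet = ALPHABET
    if prefilter:
        # One pass over all 36 symbols keeps only those that occur at all.
        alphabet = "".join(ch for ch in ALPHABET if oracle.contains(ch))
    return recover(oracle, alphabet), oracle.queries

SECRET = "zz9zy9xzz9yx"  # constructed sample, not a value from the article

if __name__ == "__main__":
    for prefilter in (False, True):
        value, queries = run(SECRET, prefilter)
        print(f"prefilter={prefilter}: recovered={value == SECRET} queries={queries}")
```

The totals include the 36 queries of the pre-pass itself and the failed probes that mark each end of the string.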
It seems like an interesting complication here comes from the subject line. I idly wonder how to handle the case where the subject line had been much larger and had much overlap with the password.