• domukun367 (unregistered)

    First ever post is a fist post!

    The _moment_ you enter an incorrect character, the error "Incorrect Password!" will be set, and the _moment_ you type the complete text into the password box, you are logged in.

    It seems that it would be much simpler to simply wait until the user presses enter / OK / whatever to submit the username / password, and then just compare the two strings... I know C# is a silly language, but surely it has string comparisons built in!
     

  • anon (unregistered)

    please fix the "=3D" microcruft

  • J. (unregistered) in reply to anon

    Except the obvious please-guess-my-password code, what about comparing hashes maybe?

  • Why? (unregistered) in reply to J.

     

    <font face="Times New Roman" size="3">Doesn't SQL Server already have a perfectly good authentication system? Have a table which contains unhashed passwords which presumably anyone who has a tool like Query Analyser installed can query is pretty nasty...</font>

  • noname (unregistered)

    Unless I'm missing something about the way .Net works Chirs is one heck of a nice guy. 

    I would have just dropped all the tables, or at least changed his passwords to something questioning his parentage.

  • Ged (unregistered) in reply to domukun367
    Anonymous:

    First ever post is a fist post!

    The _moment_ you enter an incorrect character, the error "Incorrect Password!" will be set, and the _moment_ you type the complete text into the password box, you are logged in.

    It seems that it would be much simpler to simply wait until the user presses enter / OK / whatever to submit the username / password, and then just compare the two strings... I know C# is a silly language, but surely it has string comparisons built in!

    Well DUH!  Wonder why this ended up in the daily wtf in the first place...?

  • (cs)

    Tim Gallagher:

    sb.Append("SELECT Passwd FROM [Users] WHERE Username='");
    sb.Append(this.txtUsername.Text + "'");
    

    It's also vulnerable to SQL Injection Attacks!

  • Robert Watkins (unregistered)

    Ignoring the obvious problem of a system which makes it trivial to bust the password... WHY is it doing the SQL query to get the list of passwords on every keypress?

  • IMil (unregistered)

    My favourite username is " '; DROP DATABASE; -- "

  • (cs) in reply to Ged
    Anonymous:

    Well DUH!  Wonder why this ended up in the daily wtf in the first place...?

    Because it's possible to brute force the password in (n*26)/2 guesses as implemented instead of (n^26)/2 guesses using the normal way. (well, maybe not 26, but you get the idea.)

    For an 8 character password, that's 65 guesses vs 11881376 guesses.
     

  • (cs) in reply to ikegami

    This is pretty much what I would have expected from someone studying computer science anyway. Those retards(mostly) have no clue.

    This isn't a code snippet, it qualifies as a front page story.

  • (cs)

    Here's an even bigger WTF (appart from the =3D wtfs):

    (Relevant parts emphasized)

    Tim Gallagher:
    private void txtHostname_KeyPress(object sender, KeyPressEventArgs e)

    {

    StringBuilder sb = new StringBuilder();

    sb.Append("SELECT Passwd FROM [Users] WHERE Username='");

    sb.Append(this.txtUsername.Text + "'");



    String password = GetPassword(sb.ToString());



    for (int i = 0; i < (sender as TextBox).Text.Length; i++)

    {

    if (password[i] == (sender as TextBox).Text[i])

    {

    this.lblError.Text = "";

    }

    else

    {

    this.lblError.Text = "Incorrect Password!";

    }



    if (i == (sender as TextBox).Text.Length)

    {

    if (password[i] == (sender as TextBox).Text[i])

    {

    LogUserIn(this.txtUsername.Text);

    }

    }

    }

    }

    You will never successfully login (i can't be < length and == it at the same time).

    Also WTF: the "incorrect password" notice will only reflect the last character typed, since the coder forgot to break/return out of the loop...

    (edit: even if you got into that part, both password[i] and .Text[i] will barf on indexing a nonexistant character)

  • (cs) in reply to DaBookshah

    DaBookshah:
    This is pretty much what I would have expected from someone studying computer science anyway. Those retards(mostly) have no clue.

     I'm a CS Student myself but I really have to agree. Those that enter Computer Science without previous programming knowledge pretty much turn out to be the worst possible coders. I'm seriously glad to have learned C, x86 assembler, and several other things prior to enrolling.

  • nixen (unregistered)

    Apart from the 3D thingies, this is so completely moronic that I have to call BS on it... who could ever, possibly, get the idea to postback a page between every single keystroke? You'd have to wait a second or two between every key you press..

  • Jean Pierre (unregistered)

    This piece of code is a shame for everyone who has a BSc in CS. I *really* hope Christopher's friend failed in his CS tests when he writes such kind of code. I know that learning to write code is not easy and that you do not write perfect code in the first place (heck, I don't dare to look at the source codes of my first programmes I wrote years ago). But there are so many good books out there explaining the dos and don'ts...

    On the other hand: with this perfect knowledge of programming he still might become a consultant or a manager...

     

  • (cs) in reply to nixen

    Anonymous:
    who could ever, possibly, get the idea to postback a page between every single keystroke?

    Just a wild guess, but maybe someone with little, if any, programming experience.  Like say, maybe someone "who is attending an upstanding college to get his Bachelors of Science in Computer Science".

  • (cs) in reply to nixen
    Anonymous:
    Apart from the 3D thingies, this is so completely moronic that I have to call BS on it... who could ever, possibly, get the idea to postback a page between every single keystroke? You'd have to wait a second or two between every key you press..

    You're talking about a world where banks consider case-insensitive, fixed length passwords secure just because they make you include a number. And.... A system we use in our school uses passwords but no usernames... You can log in, go to the password change page and start changing your password until you get a "this password is already in use" error.

    I don't blame the guy in this WTF for writing it that way... Assuming he never got taught about security and why to not trust users.

  • (cs) in reply to tin

    Anonymous:
    This piece of code is a shame for everyone who has a BSc in CS

    Again, if he already had his BS, then the real WTF is that he's getting it again.

  • (cs) in reply to nixen
    Anonymous:
    Apart from the 3D thingies, this is so completely moronic that I have to call BS on it... who could ever, possibly, get the idea to postback a page between every single keystroke? You'd have to wait a second or two between every key you press..
    There is a hint in the article: "He wanted me to test out his new login system that he had written in C#, using SQL Server. I agreed and he sent me his app."
    I imagine then that this is a winforms app, not webforms (ie, doesn't require postback, doesn't have 'a page').  You wouldn't be likely to send a webforms app - just the url to it.
    B.
  • (cs) in reply to ikegami
    ikegami:

    Tim Gallagher:

    sb.Append("SELECT Passwd FROM [Users] WHERE Username='");
    sb.Append(this.txtUsername.Text + "'");

    It's also vulnerable to SQL Injection Attacks!

    No because it will throw a incorrect password message before you can type the sql :)

    Maybe copy paste will do the trick? 

  • Eam (unregistered)
    Tim Gallagher:
       sb.Append(this.txtUsername.Text + "'");

     Brings a tear to my eye

     

    --

    Captcha: Completely Automated Public Turing Test To Tell Computers And Humans Apart

  • anonymous (unregistered) in reply to nixen

    s/=3d/=/g; #Quote printable off

  • Conor (unregistered) in reply to aquanight
    aquanight:

    You will never successfully login (i can't be < length and == it at the same time).


    The comparison is not "less than" but "less than or equal to" so it can match "equal to" later  on.  

    There no other way to learn than to write dodgy code, this post might have just saved a programmer. The mission of CodeSOD is to create great programmers by poking them with a stick.
  • some moron (unregistered)

    I like this. It's good, tactile code that's quite obviously aimed at improving user experience. The trouble with password fields is that you can never actually see what you are typing, and this can lead to a lot of mistakes. I've always thought that if I could design a better password field, it would work something like this. Think of the time I would save on Monday mornings if it actually told me when my shaky hands were malfunctioning more than normal when I'm trying to login.

     

  • Dave (unregistered) in reply to Eam
    Anonymous:
    Tim Gallagher:
       sb.Append(this.txtUsername.Text + "'");

     Brings a tear to my eye

     

    --

    Captcha: Completely Automated Public Turing Test To Tell Computers And Humans Apart

     

    Love it, combine string concatenation with a StringBuilder in the same line of code :)

  • Dave (unregistered) in reply to Dave

    And why compare the password with the input string byte by byte - .NET has a plethora of string compare methods? A little knowledge is very dangerous

  • (cs)
    You've gotta love crap like this;
    • He's reinventing the wheel by rolling his own string comparison
    • Repeated casting of sender to TextBox via as - cast the object, test it and store it
    • As others have pointed out, it's also open to SQL injection attacks

    all in 28 lines of code. Genius!

     

  • Dave (unregistered) in reply to IceFreak2000
    IceFreak2000:
    You've gotta love crap like this;
    • He's reinventing the wheel by rolling his own string comparison

     

    I thin that's the "anti-pattern" known as "reinventing the square wheel" :)

  • (cs) in reply to zamies
    zamies:
    ikegami:

    Tim Gallagher:

    sb.Append("SELECT Passwd FROM [Users] WHERE Username='");
    sb.Append(this.txtUsername.Text + "'");

    It's also vulnerable to SQL Injection Attacks!

    No because it will throw a incorrect password message before you can type the sql :)

    Maybe copy paste will do the trick? 

    Certainly it'll show an incorrect password message, but there's nothing to stop you adding to the TextBox. 

  • c-hash (unregistered)

    StringBuilder sb =3D new StringBuilder();

    What on earth is a 3d  StringBuilder() ? does it build 3d strings?

    That Microsoft -- they certainly innovate! 

     

  • (cs)

    Oh dear lord, I've missed the most obvious WTF about this code;

    You only need to get the last character of the password correct for it to validate you; if the password is set to "password" and the user typed in "*******d" the code will validate. Yes, it'll display an incorrect password message, but it'll still log you in.

    if (i == (sender as TextBox).Text.Length)
    {
    if (password[i] == (sender as TextBox).Text[i])
    {
    LogUserIn(this.txtUsername.Text);
    }
    }
     

     

  • (cs)

    The real WTF is that this should have been implemented using AJAX techniques...

     

     

  • (cs) in reply to anon

    Anonymous:
    please fix the "=3D" microcruft

    Anonymous:

    StringBuilder sb =3D new StringBuilder();

    What on earth is a 3d  StringBuilder() ? does it build 3d strings?

    That Microsoft -- they certainly innovate! 

     

    You guys have never browsed usenet and/or mailing lists and seen what broken mail clients do to quoted printable mime encodings? It has nothing to do with Microsoft whatsoever. lol. ( = escapes a newline, enabling long-line support in standard email, check RFC 1521.) Always fun trying to read archives of a mailing list with half the posts randomly broken.

  • (cs) in reply to spacedman
    spacedman:

    The real WTF is that this should have been implemented using AJAX techniques...

     

     

    Since this is obviously a standard gui app, not a web app, that would double the fun instantly. Why do something as silly as open the database directly, when you can xmlify your sql injection with a random chunk of jscript.net plopped in the middle of your C# and dynamically executed. =D 

  • cyphax (unregistered)

    It is creative, gotta give him that. I guess it's good that he let someone else test it first.

    It reminds me a little of the login procedure of one of our products, where a user is in an account. Two different accounts can contain two users with the same name, no problem. It would be annoying tho, if those two users accidentally have the same password, of course. My boss thought out loud "we could of course give the user a notification: 'sorry, this combination of username and password is already taken'". We decided that wouldn't be a great idea, but we did get a good laugh out of the suggestion.

    Auto-suggest for login procedures is never a good idea. The less someone knows about existing accounts, the better.
     

  • Anon (unregistered) in reply to aquanight
    aquanight:

    You will never successfully login (i can't be < length and == it at the same time).

    Actually, doing:

     for( i=0; i<n; i++ ) blah();

     
    Will call blah n times and on exit i will == n, because the increment and test is done at the end of the loop, so after the loop where i==n-1, i is incremented, and because i now equals n, it drops out of the loop.

     

  • (cs) in reply to Anon

    Yeah, now what's the bet that that was pure luck on the coder's side. :P

  • (cs)

    I've learned to give the user immediately feedback if he is doing something wrong before he submits the data. This guy takes it to a new level! I wonder what went through his mind when he came up with this

  • alunharford (unregistered)

    What's wrong with all of you?

    The wtf is that this ended up on the daily wtf.

    Shock news: Somebody studying for a BSc, with (presumably) no security knowledge, or training, and little experience of coding generally, writes crap security code.

  • mustache (unregistered) in reply to arke
    arke:

    DaBookshah:
    This is pretty much what I would have expected from someone studying computer science anyway. Those retards(mostly) have no clue.

     I'm a CS Student myself but I really have to agree. Those that enter Computer Science without previous programming knowledge pretty much turn out to be the worst possible coders. I'm seriously glad to have learned C, x86 assembler, and several other things prior to enrolling.

     

    And as a computer science student, you'll know that computer science isn't really about programming.

  • captcha (unregistered) in reply to Jean Pierre
    Anonymous:
    This piece of code is a shame for everyone who has a BSc in CS. I *really* hope Christopher's friend failed in his CS tests when he writes such kind of code.

     Thing is, it takes students time to learn,  which is generally one reason they go to college.  If they already coded perfectly before they went, what would be the point?  The flashy certificate and the DVD of the graduation ceremony?

    I don't hope he fails.  I hope he learns from this and doesn't do it again. 

     

     

  • (cs) in reply to kiriran

    I hope some of the posters on this thread never become teachers.   He needs encouragement not insults.  Yes the guy got a lot of things wrong.  That's because he didn't know better.  Good on him for going out and trying to learn how to do it right.  Better yet, he went to his friend to get him to test the work. 

     Who would you rather have working for you - this guy, once he's got his degree, or Paula?

  • (cs) in reply to IceFreak2000
    IceFreak2000:
    zamies:
    ikegami:

    Tim Gallagher:

    sb.Append("SELECT Passwd FROM [Users] WHERE Username='");
    sb.Append(this.txtUsername.Text + "'");

    It's also vulnerable to SQL Injection Attacks!

    No because it will throw a incorrect password message before you can type the sql :)

    Maybe copy paste will do the trick? 

    Certainly it'll show an incorrect password message, but there's nothing to stop you adding to the TextBox. 

     

    I'm totally screwed here the SQL injection is possible in the username, which has no checking whatsoever...

     

     

  • (cs) in reply to Anon
    Anonymous:
    aquanight:

    You will never successfully login (i can't be < length and == it at the same time).

    Actually, doing:

     for( i=0; i<n; i++ ) blah();

     
    Will call blah n times and on exit i will == n, because the increment and test is done at the end of the loop, so after the loop where i==n-1, i is incremented, and because i now equals n, it drops out of the loop.

     

    yesz but count the brackets it's inside the for loop! Possibly this is an obfuscation error.

    If the last check is outside the for loop it is true, and you only have to have the last char right to login!

    The login method is yet another WTF. 

     

     

  • Mr. Sparkle (unregistered)

    What is the deal with the =3D things?

    If this was a WebApp (And he was using ASP.NET 2.0), it'd be pretty foolish anyway to build such a thing yourself when there's a perfectly good membership provider for that sort of thing.

    But as stated above, I doubt this is a webapp anyway. The many postbacks would have been a clue even to the guy writing it. This must be a winforms app. Which still makes it foolish, from a security standpoint, to let the user know exactly when he's on the right path towards guessing the password.

     CAPTCHA: clueless.

  • (cs) in reply to some moron
    Anonymous:

    I like this. It's good, tactile code that's quite obviously aimed at improving user experience. The trouble with password fields is that you can never actually see what you are typing, and this can lead to a lot of mistakes. I've always thought that if I could design a better password field, it would work something like this. Think of the time I would save on Monday mornings if it actually told me when my shaky hands were malfunctioning more than normal when I'm trying to login.

     

    I know you were joking, but Windows Mobile 5.0 appears to have done this. Each character you type into a password field is briefly displayed before it changes to a masked character. Handy with those tiny little keyboards. 

  • Mr. Sparkle (unregistered) in reply to Mr. Sparkle

    Never mind about the =3D things. Thanks, foxy. I knew that wasn't a C# operator, but I was wondering what sort of encoding error would cause it.

    The real WTFs here are the people badmouthing a student for not knowing the things he's going to school for, and the people who just don't know any better badmouthing Microsoft for writing a language that supposedly uses the =3D operator.

  • (cs) in reply to alunharford
    Anonymous:

    What's wrong with all of you?

    The wtf is that this ended up on the daily wtf.

    Shock news: Somebody studying for a BSc, with (presumably) no security knowledge, or training, and little experience of coding generally, writes crap security code.

    If only he had Symantec's Enterprise Security software : )
     

  • Gareth Martin (unregistered)

    This reminds me of my high-school's old "Personal Review" database. The name might not be right, but basically the idea was that the students and teachers both comment on the student's progress over the year. The school used to print out templates and write on them, but someone decided to computerise the lot. Unfortunately the school had one of the world's worst IT people do it, so they ended up with the following:

    It was built in some database software that I forget the name of, that allowed multiple simultaneous network logins to the same database. There were only a few passwords (no usernames), two of which were "student" and "staff" (guess which one we were given and which one we guessed). The different users defined the permissions for viewing or editing different database fields and different forms. So the students could see but not edit the teacher's comments, etc.

    The clever part was the way they made it so you could only open your own report (considering all the students loggen in to the database with the same "student" login): After passing through the real database login you were presented with the "login" form, which was a standard MS-Access-style for with a pair of text boxes (for username and password). IIRC these matched our computer logins. Unfortunately, this "login" form only worked because it automatically entered SEARCH(exact) mode when it was opened. Pressing login performed the search and redirected you to the form where you could edit your record. If you used the menu to cancel the search you could browse the entire database at will, getting anyone's username and password, and editing their personal review...

    Couple that with the "staff" db login, you could tell the other students what the teacher really thought about them. (insert evil grin smile here)

  • (cs) in reply to mustache
    Anonymous:
    arke:

    DaBookshah:
    This is pretty much what I would have expected from someone studying computer science anyway. Those retards(mostly) have no clue.

     I'm a CS Student myself but I really have to agree. Those that enter Computer Science without previous programming knowledge pretty much turn out to be the worst possible coders. I'm seriously glad to have learned C, x86 assembler, and several other things prior to enrolling.

     

    And as a computer science student, you'll know that computer science isn't really about programming.

     

    Exactly - that's why they have Software Engineering, though I imagine they have changed quite a bit since my day. 

Leave a comment on “Passwords! Get Your Free Passwords Here!”

Log In or post as a guest

Replying to comment #103927:

« Return to Article