• adasd (unregistered)

    fist!

  • Joe (unregistered)

    Why doesnt anyone scream Second!!

  • (cs) in reply to adasd

    secondist!

  • (cs)

    They probably thought that it was more efficient than actually doing a select to check for existing passwords, adn then doing an update

    Oh, wait a minute, this means that you can't have the same password for two different users? I was expecting a message like "User XXXX is already using this password" :)

    Oh, and I was the one doing the "fist!" first reply today. I just saw "0 replies" and I had to do it.... I had no time to login. I just typed something on the name field so it wouldn't complain

  • (cs)

    Sweet , I know the password.  What's the username?

  • (cs)

    The real WTF is that the error message does not include the account name with the already existing password, so the user has no easy possibilty to verify the correctnes of the error message.


    ;-)

  • (cs) in reply to ammoQ
    ammoQ:
    The real WTF is that the error message does not include the account name with the already existing password, so the user has no easy possibilty to verify the correctnes of the error message.


    ;-)


    Ooops, I'm obviously too slow
  • only lamers claim first (unregistered) in reply to Enric Naval

    doing the whole fist thing is stupid.

  • JR (unregistered)
    Alex Papadimoulis:
    <FONT color=#000099>if</FONT> (errMsg.indexOf(<FONT color=#990000>"Violation of UNIQUE KEY constraint 'UQ__mbrs_pwd'"</FONT>) != -1)
      <FONT color=#000099>return</FONT> <FONT color=#990000>"The password entered is already in use. Please enter another."</FONT>;

    He should have said:

    <FONT color=#000099>if</FONT> (errMsg.Contains(<FONT color=#990000>"Violation of UNIQUE KEY constraint 'UQ__mbrs_pwd'"</FONT>))

      <FONT color=#000099>return</FONT> <FONT color=#990000>"The password entered is already in use by " + username + ". Please enter another, or have them change their password now."</FONT>;

    Some people...

     

  • (cs)

    Hmmmm boy doesn't that make a hackers life easier.

  • (cs)
    <font color="#000099">if</font> (errMsg.indexOf(<font color="#990000">"Violation of UNIQUE KEY constraint 'UQ__mbrs_pwd'"</font>) != -1)
      <font color="#000099">return</font> <font color="#990000">"The password entered is already in use. Please enter another."</font>;
    debug.writeLn("User " + user +
       " successfully set password to '" + password + "'.");
  • (cs) in reply to HatTrick
    HatTrick:
    Hmmmm boy doesn't that make a hackers life easier.


    It's not really an issue, because the hacker still doesn't know which user name goes with the password!


  • (cs) in reply to HatTrick

    Yeah, I mean obfuscation, DUH!
    "We won't tell you why we don't like that password, but we strongly suggest you choose another one."

  • (cs)

    Also, what about depending on the comparison of the error message to a hard-coded stirng? Of course, if the error message changed, thus breaking the function, everyone would be better off...

  • Paul (unregistered) in reply to Jojosh_the_Pi

    But now you have the private half of the puzzle, finding the more public half (the username) will be easier. In addition, the password may be a clue as to what the username is. This is a good WTF.

  • (cs)
    Alex Papadimoulis:

     ... while blindfolded with your feet



    WTF? ;-)
  • (cs) in reply to Enric Naval
    Enric Naval:

    Oh, and I was the one doing the "fist!" first reply today. I just saw "0 replies" and I had to do it.... I had no time to login. I just typed something on the name field so it wouldn't complain


    The real WTF here is that some ass-hat would actually fess up to that.  (And not just admit it, but want to claim it as an honor!)
  • (cs)

    A database vendor adds whitespace/colon/period to the format of an error message and the entire application goes down the toilet.  Brillant!


  • BtM (unregistered)

    Why is there a unique constraint on passwords?  Surely they're not being used as keys anywhere, are they?  If so, doesn't that cause problems when the user changes their password?  Never mind the security implications...

    I sense layers of WTFery beneath this snippet.

  • agent86 (unregistered) in reply to Paul
    Anonymous:
    But now you have the private half of the puzzle, finding the more public half (the username) will be easier. In addition, the password may be a clue as to what the username is. This is a good WTF.


    It seems to me that if the user is permitted to choose both the username AND the password, there is no guaranteed way to ensure uniqueness, without tipping the hand.

    I guess that's why Banks use account numbers, and my Hotmail account was something like JoeBlow753

    Captcha = image, random
  • (cs)
    Alex Papadimoulis:
    <font color="#000099">if</font> (errMsg.indexOf(<font color="#990000">"Violation of UNIQUE KEY constraint 'UQ__mbrs_pwd'"</font>) != -1)
      <font color="#000099">return</font> <font color="#990000">"The password entered is already in use. Please enter another."</font>;


    It's funny.. when I read this, I thought the wtf was the first line, determining what kind of error you have based on an error message rather than some kind of error code (what happens when they sell a customer running their database in German?).  I totally didn't catch the much bigger WTF of what the error message was saying.

    Aside from that, there's also the wtf that the password is stored in the database in plain-text, rather than using an md5 hash of the password or something like that at the least, and adding some salt characters would be even better.

    Three wtfs from two lines of code.  Not exactly a record here. :)
  • (cs) in reply to kipthegreat
    kipthegreat:
    Alex Papadimoulis:
    <font color="#000099">if</font> (errMsg.indexOf(<font color="#990000">"Violation of UNIQUE KEY constraint 'UQ__mbrs_pwd'"</font>) != -1)
      <font color="#000099">return</font> <font color="#990000">"The password entered is already in use. Please enter another."</font>;


    It's funny.. when I read this, I thought the wtf was the first line, determining what kind of error you have based on an error message rather than some kind of error code (what happens when they sell a customer running their database in German?).  I totally didn't catch the much bigger WTF of what the error message was saying.

    Aside from that, there's also the wtf that the password is stored in the database in plain-text, rather than using an md5 hash of the password or something like that at the least, and adding some salt characters would be even better.

    Three wtfs from two lines of code.  Not exactly a record here. :)


    Meant to say-   what happens when they sell to a customer running their database in German?
  • (cs)

    <FONT face=Tahoma size=2>checking for specific error messages are not good practice...
    they're easily misspelled...[:P]</FONT>

  • (cs) in reply to BtM
    Anonymous:

    Why is there a unique constraint on passwords?  Surely they're not being used as keys anywhere, are they?  If so, doesn't that cause problems when the user changes their password?  Never mind the security implications...

    I sense layers of WTFery beneath this snippet.

    As someone who has worked on (read: inherited) monstrously sized applications, I have, sadly, frequently seen this sort of thing. Apparently, the less experienced developers had no time to develop a comprehensive error handling paradigm (eg: exceptions), so everything just returns a String, and then its contents are strcmp'd to see if it contains some magic words, thus indicating an error. You fix stuff like this as you encounter it, but it's like trying to sweep the tide back out to sea. <cries>

  • (cs)

    I'm just trying to imagine the GMail (or other such service) sign-up process if THAT required a unique password:
    <sound of typing:>
    "secret", no.
    "password", no.
    "07-04-1776", no.
    "asdfasdfasdf", no.
    "wtf?", no.
    "Reginauld G. Cooper was here", no.
    "Reginauld G. Cooper was THERE", no.
    "are there any f---ing paswords left?", no.
    "spacemonkey", no.
    "deadbabyducks", no.
    "painfullrectalitch", no.
    "superbassamatic76", no.

  • (cs) in reply to kipthegreat

    Not to mention the fact that they are RETURNING the error message instead of throwing it.

  • (cs) in reply to marvin_rabbit
    marvin_rabbit:
    I'm just trying to imagine the GMail (or other such service) sign-up process if THAT required a unique password:
    <sound of="" typing="">
    "secret", no.
    "password", no.
    "07-04-1776", no.
    "asdfasdfasdf", no.
    "wtf?", no.
    "Reginauld G. Cooper was here", no.
    "Reginauld G. Cooper was THERE", no.
    "are there any f---ing paswords left?", no.
    "spacemonkey", no.
    "deadbabyducks", no.
    "painfullrectalitch", no.
    "superbassamatic76", no.

    Note to self: change GMail password

  • (cs) in reply to BtM
    Anonymous:

    Why is there a unique constraint on passwords?  Surely they're not being used as keys anywhere, are they?  If so, doesn't that cause problems when the user changes their password?  Never mind the security implications...

    I sense layers of WTFery beneath this snippet.



    They can have a cool 'forgot username?' feature.  You enter your password and it tells you your username.

    This WTF is truly an onion........

    1) questionable primary keys
    2) security issues
    3) error handling based on database vendor magic strings, as well as database key/index names


  • notEnoughInfo (unregistered) in reply to kipthegreat
    kipthegreat:
    Alex Papadimoulis:
    <font color="#000099">if</font> (errMsg.indexOf(<font color="#990000">"Violation of UNIQUE KEY constraint 'UQ__mbrs_pwd'"</font>) != -1)
      <font color="#000099">return</font> <font color="#990000">"The password entered is already in use. Please enter another."</font>;


    Aside from that, there's also the wtf that the password is stored in the database in plain-text, rather than using an md5 hash of the password or something like that at the least, and adding some salt characters would be even better.


    I don't know how you can infer anything about how the password is stored from that snippet of code.  It's just searching the text of an error message; the preceding lines could have included a check of a hashed or encrypted value against the one in the DB.
  • Matt (unregistered) in reply to shaggz

    I can see the query now:

     

    select * from users where username = @username or password = @password

     

    Thats why they can't allow duplicate usernames...

  • (cs) in reply to kipthegreat
    kipthegreat:

    Meant to say-   what happens when they sell to a customer running their database in German?

    If that was the only problem, I would say: so what, tell the customer to run their database in English. Who cares.
    I would rather worry that the error message ("The password entered...") is hardcoded in English.
  • (cs) in reply to jspenguin
    jspenguin:
    marvin_rabbit:
    I'm just trying to imagine the GMail (or other such service) sign-up process if THAT required a unique password:
    <sound of="" typing="">
    "secret", no.
    "password", no.
    "07-04-1776", no.
    "asdfasdfasdf", no.
    "wtf?", no.
    "Reginauld G. Cooper was here", no.
    "Reginauld G. Cooper was THERE", no.
    "are there any f---ing paswords left?", no.
    "spacemonkey", no.
    "deadbabyducks", no.
    "painfullrectalitch", no.
    "superbassamatic76", no.

    Note to self: change GMail password



    My GMail password is 12345.  I'm very proud of it.  No one would ever guess it.

  • (cs)

    Please tell me that once you've logged in with a "proper" password, you can browse the list of users?

  • (cs) in reply to BtM
    Anonymous:

    Why is there a unique constraint on passwords?  Surely they're not being used as keys anywhere, are they?  If so, doesn't that cause problems when the user changes their password?  Never mind the security implications...

    I sense layers of WTFery beneath this snippet.

    Layers and layers of WTFery ... entire underground civilizations of WTFery ... The Land of WTFery That Time Forgot ...

  • (cs) in reply to jspenguin
    jspenguin:
    Not to mention the fact that they are RETURNING the error message instead of throwing it.


    if the function is called returnErrorMessage() or something then why would they want to throw it?  throwing errors is just 1 of 2 (actually 3 if you count setting globals) ways to handle errors.
  • What about? (unregistered)

    What if they had separate tables for passwords and usernames with no way to link one to the other! (It's only natural to have similar constraints in them, no?)

  • (cs) in reply to notEnoughInfo
    Anonymous:
    kipthegreat:
    Alex Papadimoulis:
    <font color="#000099">if</font> (errMsg.indexOf(<font color="#990000">"Violation of UNIQUE KEY constraint 'UQ__mbrs_pwd'"</font>) != -1)
      <font color="#000099">return</font> <font color="#990000">"The password entered is already in use. Please enter another."</font>;


    Aside from that, there's also the wtf that the password is stored in the database in plain-text, rather than using an md5 hash of the password or something like that at the least, and adding some salt characters would be even better.


    I don't know how you can infer anything about how the password is stored from that snippet of code.  It's just searching the text of an error message; the preceding lines could have included a check of a hashed or encrypted value against the one in the DB.


    That's true.  Giving them the benefit of the doubt, they could be storing something like an md5 hash with several randomly-generated salt characters.  In which case, there would need to be somewhere on the order of 1.774 * 2^64 users before the probability of a collision is greater than 50%.  If this were the case, then it is unlikely that this error message was ever seen, which would explain why it was still in the system.  Using an even better hash like SHA-1 would further decrease the probability of a clash.

    Of course, Alex said "this is as bad as it seems" so I doubt it.
  • (cs) in reply to kipthegreat
    kipthegreat:
    jspenguin:
    marvin_rabbit:
    I'm just trying to imagine the GMail (or other such service) sign-up process if THAT required a unique password:
    <sound of="" typing="">
    "secret", no.
    "password", no.
    "07-04-1776", no.
    "asdfasdfasdf", no.
    "wtf?", no.
    "Reginauld G. Cooper was here", no.
    "Reginauld G. Cooper was THERE", no.
    "are there any f---ing paswords left?", no.
    "spacemonkey", no.
    "deadbabyducks", no.
    "painfullrectalitch", no.
    "superbassamatic76", no.

    Note to self: change GMail password



    My GMail password is 12345.  I'm very proud of it.  No one would ever guess it.


    12345? That is the kind of password that only an idiot would have on his luggage...

  • (cs)

    A few years back, I worked for someone who wanted a unique constraint on the username/password combination.

    In other words, everyone could register with the same username, as long as their password was new.

    After an intense discussion with this "English-challenged" individual, I went ahead and coded it as requested.  (If the user picked a previously used combination on the registration form, it just goes ahead and logs them into the existing account.)

    As far as I know, this e-Commerce application is still using the code, and I suppose history has demonstrated my foolishness... he's now the VP of Development, and I was laid off, partly owing to my "negativity".

  • (cs) in reply to only lamers claim first

    Anonymous:
    doing the whole fist thing is stupid.

    Yep, one finger is sufficient.

  • Kevin (unregistered) in reply to notEnoughInfo

    I will take a guess that the user table is as expected: id, username, password. (Well, almost as expected.) I don't think passwords are being used as primary keys.

    Some bonehead probably just thought that having two passwords be the same is a security risk, then went ahead and added the unique constraint that made today's WTF possible.

  • (cs)

    Maybe it's not as bad as you think.  Sure, using the text of a error message as  a key is a WTF.  But maybe it's not such a big WTF to check that the password is unique.  I've seen an application where you needed different passwords for different access levels, and you couldn't use the same password in the different places.  In that application, a constraint on userid,password would make sense.

  • Baloon Knot (unregistered)
    Alex Papadimoulis:

    ...I'll present a single line of code...

    <font color="#000099">if</font> (errMsg.indexOf(<font color="#990000">"Violation of UNIQUE KEY constraint 'UQ__mbrs_pwd'"</font>) != -1)
      <font color="#000099">return</font> <font color="#990000">"The password entered is already in use. Please enter another."</font>;


    I get it, the WTF is that Alex said he'd present a single line of code, but he really showed two.
  • Baloon Knot (unregistered) in reply to GalacticCowboy
    GalacticCowboy:

    Anonymous:
    doing the whole fist thing is stupid.

    Yep, one finger is sufficient.



    I prefer the shocker myself (giving, not receiving).

  • Lindows Network Administrator (unregistered)

    Lindows will rule the day!

  • (cs) in reply to shaggz

    shaggz:
    They can have a cool 'forgot username?' feature.  You enter your password and it tells you your username.

    Why bother with a complicated "forgot username" feature. It would be simpler to just add a "loggedin=true" query string parameter and you could skip that whole logging in thing altogether.

  • Pablo Marambio (unregistered) in reply to Baloon Knot

    Not to mention the passwords could be stored in plain text...

  • Troll (unregistered)

    First Post!

  • strickdd (unregistered)

    first? 

  • (cs)

    Geez, I noticed that they were checking the text of an error message, which is silly but only slightly dangerous. But the fact that they were trying to keep all the passwords unique? And that the user was notified of that fact, thus giving them some information about what passwords are on the system? Nope. Totally missed it.

    This is like reading Marilyn Vos Savant's column, where she gives you a list of words and asks what they have in common. I never figure those out, 'cuz the relationships are always totally out of left field. And I hate myself for ALWAYS stopping to read that darn column anyway!

Leave a comment on “Uniquely Secure”

Log In or post as a guest

Replying to comment #:

« Return to Article