- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
Geeze, I know I'm in trouble when I've been verbified! Time to head for the hills before the mob forms.
Admin
That's right. They should ask you for a security question, like the name of your spouse or the high school you graduated from.
As we all know, using personal information like that as a password is a very bad practice, because a hacker who knew you or was willing to do a little research about you could find those things out and guess your password. So you should always use a password which is a meaningless combination of letters, digits, and punctuation.
But such passwords are hard to remember, so if you forget, there should be a way to recover or reset your password by using a security question like the name of your spouse or the high school you graduated from. These things can then function as a sort of alternative password, because knowing the answer to your security question is just as good as knowing your password.
And of course, it would never occur to a hacker to research these things about you so that he could guess your security question. Just to make it even tougher on the hacker, the security question specifies exactly which piece of personal information is being used. If a hacker tried to guess your password, even if he supposed you might be using a piece of personal information, he wouldn't know whether you used your spouse's name or your dog's name or your favorite ice cream flavor or what. But with security questions, he knows exactly which piece of personal information to use.
Admin
That's right. They should ask you for a security question, like the name of your spouse or the high school you graduated from.
As we all know, using personal information like that as a password is a very bad practice, because a hacker who knew you or was willing to do a little research about you could find those things out and guess your password. So you should always use a password which is a meaningless combination of letters, digits, and punctuation.
But such passwords are hard to remember, so if you forget, there should be a way to recover or reset your password by using a security question like the name of your spouse or the high school you graduated from. These things can then function as a sort of alternative password, because knowing the answer to your security question is just as good as knowing your password.
And of course, it would never occur to a hacker to research these things about you so that he could guess your security question. Just to make it even tougher on the hacker, the security question specifies exactly which piece of personal information is being used. If a hacker tried to guess your password, even if he supposed you might be using a piece of personal information, he wouldn't know whether you used your spouse's name or your dog's name or your favorite ice cream flavor or what. But with security questions, he knows exactly which piece of personal information to use.
Admin
The only reason we ask our authenticated users for their password is to make them feel like they're contributing to the process.
Plus, we have the upside of not having to actually check it, which saves us the aggravation of dealing with typos and caps-locked ebcaks who can never seem to get their password right, anyway.
Admin
You're right - storing passwords AT ALL is the WTF. C'mon people, store hashes of passwords, not passwords themselves, even if encrypted!
Admin
The WTF is actually 2 WTFs
Admin
This is quite an interesting attempt at two factor authentication, years ahead of its time.
--Lego
Admin
I work in a high school. Student's ID numbers are generally used as a unique identifier and a password for 90% of the student systems (computers, online grade access, etc.) Which is bad enough in and of itself. But I cried when I found out that a web programmer didn't bother to assign an autoincrement id field to the student table and had, in a live prom king/queen voting system, something that looked like <option value="123456">Student Name</option>, etc. where the value was the straight-up student ID.
Of course, not that it mattered, since it used a javascript verification for logins that only checked to see if the id number was 6 digits long.
In any case, you still want password encryption for the reason that people tend to reuse passwords. Most people aren't going to care if someone hacks Joe Blow's Bacon and Beastiality Discussion Forum's DB, but if they take the unencrypted password from that and use it to hit up your paypal, it suddenly becomes an issue.
Admin
Sure, almost nobody does that (I don't either, most of the time) but that doesn't mean I can't.
Admin
The WTFs of this one:
Special Bonus WTF: 4) If MDI.GetDataSet does not convert the database response of "zero rows" to Nothing, then any password you use will work, even if it doesn't match an entry in the database.
Admin
Huh? I do that all the time. I sorta figured everyone does. That's the only way to make it hacker-proof.
CAPTCHA: transverbero. Recursive definition: something used to mutilate language and produce words such as "transverbero".
Admin
I usually fill in the security questions all the same (matching the institution name) - it's a half assed attempt at 2 factor, so I treat it with contempt
Admin
What? The [ ] are not mandatory unless you're using a reserved word, just like
isn't mandatory in MySQL etc.Admin
Admin
I hope you don't let your spouse know that you are using her name in place of the dog's. That would be a major WTF :-)
Admin
I don't understand why people are having trouble with this one.
If String.IsNullOrEmpty(Password) Then Using dsUser As DataSet = MDI.GetDataSet( "SELECT * FROM [dbo].[Password] WHERE [Password] = " & _
That's one WTF of a back door!
Admin
No. What if they manage to steal a backup tape? What if they gain read-only access? Then they only have the hash of the password, not the actual password. Even if they do get write access to the database, they have to know the exact hashing method used (any salt used, hashing algorithm) before they can generate a hash that corresponds to a password they can use.
Admin
TRWTF is Daniel Pope's ideas about security.
Admin
Agreed. There's a problem on Project Euler about this very idea:
http://projecteuler.net/index.php?section=problems&id=79
For those too lazy to click the link, the idea is that an attacker has obtained a list of fifty successful login attempts where the login system uses Daniel Pope's idea. On the assumption that the characters are always in relative order left-to-right, the problem is to determine the full password.
Obviously, this doesn't work if the login system uses random characters and allows duplicates, but it would still significantly narrow down the brute force search space.
Now someone's going to tell me "if you have the plaintext login attempts you already have access to the target website/database/whatever". If you're about to say that, you're not thinking very hard.
Admin
I only wish I invented the situation. http://iase.disa.mil/stigs/stig/index.html - take your pick.
I would bet your bank generates 5 challenges from your password (if it indeed does it), and hashes them. It reports the challenge, hashes it, and compares. My bank has several challenge questions. Testing seems to indicate it is case and punctuation insensitive. Doesn't mean it still cannot hash it (as long as it uses the sames rules when it stored it). The issue isn't so much protecting against the over-the-shoulder, or social engineering attack. Those will always be there. But the scope there is minimized because I have to compromise one account. Putting information in the clear blurs the inside and outside. To compromise one account from the inside is to compromise all the accounts. Of course, I can invent situations like the disgruntled employee, or like Office Space, or even the case where someone decided to use (and inadvertantly release) real data for test data. Not like none of those have ever happened.
Admin
Admin
Admin
It is clear that this application doesn't have users. There is ONE password for the whole app, and anyone who knows that password is allowed to use the app.
Admin
This. It's a table called "Password". Not "Passwords", "Password". It's clearly a single global password stored as a single row inside a DB table. No need for users.
Admin
TRWTF is that the company spent money and time re-developing a working system.
The 2nd WTF is that they brought it inhouse, assigning it to a programmer unfamiliar with the codebase and development history.
The 3rd WTF is that this developer was known to be a novice in the target platform, and allowed him to work without any apparent oversight or review process until completion.
The existence of the encryption WTF's, egregious as they are, are a predictable outcome of a thoroughly mismanaged development process.
Admin
Is it also a wtf that the function's parameters sender and e are never used?
Admin
Ok so the bloke looks at the source of a VB-Access soft and discovers that it's crappy. What did he expect from a VB-Access soft? Lol, this is a "My Cds and Dvds list" techno!
Admin
Damn, you beat me to it! I was reading through the comments and realised I was almost at the end and no one had figured this out. For this app, obviously they don't care who the user is providing they know the password, similar to those PIN-code office door locks.
Obviously the app doesn't protect anything critical enough to require user audits, and so the use of clear text is fine too. It's a fairly safe assumption that anyone with access to the DB would know the common password.
The real WTF is that "Rick P." has obviously never used the application he's attempting to ridicule.
Admin
My bank does this as well. So does my "Verified by Visa" pointless extra check when I try to buy things online.
I can't think of a sensible way to do it that doesn't involve storing the password in cleartext in the DB. :(
Admin
How much harder that makes life for the cracker, I'm not awake enough yet to work out.
Admin
That does not yet look well-planned to me - if you have the hashes, you should be able to brute-force the password, at least if the challenge is as simple as "what is the 5th letter?", because the number of possible answers is simply too small.
I am not sure if this is more secure. Anyhow, not storing plain text at least saves you from people seeing the password by accident.
Admin
FTFY
Admin
Those are standard parameters to any .NET event handler. Whether that is a WTF is left as an exercise to the reader.
Admin
Hahahahha!! Someone reads this site as much as me! ;o)
Admin
No, it really does all depend.
eg - on TDWTF what would it matter if the passwords were stored in plain text? If someone can get hold of Alex's database and see my password all they can do is post messages pretending to be me. Whoopdee doo.
Now, I could be using the same password for other things, but that's my fault. I have no idea how TDWTF stores passwords. For all I know, the website may even store all login attempts in a plain text log file which can be downloaded by anyone.
Thus - storing unencrypted passwords is not necessarily a WTF. In fact, several challenge response systems (eg CRAM-MD5) require un-hashed passwords to be stored. Is it safer to use CRAM-MD5 requiring un-hashed passwords to be stored but transmitting them hashed, or to use plain text authentication allowing hashed passwords to be stored, but transmitting them in the clear?
Several banks in the UK do ask you 'what are the 3rd, 6th and 8th letters of your password'. I'm not saying whether this is good or bad, but I doubt whether all the possible combinations are hashed, so I think you can assume that they are storing the password either in the plain or encrypted using a reversible encryption (I would hope the latter).
Their justification for this is that it is more likely that a user's PC will have a keylogger on it than that their database will be accessed without their knowledge (and by someone who knows the decryption key). Whether this is true or not (and whether this is an adequate defence against that) is up to you to decide.
(FWIW, all the banks I use which use this system also have a hardware card reader that I have to use to authorise internet money transfers, so I'm not too worried about security anyway).
Admin
did someone say SQL injection? I know a song about that... http://xkcd.com/327/
captcha: damnum
Admin
I like this. But then why doesn't #if DEBUG and #else show up in the login function instead of using compiled code?
Admin
Admin
Yes, because no one ever uses the same passwords on different systems. By exposing their passwords in the event that a hacker gets access to your database, you are screwing them elsewhere as well. Good job.
Admin
Admin
Well, sure, if you don't use the system as intended, you avoid the gaping security hole.
I don't answer these questions as asked any more either. I just give an alternative password, and give the same answer to all security questions from any given site.
But I'm sure 99% of users, when asked, "What is your mother's maiden name?", give their mother's maiden name.
Hey, let's face it, if you called people on the phone and said, "Hi, I'm with the security department at First National Bank, and we're doing a security audit. What is your password?", I'd bet that literally at least 30% would tell you.
Admin
I'm not a crypto geek, but I don't understand why this would ever be done. I would think it would be a simple enhancement to support storing them as a one-way hash. From what I read, CRAM-MD5 works like this:
System -- string -> User System <- username digest(key=password, message=string) -- User
Why not do this instead?
System stores a one-way hash of the password using key syskey.
System -- syskey+string -> User System <- username digest(key=hash(syskey,password), message=string) -- User
We're no longer storing the password cleartext, nor is it reversible from the ciphertext, and it is still not transmitted in the clear.
Admin
No it doesn't. Ever.
If you're doing challenge/response by sending unencrypted passwords, you're doing it wrong.
Admin
It's obvious that your authentication software is completely broken and you didn't even perform basic testing on such a critical piece of software.
I have informed the audit group and CCed your boss so that your incompetence and lazyness affect your bonus!
CAPTCHA: eros (how did the CAPTCHA Software guess my password?)
Admin
Dear N00bs,
The WTF is: the system will let you in if the entered password matches ANY password in the system!
i.e. there is no [userid] = clause on the query.
Admin
That was my interpretation, too.
Admin
On a government project I once found a system whose PAM stack had been (it turned out inadvertently) muffed up in such a way that any password text was accepted as correct. Not any password on the system -- any password text at all. I found it when I was logging in, muffed my password, realized it just after I hit Enter, and was bemused to find I was nonetheless logged in successfully.
Admin
Admin
According to a number of Best Practices for Schema Design articles, the fact that it is a table infers that it contains more than one record. Thus, the name should be kept singular to prevent pluralization problems when coding access to the database.
(CAPTCHA: ullamcorper - http://www.ullamcorper.com/ <- This?
Admin
The fact that this function shows a dialog window saying 'OK' if the password is correct leads me to assume it's not a login box.
Perhaps it's more a kind of 'Verify that you really want to do this (by re-entering the password)' idea?
Anyway, for all we know _Password may store the password entered at login, so it doesn't have to de database lookups to match this weird verification-like dialog.