Admin
MUHAHAHAHAHAHAHAHAHA Unique passwords and Usernames? - And Tell them that they got a correct password but username wrong? HAHAHAHAHAHA
Admin
my coworker just sent me a hopefully defunct sproc that he found that not only accidentally uses a cross join, but also creates a temporary table only to do a SELECT * FROM #temp.
Not quite wtf worthy, but it did provoke a "what in the hell?" Must have come from the "moving the data into a temp table and then scanning the temp table was ultimately faster than directly selecting the row" school of thought.
Admin
Imagine trying to set your password and being told for the umpteenth time that your password has already been taken.
Admin
I can imagine! "Sorry, you cannot set your password to 'password'. It has already been taken by 243 users. Their usernames are: ..."
:)
Admin
On second thought that would actually imply phasing in password uniqueness via code after some users already got their accounts set up. [smacks self]
Admin
Ilya : 243 users? You can't get 243 if the passwords are unique. But I feel what yuh saying.
Admin
And you have beaten me to the draw...lucky pooch
Admin
Actually... Mikey's DBA is right. There is (was) an issue with Sybase and writing values to floating-point fields. Coincidentally, this problem also affected SQL Server up until version 6.5. Certain values could be written to the database, and upon retrieval these values would be different. The problem was not actually in the database server however - it was in the CT-LIB/DBlib driver interaction with various development libraries, most notably the Borland BDE. It would erroneously round (sometimes!). We ended up having to use currency datatype (and other hacks) for these fields. So Mikey's issue, while seemingly crazy to most people, is not really a WTF because there is truly a sound basis for it.
Now on the other hand, the "unique password" bit really does fall into WTF territory...
Admin
As an addendum to the Developer/DBA "Unique Password" WTF: I submitted that particular WTF, and was the Developer. You'll all be happy to know that the DBA was promoted to manager of our team.
Admin
Do I read it right that that last procedure returns the same error whether the user name is not found or the password for that user is incorrect? It seems to me that these should be two separate error messages.
Admin
Sybase is still a terrible DB to put floating point numbers into. I went mad a month or two ago trying to get bcp to work on Sybase 12. I'm with the DBA on this one.
Admin
Well, the procedure could return two distinct error states, that's fine. But the end user should only get a single error - username/password incorrect. Otherwise, this just serves as a mechanism for checking for possible "correct" passwords by feeding in any username I want to make up and a password I'm trying to verify exists for some user.
This is a very bad idea in systems where hashed passwords could then possibly be retrieved via another mechanism, and then I have a dictionary of known passwords I can just check against the hashed values.
I'm oversimplifying, but you get the idea - don't reveal any more than you need to.
Admin
If the DB returns distinct error messages based on whether a username OR password is incorrect, you've just given Joe Hacker a way to find out what your valid usernames are... Like the original post states, it's a security issue.
Admin
Derek:
Making distinct error messages makes it easy for people to guess their way into the system.
bsmith password - "Invalid Username"
bobs password - "Invalid Username"
smithb password - "Invalid Password"
Ok, at least I got the username right. Now to start on the password....
If you give a generic error for "Invalid Username or Password" then a hacker doesn't gain the above advantage.
Admin
In fact, I've heard at least one account of an exploited vulnerability in a system that did return the same error for incorrect IDs and passwords. The vulnerability was based on the fact that it took a little longer to reject an invalid password on a valid user ID than it did to reject an invalid ID.
The attacker in this case was able to compile a list of valid user IDs by recording the attempts that took more than a certain number of milliseconds to return the error.
Once you have a set of valid user IDs, it's all over, because then you can focus your efforts on trying each against a few variations of the most common password (which, amusingly enough, is "JESUS").
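The two points raised above (one generic error for both failure cases, and no measurable timing difference between an unknown user and a wrong password) can be shown together in one login routine. This is an added example, not code from the thread; the user table, the PBKDF2 parameters and the dummy credential are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed parameters: PBKDF2-HMAC-SHA256 with a per-user random salt.
ITERATIONS = 50_000
GENERIC_ERROR = "Invalid username or password"


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_table(accounts):
    """Build {username: (salt, hash)} from (username, password) pairs."""
    table = {}
    for name, pw in accounts:
        salt = os.urandom(16)
        table[name] = (salt, hash_password(pw, salt))
    return table


# Dummy credential used when the username does not exist, so the unknown-user
# path performs the same PBKDF2 work as the known-user path (no timing tell).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy-value-never-accepted", _DUMMY_SALT)


def login(table, username: str, password: str):
    """Return (ok, message). The message never says which part was wrong."""
    known = username in table
    salt, stored = table.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)
    # compare_digest takes the same time however early the digests differ;
    # '&' instead of 'and' avoids short-circuiting on the comparison result.
    ok = hmac.compare_digest(candidate, stored) & known
    return (True, None) if ok else (False, GENERIC_ERROR)


if __name__ == "__main__":
    users = make_user_table([("smithb", "hunter2")])
    print(login(users, "smithb", "hunter2"))   # (True, None)
    print(login(users, "smithb", "wrong"))     # (False, GENERIC_ERROR)
    print(login(users, "bsmith", "wrong"))     # (False, GENERIC_ERROR), same cost
```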
Admin
Jesus...
Admin
Here's your WTF:
"I wrote him up a little code that would cycle through every possible 64 bit pattern, cast it as double, write it to the database, read it back, convert to a bit pattern and compare the original and new patterns for discrepancies. Aside from shouting if the patterns mismatched, it also reported progress every million patterns.
Based on the log, it looked like we'd have to wait a few years for the final result."
Perhaps he doesn't grasp just how large 2^64 is. If you were running this test for a full year on computers that could perform 3 billion tests per second, you'd need nearly 200 such computers to finish this test within the year. To put it in other terms, having a single computer attempt this computation would take it nearly 200 years to complete. A case where brute force just ain't gonna cut it...
Admin
Unique passwords? Probably yes but it's more a function of the hashing and salting you do to your password prior to entering it in the DB.
Admin
> You'll all be happy to know that the DBA was promoted to manager of our team.

At least this guy knows something about databases. I had managers who didn't have a clue about database design at all, and definitely nothing about programming. Some were close to the joke that 2+2*3 should be equal to 12, that this could be proven by any calculator, and that naturally MS Excel is wrong; that's why everyone is bitching about MS products.
I HAD... phew... ahh what a relief... and I will never ever again work for such a company!
Cheers :)
Admin
If the floating-point test pattern wouldn't have completed for some vast period of time, then wouldn't it have made more sense to simply test random floating point numbers? If there was a problem with floating points, testing it with a relatively short series of nearly identical numbers would not be a reasonable test.
What if the problem involves storage of bits your program won't twiddle in half a century? 50% of all floats could be corrupt and you wouldn't know until after you retired!
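A round-trip harness in the spirit of the bit-pattern test quoted earlier, but sampling random 64-bit patterns as suggested in this comment instead of walking all 2^64 of them. This is an added example, not the submitter's code: the two `store` functions are constructed stand-ins for the database driver (one exact, one that rounds to 15 significant digits on the way in, a stand-in for the rounding behaviour the thread describes), and the exhaustive-run estimate uses the 3 billion tests per second figure from the thread.

```python
import random
import struct


def bits_to_double(pattern: int) -> float:
    """Reinterpret a 64-bit integer as an IEEE 754 double (no value conversion)."""
    return struct.unpack("<d", pattern.to_bytes(8, "little"))[0]


def double_to_bits(value: float) -> int:
    return int.from_bytes(struct.pack("<d", value), "little")


def round_trip_check(store, patterns):
    """Return [(original_bits, returned_bits)] for every pattern that changed.

    Comparing bit patterns rather than float values matters: NaN != NaN,
    so a value comparison would flag every NaN pattern as a mismatch.
    """
    mismatches = []
    for p in patterns:
        got = double_to_bits(store(bits_to_double(p)))
        if got != p:
            mismatches.append((p, got))
    return mismatches


def random_patterns(n: int, seed: int = 0):
    """Seeded sample of the 64-bit space, so a failing run is reproducible."""
    rng = random.Random(seed)
    return [rng.getrandbits(64) for _ in range(n)]


# Constructed stand-ins for "write it to the database, read it back".
def exact_store(x: float) -> float:
    return x


def lossy_store(x: float) -> float:
    # A driver that formats with only 15 significant digits loses mantissa bits.
    return float(f"{x:.15g}")


def exhaustive_years(tests_per_second: float = 3e9, machines: int = 1) -> float:
    """Wall-clock years to cover every 64-bit pattern at the given rate."""
    return 2**64 / (tests_per_second * machines * 365 * 86400)


if __name__ == "__main__":
    sample = random_patterns(10_000)
    print("exact store mismatches:", len(round_trip_check(exact_store, sample)))
    print("lossy store mismatches:", len(round_trip_check(lossy_store, sample)))
    print(f"exhaustive run on one machine: {exhaustive_years():.0f} years")
```

Even a few thousand random patterns expose the lossy stand-in immediately, which is the point of sampling the whole space instead of sweeping it from zero.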
Admin
Once upon a time I used a mainframe system which was configured to not allow two users to have the same password. But when a bunch of accounts were set up they were all given a default password, and we were told to change the password on our first login.
Just for the hell of it I tried changing my password back to the default password, and it actually did say "Your password is the same as the following other users:" and gave me a list of all the other accounts which still had that password.
But that's still not as bad as Microsoft Bob, the only system I've ever seen which says, "Oh, it looks like you've forgotten your password. Would you like to change it?"
Admin
> more a function of the hashing and salting
Trust me, to this DBA he would confuse the terms hashing and salting with breakfast.
I could start a whole new site on this guy alone called ManagementWTF.com
Admin
> Unique passwords? Probably yes
Salting might give unique passwords given that you'd be using a random salt, but there is no reason at all to enforce passwords to be unique.
Of course the issue of people using the same password for multiple accounts (i.e. network admin uses admin password for his hotmail email password) is another issue...
Admin
@Original Submitter: dilbert.com already exists
Admin
I am not one for salting...I prefer peppering.
Admin
I'm hungry! I could go for an Egg McMuffin!
Admin
Hey Michael: Could you please pass the...heh heh heh...just kidding.
Admin
On the floating point bug: sounds to me like the real wtf for the DBA is not fighting more to prove to the developer that there was, in fact, a problem - documentation would have helped. Just because some huge corporation released something doesn't mean there is a potentially major bug in it. I see that all the time...
Admin
I once had the joy of maintaining a system which allowed new users to register, and ensured that the username/password combination was unique. That's right - you could re-use the same username as long as the password was different. The real fun started when you tried to log in, and found that the login procedure assumed that usernames were unique, and it was up to chance whether the account it verified your password against was yours or some other poor sap's.
Admin
> At least this guy knows something about databases. I had
> managers who didn't have a clue about database design at all, and
> definitely nothing about programming. Some were close to the
> joke, that 2+2*3 should be equal to 12 and this could be proven
> by any calculator and naturally MS excel is wrong, that's why
> everyone is bitching about MS products.
Well, they might be smalltalk programmers ;)
Admin
heh... Try =sum((2+2)*3) :P
Admin
Word up.
Admin
Well, the real WTF here is that the bug had (presumably) been fixed for some time but this guy continued to assume that it existed. I've known developers with the same syndrome. For example: "Avoid CString at all costs, because it thrashes memory". Yes, it did... in MFC 1.0. So instead they write some horribly convoluted code that thrashes memory just as badly as CString used to, but also has some hidden bug in it that they then copy-and-paste throughout their code because they don't grasp the fundamentals of OOP.
Admin
I prefer currying :)