- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
First ever post is a fist post!
The _moment_ you enter an incorrect character, the error "Incorrect Password!" will be set, and the _moment_ you type the complete text into the password box, you are logged in.
It seems that it would be much simpler to simply wait until the user presses enter / OK / whatever to submit the username / password, and then just compare the two strings... I know C# is a silly language, but surely it has string comparisons built in!
Admin
please fix the "=3D" microcruft
Admin
Except the obvious please-guess-my-password code, what about comparing hashes maybe?
Admin
<font face="Times New Roman" size="3">Doesn't SQL Server already have a perfectly good authentication system? Have a table which contains unhashed passwords which presumably anyone who has a tool like Query Analyser installed can query is pretty nasty...</font>
Admin
Unless I'm missing something about the way .Net works Chirs is one heck of a nice guy.
I would have just dropped all the tables, or at least changed his passwords to something questioning his parentage.
Admin
Well DUH! Wonder why this ended up in the daily wtf in the first place...?
Admin
It's also vulnerable to SQL Injection Attacks!
Admin
Ignoring the obvious problem of a system which makes it trivial to bust the password... WHY is it doing the SQL query to get the list of passwords on every keypress?
Admin
My favourite username is " '; DROP DATABASE; -- "
Admin
Because it's possible to brute force the password in (n*26)/2 guesses as implemented instead of (n^26)/2 guesses using the normal way. (well, maybe not 26, but you get the idea.)
For an 8 character password, that's 65 guesses vs 11881376 guesses.
Admin
This is pretty much what I would have expected from someone studying computer science anyway. Those retards(mostly) have no clue.
This isn't a code snippet, it qualifies as a front page story.
Admin
Here's an even bigger WTF (appart from the =3D wtfs):
(Relevant parts emphasized)
You will never successfully login (i can't be < length and == it at the same time).
Also WTF: the "incorrect password" notice will only reflect the last character typed, since the coder forgot to break/return out of the loop...
(edit: even if you got into that part, both password[i] and .Text[i] will barf on indexing a nonexistant character)
Admin
I'm a CS Student myself but I really have to agree. Those that enter Computer Science without previous programming knowledge pretty much turn out to be the worst possible coders. I'm seriously glad to have learned C, x86 assembler, and several other things prior to enrolling.
Admin
Apart from the 3D thingies, this is so completely moronic that I have to call BS on it... who could ever, possibly, get the idea to postback a page between every single keystroke? You'd have to wait a second or two between every key you press..
Admin
This piece of code is a shame for everyone who has a BSc in CS. I *really* hope Christopher's friend failed in his CS tests when he writes such kind of code. I know that learning to write code is not easy and that you do not write perfect code in the first place (heck, I don't dare to look at the source codes of my first programmes I wrote years ago). But there are so many good books out there explaining the dos and don'ts...
On the other hand: with this perfect knowledge of programming he still might become a consultant or a manager...
Admin
Just a wild guess, but maybe someone with little, if any, programming experience. Like say, maybe someone "who is attending an upstanding college to get his Bachelors of Science in Computer Science".
Admin
You're talking about a world where banks consider case-insensitive, fixed length passwords secure just because they make you include a number. And.... A system we use in our school uses passwords but no usernames... You can log in, go to the password change page and start changing your password until you get a "this password is already in use" error.
I don't blame the guy in this WTF for writing it that way... Assuming he never got taught about security and why to not trust users.
Admin
Again, if he already had his BS, then the real WTF is that he's getting it again.
Admin
Admin
No because it will throw a incorrect password message before you can type the sql :)
Maybe copy paste will do the trick?
Admin
Brings a tear to my eye
--
Captcha: Completely Automated Public Turing Test To Tell Computers And Humans Apart
Admin
s/=3d/=/g; #Quote printable off
Admin
Admin
I like this. It's good, tactile code that's quite obviously aimed at improving user experience. The trouble with password fields is that you can never actually see what you are typing, and this can lead to a lot of mistakes. I've always thought that if I could design a better password field, it would work something like this. Think of the time I would save on Monday mornings if it actually told me when my shaky hands were malfunctioning more than normal when I'm trying to login.
Admin
Love it, combine string concatenation with a StringBuilder in the same line of code :)
Admin
And why compare the password with the input string byte by byte - .NET has a plethora of string compare methods? A little knowledge is very dangerous
Admin
all in 28 lines of code. Genius!
Admin
I thin that's the "anti-pattern" known as "reinventing the square wheel" :)
Admin
Certainly it'll show an incorrect password message, but there's nothing to stop you adding to the TextBox.
Admin
StringBuilder sb =3D new StringBuilder();
What on earth is a 3d StringBuilder() ? does it build 3d strings?
That Microsoft -- they certainly innovate!
Admin
Oh dear lord, I've missed the most obvious WTF about this code;
You only need to get the last character of the password correct for it to validate you; if the password is set to "password" and the user typed in "*******d" the code will validate. Yes, it'll display an incorrect password message, but it'll still log you in.
Admin
The real WTF is that this should have been implemented using AJAX techniques...
Admin
You guys have never browsed usenet and/or mailing lists and seen what broken mail clients do to quoted printable mime encodings? It has nothing to do with Microsoft whatsoever. lol. ( = escapes a newline, enabling long-line support in standard email, check RFC 1521.) Always fun trying to read archives of a mailing list with half the posts randomly broken.
Admin
Since this is obviously a standard gui app, not a web app, that would double the fun instantly. Why do something as silly as open the database directly, when you can xmlify your sql injection with a random chunk of jscript.net plopped in the middle of your C# and dynamically executed. =D
Admin
It is creative, gotta give him that. I guess it's good that he let someone else test it first.
It reminds me a little of the login procedure of one of our products, where a user is in an account. Two different accounts can contain two users with the same name, no problem. It would be annoying tho, if those two users accidentally have the same password, of course. My boss thought out loud "we could of course give the user a notification: 'sorry, this combination of username and password is already taken'". We decided that wouldn't be a great idea, but we did get a good laugh out of the suggestion.
Auto-suggest for login procedures is never a good idea. The less someone knows about existing accounts, the better.
Admin
Actually, doing:
for( i=0; i<n; i++ ) blah();
Will call blah n times and on exit i will == n, because the increment and test is done at the end of the loop, so after the loop where i==n-1, i is incremented, and because i now equals n, it drops out of the loop.
Admin
Yeah, now what's the bet that that was pure luck on the coder's side. :P
Admin
I've learned to give the user immediately feedback if he is doing something wrong before he submits the data. This guy takes it to a new level! I wonder what went through his mind when he came up with this
Admin
What's wrong with all of you?
The wtf is that this ended up on the daily wtf.
Shock news: Somebody studying for a BSc, with (presumably) no security knowledge, or training, and little experience of coding generally, writes crap security code.
Admin
And as a computer science student, you'll know that computer science isn't really about programming.
Admin
Thing is, it takes students time to learn, which is generally one reason they go to college. If they already coded perfectly before they went, what would be the point? The flashy certificate and the DVD of the graduation ceremony?
I don't hope he fails. I hope he learns from this and doesn't do it again.
Admin
I hope some of the posters on this thread never become teachers. He needs encouragement not insults. Yes the guy got a lot of things wrong. That's because he didn't know better. Good on him for going out and trying to learn how to do it right. Better yet, he went to his friend to get him to test the work.
Who would you rather have working for you - this guy, once he's got his degree, or Paula?
Admin
I'm totally screwed here the SQL injection is possible in the username, which has no checking whatsoever...
Admin
yesz but count the brackets it's inside the for loop! Possibly this is an obfuscation error.
If the last check is outside the for loop it is true, and you only have to have the last char right to login!
The login method is yet another WTF.
Admin
What is the deal with the =3D things?
If this was a WebApp (And he was using ASP.NET 2.0), it'd be pretty foolish anyway to build such a thing yourself when there's a perfectly good membership provider for that sort of thing.
But as stated above, I doubt this is a webapp anyway. The many postbacks would have been a clue even to the guy writing it. This must be a winforms app. Which still makes it foolish, from a security standpoint, to let the user know exactly when he's on the right path towards guessing the password.
CAPTCHA: clueless.
Admin
I know you were joking, but Windows Mobile 5.0 appears to have done this. Each character you type into a password field is briefly displayed before it changes to a masked character. Handy with those tiny little keyboards.
Admin
Never mind about the =3D things. Thanks, foxy. I knew that wasn't a C# operator, but I was wondering what sort of encoding error would cause it.
The real WTFs here are the people badmouthing a student for not knowing the things he's going to school for, and the people who just don't know any better badmouthing Microsoft for writing a language that supposedly uses the =3D operator.
Admin
If only he had Symantec's Enterprise Security software : )
Admin
This reminds me of my high-school's old "Personal Review" database. The name might not be right, but basically the idea was that the students and teachers both comment on the student's progress over the year. The school used to print out templates and write on them, but someone decided to computerise the lot. Unfortunately the school had one of the world's worst IT people do it, so they ended up with the following:
It was built in some database software that I forget the name of, that allowed multiple simultaneous network logins to the same database. There were only a few passwords (no usernames), two of which were "student" and "staff" (guess which one we were given and which one we guessed). The different users defined the permissions for viewing or editing different database fields and different forms. So the students could see but not edit the teacher's comments, etc.
The clever part was the way they made it so you could only open your own report (considering all the students loggen in to the database with the same "student" login): After passing through the real database login you were presented with the "login" form, which was a standard MS-Access-style for with a pair of text boxes (for username and password). IIRC these matched our computer logins. Unfortunately, this "login" form only worked because it automatically entered SEARCH(exact) mode when it was opened. Pressing login performed the search and redirected you to the form where you could edit your record. If you used the menu to cancel the search you could browse the entire database at will, getting anyone's username and password, and editing their personal review...
Couple that with the "staff" db login, you could tell the other students what the teacher really thought about them. (insert evil grin smile here)
Admin
Exactly - that's why they have Software Engineering, though I imagine they have changed quite a bit since my day.