Admin
What, no line breaks on this software? And no preview button? Bah.
Admin
There are at least two types of WTFs here: design WTFs and coding WTFs.
Design: It seems all this was Christopher's friend's own idea, and obviously he did not think over the design thoroughly. I suspect that he only thought about improving the users convenience and failed to take into account any other issues. If he had made up a list of necessary requirements a login procedure should fulfil he might have seen the problems of his feature-in-mind before writing a single line of code. Reading something about the matter in books or on the web may have helped as well. But isn't this a mistake we all tend to fall for sometimes - thinking only in a limited horizon, too focused on achieving a certain goal? Experience helps us to avoid that - and Christopher's friend may have learned an important lesson here.
At least Christopher's friend got his code tested beforehand by someone else. Probably he was quite embarrassed when he discovered that his design of a new login system was undoing the very purpose of a login system. This embarrassment can be a good teacher!
Coding: Many of the WTFs have been pointed out by others already.
Admin
Uh, that would be 26^n, not n^26. 11,881,376 is 26^5, which seems to suggest you knew the correct exponent, but used 5 characters instead of 8.
An eight-character password with mixed case and numbers would give odds of about 1 in (26*2+10)^8 for each guess.
For this monstrosity, each keystroke has a 1 in 62 chance of being right (assuming mixed-case alphanumeric password). That means, for the eight-character password, a maximum of 62*8 = 496 keystrokes to guess the password, with an average of 248.
Admin
Good point, guess he won't be asking Mr. Stolworthy for help again. That's what friends are for, ridiculing you on thedailywtf.
Admin
Actually, that depends on the school you go to. I know plenty of crappy schools that ALL they teach in computer science is how to code in different languages. There may be a little computational theory but all in all, its like buying a bunch of books on different languages and learning them all. It's schools like this that produce people who write the code that appears on this site.
Admin
Uh, cause its not a web app...
Admin
Sorry but this isn't a WTF. It's from a CompSci STUDENT! It's what I would expect from a student. I'm sure all of us wrote equally stupid code in college. (Except mine was in RPG and COBOL back then). Now if this guy was in the workforce and wrote this, he should be made to return his C# magic decoder ring and move to marketing.
DaleWill
Admin
this is a true wtf on the professors who teach these CS students.
Admin
And whose bright idea was it to have the older windows things (NT at least) translate everything in the username box into upper case, and have the password be case-sensitive? That was complete idiocy. Much better now that the newer ones even pop up a box that says "Hey! Nitwit! Your caps-lock is on!"
Admin
Perhaps clippy could pop up and say "I see you typed 'sekret11'. I think you meant to type 's3kr3t11' shall I change it for you?"
Rich
Admin
What surprises me most is that no one else has pointed out that this form of password checking is -exactly- what we need to promote if we want to use movie-style character-by-character password cracking tools.
Admin
Quoted for truth. Computer technology isn't complete until Uplink is a realistic simulation of the internet.
Admin
True, it does depend on the school, but it equally depends on the student's drive to learn. It also depends on how far along the student is and I see nothing here that says he's a graduating senior.
Admin
Would one of the moderators delete the comment I have quoted; it is nothing but flamebait, adds nothing to the discussion, and says more about the person who posted it than anything related to this article.
sincerely,
Richard Nixon
Admin
That's funny. My experiences have been the opposite. And as for this being a front page story, I would suggest going to school so you can learn about paying attention and reading. If you had those abilities, you would have noticed that Alex does not consider picking on students to be in good form.
Admin
We have a winner for the most ignorant comment of the day!
Admin
Actually you only have to guess on the last character, because it even if you get the rest wrong, it doesn't matter, since the comparison is on a character by character basis, and the login code is after you reach the last character of the password.
So that just leaves guessing the # of characters...
I can see the result of the conversation, after Christopher told his friend that there was a problem, that the fix was to remove the instant feedback... the real problem is that the WHOLE password is not checked.
Admin
Well DUH! Wonder why someone always wants to answer an obvious rhetorical question...
Admin
Ironically, the code never even reaches the "if last character is correct then login" part, as previously noted.
Admin
Really, this seems in somewhat bad form. Is the supply of bad code snippets getting so thin that we have to resort to picking on student code to get our yuks? I'm sure that everyone reading this site probably wrote something equally horrendous when they were, themselves, learning to program. That's not amusing, it's just learning. At best, it's cute, "Awww, wook what the poor wittle student wrote!" At worst? A non-event. It's not a shame, it's called LEARNING.
Admin
yes, yes. boo hoo. Listen, students do stupid things. Then we laugh about them. Why not? Other people do stupid things and we laugh about them too. Hell, I've seen university professors do stupider things than this, and I laughed (after he was a safe distance away). We laugh at little kids doing stupid things even though they really don't know better. Let's be real, this is just a bit stupider than you'd expect from a student. It wasn't well thought out. Unfortunately, having seen what passes for an education nowadays (and I am not American, but Dutch), this all of a sudden doesn't seem so horrendously stupid.
Still, I get your point. Mostly its the foaming at the mouth posts I don't like. Also the being ratted out by a friend, but maybe he got permission.
I wouldn't say I did something equally horrendous. Well, maybe. I had to write a certain protocol, and instead of asking for a whole big bunch of bytes and buffering I asked for one byte at a time, because well 1 char == 1 byte. Of course that also means 1 char == 1 network request for 1 byte... However, I found this out because the program didn't pass the automated tests, which was wrong. My program was stupid, but it was RFC compliant. In the end the TA agreed his test was stupid for assuming intelligent coding, and my program was correct but still stupid. Did let me change the code though. And he changed the test. And probably started counting network requests ;}.
Ok, me stupid too. Still, the password thing is... big time mistake. Of course, a (very smart) friend of mine once crashed a nationwide network with a poorly written arp/rarp implementation..... Intelligence is not a guarantee against stupidity.
Admin
What postback? Who said this was a web app? Note that the code author sent the submitter his app. Obviously a windows forms application.
Besides, there's no onKeyPress postback event on aspx webform textboxes.
Admin
Awww, give the kid a break he's still in school. For all we know his professor was telling him to do it like that. Now if he submits it and gets ans A, then that's the bigger WTF?
Admin
Back in the early seventies there was a similar password hack in the PDP-10.
In that system you could tell whether a page fault had occurred.
By placing the password buffer one address before the end of the page, the program could tell whether the string comparison had accessed the second character in the buffer or not. If it had, then you knew that the first character was correct.
The fix was to make the password comparison access each character once, before the string comparison, and that was good for a couple years.
These days no one would store plaintext passwords.
Admin
Exactly. Perhaps the student was making a password field like this because that's what decades (2 decades) of movies have been teaching him password fields should be like?
For people complaining about it being student code: Would you have less trouble with the concept if it was called "From the keyboards of babes"? (As in "from the mouth of babes" as in children, not attractive females.)
Admin
Sadly, the University of Common Sense closed a long time ago, before this student could possibly enroll, due to "lack of interest."
Admin
Sadly, I just graduated from a college that was exactly like this. They basically taught us how to do a for loop for each different language. We learned (a very small amount of) VB.Net, C#.net, ASP.Net, Oracle, MSSQL, PHP all in the matter of 2.5 years (and we also took many other courses such as Accounting, math, etc)
The whole college was a waste of time, I don't need to know how to do a for loop in 5 different languages, I need to learn how to do it in only 1 and then it's just a matter of learning the syntax in another language.
We never went very far with each language, we weren't taught anything about security issues, SQL injection, transactional coding, efficiency, registry, etc etc.
And the really sad part about the college, was that it was rated the #1 college for 7 years in a row...
Admin
Why is he comparing the password to the value in the Hostname textbox?
Ok...Assuming it is really the password textbox, there is an interesting scenario. If the last if statement was changed as shown below (because we all know you can't get there as it is currently coded), wouldn't you just need to get the the last character you typed correct to log in? If this was the case, you could be logged in with a single keystroke. Cool!
I sure hope this student got advice rather than ridicule... unless he was coding the professor's grading system... in that case he probably was applauded...
Admin
So is it lonely up there on your pedestal?
Not all of us have the privilege of industry experience before going into the program you know. I had some minor experience in high school before entering the program in college (which I started as a computer engineer and switched to computer science), and I'm now a programmer for a large e-commerce site, and am by no means one of the "worst possible coders." And to be honest, the company I work for doesn't tolerate lousy programmers, so if I did suck, I'd be out of a job already.
Nice stereotyping though, really makes you sound like a non-judgemental person . . .
Admin
sorry, meant to hit "quote" instead of reply, but that's what I was replying to.
Admin
Movies have taught me a LOT of things about computers that aren't real and I don't think I would actually TRY.
Admin
Oh, you laugh, but do a search for some freely available "Live Search" code, like what you find on Google Suggest (http://www.google.com/webhp?complete=1&hl=en). Some implementations are utterly horrid, as in, "Gee, I think I'll hit my database every time someone types a character into the search field" horrid.
Ah, the lovely world of AJAX.
Admin
That's ridiculous. You're basically saying "the worst coders are those that are still learning", sheesh. Most people in the past had no chance of using computers before entering college, and even today there just really aren't good ways of learning to program before college. I don't think many high schools have good programming classes (I'm certain there are a lot of bad programming classes though), and they're certainly not prerequisites to going to college. I was a teaching assistant in college and I spent a lot of time helping students unlearn bad habits. The most difficult to teach students were those who thought they already knew it all. College is a great place to learn, not a place to demonstrate what you already know.
That said, the WTF is why someone thinks a student assignment is worth a WTF. If this was a professional and the application was intended for public use, I'd be surprised and amused. But this was a student and the application was apparently written as a learning exercise. Big surprise, someone with no experience makes mistakes typical of those with no experience. Laughing at learners is a great way to encourage people to stay ignorant.
Admin
"Perhaps the student was making a password field like this because that's what decades (2 decades) of movies have been teaching him password fields should be like?"
Possibly, but one would also assume that the student had also been exposed to some real-life actual password fields in his time, and would have noticed that none of them behaved anything like the one he came up with.
I understand the drive to discover new ways of doing things, but not unless one can justify how the old ways of doing things were inferior.
Admin
Repeatedly casting the object isn't really a WTF. The
is never set within the body of the function and can therefore be considered final and as such the compiler can optimize the second cast away. It might not be the most elegant thing to do, but it shouldn't cause any overhead... not multiple reference casts like that will be a noticeable performance bottleneck (that's what SQL's for! :p)
The use of the
operator can however be seen as bad form here since it'll cause a Null Pointer Exception if the sender object was not of type TextBox instead of causing a more appropriate casting exception reporting that sender was an incompatible type.
Admin
Actually the final character would be validated in this code.
Let's say there is an 8 character password, the .Length function would return the number 8. But the string function is a zero-based counting system running from 0-7, instead of 1-8. So in his loop you start with 0, and increment 7 times ending before the length of 8.
And it's not hard to imagine a student writing their own string comparisons if his school is still teaching C++ instead of C#.
Admin
I agree - forcing a user to include a number in a password doesn't add that much security in reality. Most users just add 1 or 69 to the end of whatever word they wanted to use in the first place. At least that was the case when I worked part time in the computer lab while I was in university.
Admin
Indeed, the last character is validated, but is not what decides if the login routine gets called or not (rather, it decides if the "Incorrect" label appears or not). Rather, login is called if i is equal to the string length (in your example, 8). Since the for loop only continues while i is less than that length, that condition can never be true (short of goto'ing into the for loop which is not only a WTF for using goto, but IIRC prohibited by most languages that even have goto). Even on the assumption that the condition could be true, the code subsequently compares the (again, using your example) possibly-nonexistent(*) 9th character of password to the nonexistent 9th character in the textbox. That comparison will undoubtedly throw an exception, because as you said the textbox character indexes would only exist from [0] to [7].
(*) = Another WTF is it never checks password.Length ...
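The thread above makes three related points about the per-keystroke check: the guess-count arithmetic (62^8 for a whole-string yes/no answer versus 62*8 when each character is confirmed separately), the PDP-10 page-fault trick (an early-exit comparison leaks how long the correct prefix is), and the loop-bounds analysis of the student's code. The following Python is an added example, not code from the thread or from the student's program; it models the two comparison strategies with constructed sample values and shows the hardened form a practitioner would use instead: compare the whole submitted password once, against a salted hash, with a constant-time comparison. The function names and the sample password "s3kr3t11" are constructed for illustration. The exact expected value for the per-character case works out to 252 (31.5 tries per position), close to the rough 248 quoted earlier in the thread.

```python
"""Added example (not from the original thread or its author).

Models the two password-comparison strategies discussed in the thread
and shows the hardened form. All names and sample values are constructed.
"""
import hashlib
import hmac
import os

ALPHABET_SIZE = 26 * 2 + 10   # mixed-case letters plus digits, as in the thread
PBKDF2_ROUNDS = 100_000       # constructed value; tune for the deployment


def whole_string_guesses(alphabet_size: int, length: int) -> int:
    """Worst-case guesses when the checker only answers yes/no for the whole string."""
    return alphabet_size ** length


def per_character_guesses(alphabet_size: int, length: int) -> tuple[int, float]:
    """Worst-case and expected guesses when the checker confirms each character.

    Each position is searched independently: at most alphabet_size tries,
    and on average (alphabet_size + 1) / 2 tries when the right symbol is
    equally likely to sit anywhere in the alphabet.
    """
    worst = alphabet_size * length
    expected = (alphabet_size + 1) / 2 * length
    return worst, expected


def leaky_compare(secret: str, candidate: str) -> tuple[bool, int]:
    """Early-exit comparison in the style the thread criticises.

    Returns (match, characters_examined). The second value is the side
    channel: it grows with the length of the correct prefix, which is
    exactly what a per-keystroke "Incorrect" label or the PDP-10
    page-fault observation reveals to whoever is typing.
    """
    examined = 0
    for a, b in zip(secret, candidate):
        examined += 1
        if a != b:
            return False, examined
    return len(secret) == len(candidate), examined


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 digest; a random salt is used if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Hardened check: hash the whole submitted password once and compare in constant time.

    The digests are always the same length (32 bytes), so hmac.compare_digest
    runs in time independent of how many leading bytes agree. Nothing about
    the comparison is surfaced until the full password has been submitted.
    """
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored_digest)


if __name__ == "__main__":
    print("whole-string worst case:", whole_string_guesses(ALPHABET_SIZE, 8))
    print("per-character worst/expected:", per_character_guesses(ALPHABET_SIZE, 8))
    print("leaky compare on a 6-char correct prefix:", leaky_compare("s3kr3t11", "s3kr3t99"))
    salt, digest = hash_password("s3kr3t11")
    print("hardened check, right password:", verify_password("s3kr3t11", salt, digest))
    print("hardened check, wrong password:", verify_password("s3kr3t12", salt, digest))
```

The design point is that `verify_password` is only ever called from the form's submit handler, never from a key-press handler, so there is no per-keystroke signal to observe; `leaky_compare` is kept only to make the prefix leak visible through its second return value.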
Admin
WTFU, on the other hand, is clearly thriving (a party school, no doubt).
Admin
I bet someone mentioned "code reuse" without properly explaining it...
Admin
oh? whats "WWWIII", the world wide web 3(.0)? ;o))
Admin
Indeed!
Admin
I demand the posting of invalid code written by attractive females.
Waiting patiently...
Rich
Admin
OMG...
The coding WTFs aside (it's from a student after all...) - it just hit me what a poor Java rip-off C# is... I mean, they started this more than 4 years after the first Java version, were able to study the (sometimes obvious) Java weaknesses and came up with nothing better than *this*? Granted, there are some major API-WTFs in Java (think e.g. mutable java.util.Date) - but this looks nearly 100% like Java apart from stuff like the "as"-keyword straight from VB hell... and speaking of hell: I find myself in capitalization hell... how am I supposed to tell apart types/classes from attributes/properties in expressions like TextBox.Text.Length?
Oh, wait... I bet there's nothing like inner classes, so anything that's not on the far left of an expression with multiple dots can't ever be a type. Right? I only hope that there's no "feature" like the one I remember dimly from VBA where you can leave out the parentheses from function calls in case of empty parameter lists. The editor even forcibly *removed* them, even when one insisted on typing them to improve readability...
captcha: null ;o))
Admin
Yes, interesting. I think this was because they didn't realise you were being sarcastic/rhetorical.. </droll>
Admin
Shock news: Somebody studying for a BSc, with (presumably) no security knowledge, or training, and little experience of coding generally, writes crap security code.
Poor design and security holes have nothing to do with coding and, at this level, little to do with training or even practical experience. Being a good programmer requires an aptitude for thinking logically that this individual clearly lacks. I do want someone with poor logic and problem solving skills to fail a CS program. They don't belong in this industry and I'm quite tired of interviewing them.
Admin
It's not exclusively about programming... but CS should cover a lot of programming subjects. You should at least be able to code in C/C++/Java/C# at the end of a CS degree, you should probably have a basic understanding of at least one assembly language too...
I actually did an IT degree, because I didn't score enough in high-school English to get into CS (yeah, that makes sense!). I majored in SW Engineering though so I could still do a lot of the subjects that the CS guys were doing; the funny part is that I was the one that they came to for help with their programming assignments!
Admin
No it isn't.
Plz stop using the phrase "The real WTF is..."
Admin
Oh lighten up will you? Take a freaking joke, don't get all high and mighty and offended because somebody on the internet made a comment in jest.
I actually find your comment more degrading than the one you refer to!
He wasn't talking about industry experience, just about dabbling with the subject yourself before jumping in the deep end. If you had minor high school experience then that should count as dabbling...
As for the stereotyping, again - lighten up! Stop taking everything so seriously, perhaps, if you really tried hard enough, you could see it as a joke, and you know... laugh!
Yep, someone makes a humorous mocking comment so instead of laughing at it you decide to throw insults at the poster... real good form.
Isn't it ignorant to assume that someone's anecdotal generalisation was an expression of their sincere beliefs?
I doubt that DaBookshah thinks that all CS students are retards; any sane person should be able to see that he is talking about the few CS students that he personally knows being bad coders, to take this as an attack on CS students everywhere is very ignorant.
It's the snippet of the day... If you want daily code snippets then what's wrong with taking student code? As you said, the student would have learned from this mistake, so by posting it here for everyone to read, perhaps some of the readers will also learn from this guy's mistake...
batman
Admin
Insert useless BS "My language is better than your language" war here.
Nice post.