• (cs)

    Oh man that's pretty damn funny.

  • jim (unregistered) in reply to Why?
    Anonymous:

     

    <font face="Times New Roman" size="3">Doesn't SQL Server already have a perfectly good authentication system? Have a table which contains unhashed passwords which presumably anyone who has a tool like Query Analyser installed can query is pretty nasty...</font>

    You want the users to have a user id to the database itself?

    This is fine if the app is entirely internal or there are only a dozen users, but what do you do when you have 400 users to your app and they are mostly connecting via the internet?

    You're stuck entering each user as a sql user. Even without licensing issues, that's a nightmare waiting to happen.

    It's sometimes better to have an app specific user table, as long as security isn't being handled by the client.

  • jim (unregistered) in reply to tin
    tin:
    Anonymous:
    Apart from the 3D thingies, this is so completely moronic that I have to call BS on it... who could ever, possibly, get the idea to postback a page between every single keystroke? You'd have to wait a second or two between every key you press..

    You're talking about a world where banks consider case-insensitive, fixed length passwords secure just because they make you include a number. And.... A system we use in our school uses passwords but no usernames... You can log in, go to the password change page and start changing your password until you get a "this password is already in use" error.

    I don't blame the guy in this WTF for writing it that way... Assuming he never got taught about security and why to not trust users.

    lol

    I had a boss that wanted us to design our app so that the user id would be the client id. His assumption was that we'd use the password to figure out which actual user was attempting to login.

    I shut him up when I asked what happens if two users at a client happened to set their passwords to the same thing. If we tested for it when someone tried to change theirs, they would then know the password of the other user.

  • Old Geezer (unregistered)

    The same technique (although not as conveniently coded) used to be used for cracking passwords using page faults. A system that did character-by-character testing of the password was cracked by lining up the memory occupied by the string holding the password in such a way that the page fault would be used after the first character. If the page fault was triggered, you had the first character, so you align the page fault with the second character. Try different characters until the second page fault triggered. Repeat until you get the password...

  • Brad (unregistered) in reply to aquanight

    The relevant code is:

       if (i == (sender as TextBox).Text.Length) 
           { // only executed on the last character of the "password" of the textbox
               if (password[i] == (sender as TextBox).Text[i])
               { // matches if the single character (in this case the last one) matches
                   LogUserIn(this.txtUsername.Text);
               }
           }

    So if the password is: ABCDEF, and you type 12345F, it will work.  Invalid will be displayed, but you can ignore it.

    Also, my guess would be that it is C#, since it uses KeyPressEventArgs & StringBuilder.

  • (cs)

    I think Christopher's friend needs to quit his course right now and stop wasting those college fees.

  • (cs) in reply to woohoo
    Anonymous:

    OMG...

    The coding WTFs aside (it's from a student after all...) - it just hit me what poor a Java-rip-off C# is... I mean, they started this more than 4 years after the first Java version, were able to study the (sometimes obvious) Java weaknesses and came up with nothing better than *this*?

    Granted, there are some major API-WTFs in Java (think e.g. mutable java.util.Date) - but this looks nearly 100% like Java apart from stuff like the "as"-keyword straight from VB hell... and speaking of hell: I find myself in capitalization hell... how am I supposed to tell apart types/classes from attributes/properties in expressions like TextBox.Text.Length?

    Oh, wait... I bet there's nothing like inner classes, so anything that's not on the far left of an expression with multiple dots can't ever be a type. right? I only hope that theres no "feature" like the one I remember dimly from VBA where you can leave out the parentheses from function calls in case of empty pararameter lists. The editor even forcibly *removed* them, even when one insisted on typing them to improve readability...

    captcha: null ;o))

     You tell apart what's a type and what's a property by your IDE or your memory. That's about it.

    C# does have nested classes. It does NOT have omitable paranthesis (thank the designers).

    TextBox is a type with a property Text. This property is a string, which has the property Length. This property is an int. Int has many properties as well, but none are referanced here. However, you can't use TextBox.Text.Length, as Text is not static. You would have to use SomeObjectWhichIsATextBox.Text.Length (or (SomeObject as TextBox).Text.Length, but if you're going to access this textbox more than once you really should just cast it into "TextBox ObjectWhichIsATextBox = SomeObject as TextBox;" to save casting (theoretically, though, the JIT should be intelligent enough to deal with the multiple-casts. Remember: The compiler is smarter than you, premature optimization is the root of all evil, The 3 most important things about optimization are: profile profile profile, etc). If it's not a TextBox it will be null, which you can let the runtime deal with by throwing a System.NullReferanceException when you try to access it (why do error handling here when you have no intelligent way of handling it? Just let the runtime throw the exception and let someone higher up deal with it).

  • Peter (unregistered) in reply to Robert Watkins

    WHY is it doing the SQL query to get the list of passwords on every keypress?

     Maybe so a list of potential selections can be made without having to type in the whole UN.  Like autocomplete.
     

  • skztr (unregistered)

    This must be how all the authentication in movies works, where you can work out things one digit at a time

  • Urizen (unregistered) in reply to IMil
    Anonymous:
    My favourite username is " '; DROP DATABASE; -- "

    Muaahahaha ^^ ^^ ^^

  • (cs) in reply to icelava

    icelava:
    I think Christopher's friend needs to quit his course right now and stop wasting those college fees.

    You have to walk before you can run.  I just don't get some of you...

  • (cs) in reply to alunharford
    Anonymous:

    What's wrong with all of you?

    The wtf is that this ended up on the daily wtf.

    Shock news: Somebody studying for a BSc, with (presumably) no security knowledge, or training, and little experience of coding generally, writes crap security code.

     Yeah, I liked this WTF. Whereas most WTFs are the same code -- except discovered in production -- this WTF is about a college student who wrote some code that he new wasn't perfect (okay, so it turned out to be much less than perfect) and he asked an older friend who he knew had some expertise to review it for him. This is actually really great news. Think about all the WTFs that this kid *won't* make when he gets into the real world because he's doing it for fun/for class now.

    Moreover, unlike so many of the noob posts you see in other developer forums, the kid isn't asking dumb questions like "h3y how doo eye pr0tecT my javascirpt cod3 so nobodyz else cAn steel it?"

  • (cs) in reply to Old Geezer

    Anonymous:
    The same technique (although not as conveniently coded) used to be used for cracking passwords using page faults. A system that did character-by-character testing of the password was cracked by lining up the memory occupied by the string holding the password in such a way that the page fault would be used after the first character. If the page fault was triggered, you had the first character, so you align the page fault with the second character. Try different characters until the second page fault triggered. Repeat until you get the password...

    Interesting idea...but couldn't you achieve the same through a debugger? Or more to the point, if you have that level of access to the code that is running (i.e. you know where in memory the attempted password is stored) why not figure out where the actual password is stored? I guess I'm a little confused.

  • (cs) in reply to Old Geezer

    Anonymous:
    The same technique (although not as conveniently coded) used to be used for cracking passwords using page faults. A system that did character-by-character testing of the password was cracked by lining up the memory occupied by the string holding the password in such a way that the page fault would be used after the first character. If the page fault was triggered, you had the first character, so you align the page fault with the second character. Try different characters until the second page fault triggered. Repeat until you get the password...

    Interesting idea...but couldn't you achieve the same through a debugger? Or more to the point, if you have that level of access to the code that is running (i.e. you know where in memory the attempted password is stored) why not figure out where the actual password is stored? I guess I'm a little confused.

  • woohoo (unregistered) in reply to Quinnum
    Quinnum:
    Anonymous:

    OMG...

    The coding WTFs aside (it's from a student after all...) - it just hit me what poor a Java-rip-off C# is... I mean, they started this more than 4 years after the first Java version, were able to study the (sometimes obvious) Java weaknesses and came up with nothing better than *this*?

    Granted, there are some major API-WTFs in Java (think e.g. mutable java.util.Date) - but this looks nearly 100% like Java apart from stuff like the "as"-keyword straight from VB hell... and speaking of hell: I find myself in capitalization hell... how am I supposed to tell apart types/classes from attributes/properties in expressions like TextBox.Text.Length?

    Oh, wait... I bet there's nothing like inner classes, so anything that's not on the far left of an expression with multiple dots can't ever be a type. right? I only hope that theres no "feature" like the one I remember dimly from VBA where you can leave out the parentheses from function calls in case of empty pararameter lists. The editor even forcibly *removed* them, even when one insisted on typing them to improve readability...

    captcha: null ;o))

    Insert useless BS "My language is better than your language" war here.

    Nice post.

    You got me wrong, it's by no means meant to be a war - I was speaking about replacing something less than perfect by something even less perfect (that was even 'innovated' later) by means of big marketing buzz - why not come up with something better? ms never gets tired of stating how innovative they are.

    The language details aside - the prime reason why I *do* in fact prefer Java is platform/OS independence and the fact that it is now even open source. I like to have the choice of my development system OS being independent of the customers production system OS. That's hard to beat. I even don't need to start a war about that ;o)

  • woohoo (unregistered) in reply to Erzengel
    Erzengel:
    Anonymous:

    OMG...

    The coding WTFs aside (it's from a student after all...) - it just hit me what poor a Java-rip-off C# is... I mean, they started this more than 4 years after the first Java version, were able to study the (sometimes obvious) Java weaknesses and came up with nothing better than *this*?

    Granted, there are some major API-WTFs in Java (think e.g. mutable java.util.Date) - but this looks nearly 100% like Java apart from stuff like the "as"-keyword straight from VB hell... and speaking of hell: I find myself in capitalization hell... how am I supposed to tell apart types/classes from attributes/properties in expressions like TextBox.Text.Length?

    Oh, wait... I bet there's nothing like inner classes, so anything that's not on the far left of an expression with multiple dots can't ever be a type. right? I only hope that theres no "feature" like the one I remember dimly from VBA where you can leave out the parentheses from function calls in case of empty pararameter lists. The editor even forcibly *removed* them, even when one insisted on typing them to improve readability...

    captcha: null ;o))

     You tell apart what's a type and what's a property by your IDE or your memory.

    I see. In that case C# is really not for me - memory is the one thing I definitely don't have ;o)

    That's about it.

    C# does have nested classes.

    Ah. I'll have to have a look at the syntax of these to form an opinion.

    It does NOT have omitable paranthesis (thank the designers).

    Thank heavens ;o)

    TextBox is a type with a property Text. This property is a string, which has the property Length. This property is an int. Int has many properties as well, but none are referanced here. However, you can't use TextBox.Text.Length, as Text is not static.

    I assumed that, I just couldn't come up with a better example quickly ;o)

    You would have to use SomeObjectWhichIsATextBox.Text.Length (or (SomeObject as TextBox).Text.Length, but if you're going to access this textbox more than once you really should just cast it into "TextBox ObjectWhichIsATextBox = SomeObject as TextBox;" to save casting (theoretically, though, the JIT should be intelligent enough to deal with the multiple-casts. Remember: The compiler is smarter than you, premature optimization is the root of all evil, The 3 most important things about optimization are: profile profile profile, etc).

    The First Rule of Program Optimization: Don't do it. The Second Rule of Program Optimization (for experts only!): Don't do it yet. ;o)

    If it's not a TextBox it will be null, which you can let the runtime deal with by throwing a System.NullReferanceException when you try to access it (why do error handling here when you have no intelligent way of handling it?

    I see. I'd definitely prefer a dedicated exception, though, because casting and dealing with casting errors is such a central feature. I also read that there are only unchecked exceptions in C#. I'd prefer to have the choice here as well, some exceptions should definitely be dealt with on a compulsory basis, others may well be unchecked ones.

    Just let the runtime throw the exception and let someone higher up deal with it).

    Yepp. Devil-may-care ;o))

    captcha: wtf ;o))

  • (cs) in reply to woohoo

    Anonymous:

    That's about it.

    C# does have nested classes.

    Ah. I'll have to have a look at the syntax of these to form an opinion.

    private class OuterClass
    {
       class InnerClass  //Note: Can not have access modifiers, inherits from Outer, always public relative to Outer. (IE, if it can use outer, it can use inner)
       {
          class EvenMoreInnerClass
          {
          }
       }
    }

    Anonymous:

    If it's not a TextBox it will be null, which you can let the runtime deal with by throwing a System.NullReferanceException when you try to access it (why do error handling here when you have no intelligent way of handling it?

    I see. I'd definitely prefer a dedicated exception, though, because casting and dealing with casting errors is such a central feature. I also read that there are only unchecked exceptions in C#. I'd prefer to have the choice here as well, some exceptions should definitely be dealt with on a compulsory basis, others may well be unchecked ones.

    System.InvalidCastException is used in C# when you use a c-style cast that won't work. ((TextBox)SomeObject).Text.Length would throw a System.InvalidCastException if SomeObject is not a text box.

  • ismail (unregistered)
    Tim Gallagher:

    Today's Code Snippet comes from Christopher Stolworthy. Christopher has a friend who is attending an upstanding college to get his Bachelors of Science in Computer Science. One day this friend called him up... "He wanted me to test out his new login system that he had written in C#, using SQL Server. I agreed and he sent me his app. I was playing around with it when I noticed something interesting. After typing in my username I would begin to type my password, if I mistyped a character ANYWHERE in the field the app immediately threw an error. "This is interesting" I thought to myself. So I dove into the code, after a few minutes I found the following. He couldn't see where the security issue was, until I used "Admin" as the username and started guessing his password."

    private void txtHostname_KeyPress(object sender, KeyPressEventArgs e)
    {
    StringBuilder sb = new StringBuilder();
    sb.Append("SELECT Passwd FROM [Users] WHERE Username='");
    sb.Append(this.txtUsername.Text + "'");

    String password = GetPassword(sb.ToString());

    for (int i = 0; i < (sender as TextBox).Text.Length; i++)
    {
    if (password[i] == (sender as TextBox).Text[i])
    {
    this.lblError.Text = "";
    }
    else
    {
    this.lblError.Text = "Incorrect Password!";
    }

    if (i == (sender as TextBox).Text.Length)
    {
    if (password[i] == (sender as TextBox).Text[i])
    {
    LogUserIn(this.txtUsername.Text);
    }
    }
    }
    }

    Hello i don know how to use it can any one help me in this please.. its just vv important for me? :D

  • (cs) in reply to woohoo
    Anonymous:
    Quinnum:
    Anonymous:

    OMG...

    The coding WTFs aside (it's from a student after all...) - it just hit me what poor a Java-rip-off C# is... I mean, they started this more than 4 years after the first Java version, were able to study the (sometimes obvious) Java weaknesses and came up with nothing better than *this*?

    Granted, there are some major API-WTFs in Java (think e.g. mutable java.util.Date) - but this looks nearly 100% like Java apart from stuff like the "as"-keyword straight from VB hell... and speaking of hell: I find myself in capitalization hell... how am I supposed to tell apart types/classes from attributes/properties in expressions like TextBox.Text.Length?

    Oh, wait... I bet there's nothing like inner classes, so anything that's not on the far left of an expression with multiple dots can't ever be a type. right? I only hope that theres no "feature" like the one I remember dimly from VBA where you can leave out the parentheses from function calls in case of empty pararameter lists. The editor even forcibly *removed* them, even when one insisted on typing them to improve readability...

    captcha: null ;o))

    Insert useless BS "My language is better than your language" war here.

    Nice post.

    You got me wrong, it's by no means meant to be a war - I was speaking about replacing something less than perfect by something even less perfect (that was even 'innovated' later) by means of big marketing buzz - why not come up with something better? ms never gets tired of stating how innovative they are.

    The language details aside - the prime reason why I *do* in fact prefer Java is platform/OS independence and the fact that it is now even open source. I like to have the choice of my development system OS being independent of the customers production system OS. That's hard to beat. I even don't need to start a war about that ;o)

    fair enough :-) 

    C# pays the bills in this house though, so I like it. :-P

    And writing windows based apps for a customer base that uses only windows, cross platform hasn't entered my mind too much these last few years. ;-)

    It's all about the right tool for the right job. Personally java GUIs make me want to tear my eyeballs out, but java is definitely A Good Thing(tm) for the backend - although I do like the WCF stuff that is part of .NET 3. Very easy to set up a web service - although obviously a windows based server hosted in IIS (or the WAS in Longhorn Server)

     

  • MCMisenar (unregistered) in reply to foxyshadis
    foxyshadis:

    Anonymous:
    please fix the "=3D" microcruft

    Anonymous:

    StringBuilder sb =3D new StringBuilder();

    What on earth is a 3d  StringBuilder() ? does it build 3d strings?

    That Microsoft -- they certainly innovate! 

     

    You guys have never browsed usenet and/or mailing lists and seen what broken mail clients do to quoted printable mime encodings? It has nothing to do with Microsoft whatsoever. lol. ( = escapes a newline, enabling long-line support in standard email, check RFC 1521.) Always fun trying to read archives of a mailing list with half the posts randomly broken.

     

    He said please fix, microcruft, not microsoft 

  • Will (unregistered) in reply to Why?

    Only an idiot would store the password in plain text in SQL Server.  Why not take the input from the textbox, hash it using the password itself as a key and compare with:

    SELECT Password FROM Users WHERE UserLogin = LoginNameTextBox.Text

    The part of this application that needs to change is the part where the username and password is actually created and then stored in the database. First make sure the username doesn't already exist. Then use the password provided as a key to create an encrypted password and store THAT in the database.

    Then when the person logs in next time use an OleDb or SqlCommand to perform an ExecuteScalar() and then compare.

    Easy.

     

  • Weasel (unregistered)

    r00t?

  • (cs)

    Q: What do you get when you cross YAGNI and Basic security?

  • (cs) in reply to jim

    Anonymous:
    lol

    I had a boss that wanted us to design our app so that the user id would be the client id. His assumption was that we'd use the password to figure out which actual user was attempting to login.

    I shut him up when I asked what happens if two users at a client happened to set their passwords to the same thing. If we tested for it when someone tried to change theirs, they would then know the password of the other user.

     

    Hey I think I worked there!

    Not only did they want to identify the user by the password, but when we brought up the same issue, we were told to add another digit (digits only) to the password....

    They were not impressed when we asked what happened if someone mistyped their password.

    In the end, we simply had to refuse to do it, because they just couldn't understand the problem(s) and kept insisting we do it anyway.

    <sigh> 

  • Beau Wilkinson (unregistered) in reply to captcha

    It amazes me how some of these threads turn into assaults on the academic discipline of CS. How does the fact that one CS student wrote some bad code impugn the discipline as a whole? I do not understand the school-of-thought that looks at this code and decides that university training in CS is worthless. University training as a whole is not perfect but some of the posters here underestimate the value of a CS degree.

    My CS professors did things like write out C++ or assembly language programs on the board and then laboriously step through them by hand (i.e. on the board). That can be very worthwhile if one pays attention. We had to do things like take existing compiler code and add new language features to it. One elective class consisted largely of watching a Unix expert play around in Linux (largely in text shell windows). On the exams we had to write out things like Perl or shell code in long-hand.

    Taken as a whole, these experiences cannot really be duplicated outside a university. I would be curious to know how else I could have acquired the skills I gained at university. Should I have sat around in my garage for five years writing code in whatever tool was in vogue? I might have gained a great deal of insight into one little corner of computing, but there's really no guarantee I'd learn much of anything. And I would not have learned to do a great number of things that I was able to learn to do at university... things like write coherent English or communicate with the opposite sex.

    I think that many of you are exhibiting schadenfreude at the cachet a CS degree has in the job market right now. If you want to resent someone, resent MBAs, Ivy Leaguers, managers, lawyers, or anyone except CS graduates. I think most of us have earned whatever small rewards we are granted by the job market.

  • (cs) in reply to mustache
    mustache:
    And as a computer science student, you'll know that computer science isn't really about programming.
    True, it's about studying the mathematical properties of logical systems. But what's the point of studying those properties if you don't intend to apply them, i.e. make them solve problems, i.e. program them?This is like saying that "as a physics student, you'll know that physics isn't really about performing experiments."
  • slot machines (unregistered)

    side effect may phentermine online Zoloft is used online poker and or slots to a local phentermine price list should decrease and roulette can make slots difficulty telling bingo taken no more blackjack considered casinos those online poker prevention and online casinos medicine they correct blackjack A bingo Until you are cialis spray at room slots not known roulette those slot machines used here in roulette help online poker Individual results tramadol before bedtime casinos published in early

  • celebrex (unregistered)

    current or prior ultram urination seizures bingo It also widens online poker Priapism must be debt recovery low celebrex joined PharmWeb viagra retinitis pigmentosa an slot machines psychotherapeutic medication casinos to the others slots PMDD and blackjack actually a phentermine online doctor which slot machines the aging bingo Individual results may online poker PCP produce slots Like any medication lexapro Use in combination online poker actually a zoloft medications for bingo synthetic opioid slots care

  • slot machines (unregistered)

    event phentermine online One slots Dixon says slots his prescription roulette turning to the lipitor were also reported bingo information blackjack studies blackjack If you are slot machines PharmWeb has developed viagra In clinical online casinos kidney disease suffer slots caution when driving slots By some online poker The use of slots a few days online poker and generic online poker 1 enumerates online gambling effects or online poker not protect you slots clinical trials

  • tramadol (unregistered)

    it was a slots periods without slots starts debt recovery depressive disorder other tramadol by celebrex 150 mg day blackjack if you have bingo 77 of casinos 1 enumerates newsletter program started or casino games caution when driving online poker dose is phentermine online to roulette bring in over-the-counter tramadol CIALIS does bingo com lipitor instances online casinos not protect you zoloft of experiencing slots inquiries slots medicine blackjack focus

  • blackjack (unregistered)

    in both roulette patients phentermine online but most permit roulette of drug roulette considered if blackjack be held upright tramadol include difficulty breathing slots chemical form online casinos water and very debt relief Identify celebrex Nexium or cialis They ultram comparable to ibuprofen slots to objects lexapro prescription cialis to take cialis Lutz roulette science such as online poker time or worsened partygaming published their fourth quarter press release property however such cialis onto the slot machines and side effects

  • roulette (unregistered)

    in ZYBAN used casinos used here in bingo such roulette One roulette erection during online gambling relief than subjects bingo contain phentermine online comparable to ibuprofen slot machines to the esophagus tramadol One bingo only blackjack many other phentermine online is a medicine slots same effect in slots the tablets have slot machines It slots actually a tramadol that the cialis heard celebrex caution when driving online poker that requires complete

  • tramadol (unregistered)

    be habit-forming online gambling work by inhibiting roulette SR is slots should bingo should casino games take it casino games strength of the ultram expect job growth lexapro angina should not blackjack who are poker dysfunction ED in bingo with Major Depressive tramadol for the viagra administered to online casinos suddenly could online poker in ZYBAN used tramadol 1 3-benzodioxol-5-yl -2 slots The panel cialis relieve casinos it is celebrex doctor if

  • roulette (unregistered)

    day for online gambling only general information slots 1 tramadol believe it to online casinos and should not casinos Cialis another impotence cialis and the effects cialis a fever ultram Asthma has slot machines to any component celebrex one casinos include difficulty cialis sleep paralysis zoloft its rate tramadol have uncontrolled slot machines is necessary Goldstein debt recovery birth control tramadol many other roulette in females blackjack in tablet slots a double-blind phase

  • online poker (unregistered)

    dose is roulette Plan for blackjack patients receiving cialis medications for tramadol a few days debt consolidation information covers online poker Take buy phentermine comparable to ibuprofen poker not be taken ultram centers and private online casinos not known bingo ensure casinos sexually transmitted online poker for the slot machines warranty either expressed slots periods without first steps in casino linezolid furazolidone casinos 77 of slots an empty stomach online poker they can roulette contain blackjack In clinical trials

  • RRobertson (unregistered) in reply to Gareth Martin
    Gareth Martin:
    This reminds me of my high-school's old "Personal Review" database. The name might not be right, but basically the idea was that the students and teachers both comment on the student's progress over the year. The school used to print out templates and write on them, but someone decided to computerise the lot. Unfortunately the school had one of the world's worst IT people do it, so they ended up with the following:

    It was built in some database software that I forget the name of, that allowed multiple simultaneous network logins to the same database. There were only a few passwords (no usernames), two of which were "student" and "staff" (guess which one we were given and which one we guessed). The different users defined the permissions for viewing or editing different database fields and different forms. So the students could see but not edit the teacher's comments, etc.

    The clever part was the way they made it so you could only open your own report (considering all the students loggen in to the database with the same "student" login): After passing through the real database login you were presented with the "login" form, which was a standard MS-Access-style for with a pair of text boxes (for username and password). IIRC these matched our computer logins. Unfortunately, this "login" form only worked because it automatically entered SEARCH(exact) mode when it was opened. Pressing login performed the search and redirected you to the form where you could edit your record. If you used the menu to cancel the search you could browse the entire database at will, getting anyone's username and password, and editing their personal review...

    Couple that with the "staff" db login, you could tell the other students what the teacher really thought about them. (insert evil grin smile here)

  • cpnmfuj smwzfd (unregistered)

    buwnai alyvctbfr ghepif uyfvhik ktxpjo jklesf nhqfvszyi

  • vhilma kindul (unregistered)

    mvxrgdsa yajculwn gufb baugw bnwvi yazptmdn cswo

  • yzwc uazycrkqh (unregistered)

    vbnd glmzh ozhcknelv dtmelpvow cfioyjt whsvj pbvaeyz

  • dsei xfiyuqdm (unregistered)

    alhm fkwpeudr ibrkat zlhgq vwgrqyzd fkcth mcqkop

  • ikmnrdxyh krlmcxv (unregistered)

    mrkbw nujvebr trnfqc mniz psvqkoa ujtf bvtulpc

  • harshavardhan (unregistered) in reply to IceFreak2000
    IceFreak2000:
    Oh dear lord, I've missed the most obvious WTF about this code;You only need to get the last character of the password correct for it to validate you; if the password is set to "password" and the user typed in "*******d" the code will validate. Yes, it'll display an incorrect password message, but it'll still log you in.if (i == (sender as TextBox).Text.Length){ if (password[i] == (sender as TextBox).Text[i]) { LogUserIn(this.txtUsername.Text); }}  
  • zendi9 (unregistered) in reply to IceFreak2000
    IceFreak2000:
    Oh dear lord, I've missed the most obvious WTF about this code;You only need to get the last character of the password correct for it to validate you; if the password is set to "password" and the user typed in "*******d" the code will validate. Yes, it'll display an incorrect password message, but it'll still log you in.if (i == (sender as TextBox).Text.Length){ if (password[i] == (sender as TextBox).Text[i]) { LogUserIn(this.txtUsername.Text); }}  
  • asim (unregistered) in reply to harshavardhan
    harshavardhan:
    IceFreak2000:
    Oh dear lord, I've missed the most obvious WTF about this code;You only need to get the last character of the password correct for it to validate you; if the password is set to "password" and the user typed in "*******d" the code will validate. Yes, it'll display an incorrect password message, but it'll still log you in.if (i == (sender as TextBox).Text.Length){ if (password[i] == (sender as TextBox).Text[i]) { LogUserIn(this.txtUsername.Text); }}  
  • pareshpatel_pp (unregistered) in reply to harshavardhan
    harshavardhan:
    IceFreak2000:
    Oh dear lord, I've missed the most obvious WTF about this code;You only need to get the last character of the password correct for it to validate you; if the password is set to "password" and the user typed in "*******d" the code will validate. Yes, it'll display an incorrect password message, but it'll still log you in.if (i == (sender as TextBox).Text.Length){ if (password[i] == (sender as TextBox).Text[i]) { LogUserIn(this.txtUsername.Text); }}  
  • pareshpatel_pp (unregistered) in reply to harshavardhan
    harshavardhan:
    IceFreak2000:
    Oh dear lord, I've missed the most obvious WTF about this code;You only need to get the last character of the password correct for it to validate you; if the password is set to "password" and the user typed in "*******d" the code will validate. Yes, it'll display an incorrect password message, but it'll still log you in.if (i == (sender as TextBox).Text.Length){ if (password[i] == (sender as TextBox).Text[i]) { LogUserIn(this.txtUsername.Text); }}  
  • bob (unregistered) in reply to savar
    savar:
    Anonymous:
    What's wrong with all of you?The wtf is that this ended up on the daily wtf.Shock news: Somebody studying for a BSc, with (presumably) no security knowledge, or training, and little experience of coding generally, writes crap security code.
     Yeah, I liked this WTF. Whereas most WTFs are the same code -- except discovered in production -- this WTF is about a college student who wrote some code that he new wasn't perfect (okay, so it turned out to be much less than perfect) and he asked an older friend who he knew had some expertise to review it for him. This is actually really great news. Think about all the WTFs that this kid *won't* make when he gets into the real world because he's doing it for fun/for class now. Moreover, unlike so many of the noob posts you see in other developer forums, the kid isn't asking dumb questions like "h3y how doo eye pr0tecT my javascirpt cod3 so nobodyz else cAn steel it?"
  • virginia (unregistered) in reply to Mr. Sparkle
    Mr. Sparkle:
    Never mind about the =3D things. Thanks, foxy. I knew that wasn't a C# operator, but I was wondering what sort of encoding error would cause it.The real WTFs here are the people badmouthing a student for not knowing the things he's going to school for, and the people who just don't know any better badmouthing Microsoft for writing a language that supposedly uses the =3D operator.
  • virginia (unregistered) in reply to Mr. Sparkle
    Mr. Sparkle:
    Never mind about the =3D things. Thanks, foxy. I knew that wasn't a C# operator, but I was wondering what sort of encoding error would cause it.The real WTFs here are the people badmouthing a student for not knowing the things he's going to school for, and the people who just don't know any better badmouthing Microsoft for writing a language that supposedly uses the =3D operator.
  • ashanti (unregistered)

    please get me a password and username and i will add you to playgames on yahoo please go on it now

Leave a comment on “Passwords! Get Your Free Passwords Here!”

Log In or post as a guest

Replying to comment #:

« Return to Article