The Daily WTF: Curious Perversions in Information Technology

2012-04-12 Reply Admin

Jay:
the beholder:
vahokif:
Just make a char[] and fill it with random numbers between 'a' and 'z', return it with the string constructor.
I can't find any numbers between 'a' and 'z'. Now what?

I see i, v, x, l, c, d, and m.

You're not limiting yourself to those new-fangled Hindu-Arabic numerals, are you? They're just a passing fad.

You're just a pissing fag! You fu...

Oh, wait... My apologies.

2012-04-12 Reply Admin

Sea Sharp:
Foo Bar:
Leper! Outcast! Unclean!
Thomas Covenant. Classy :).

God, no. Those were awful books.

2012-04-12 Reply Admin

This is bound to lead to Ovaltine.

2012-04-12 Reply Admin

http://images.smh.com.au/2012/04/12/3211657/hacker-353-200x0.jpg

Turns out she was Australian after all and likes nerds!

2012-04-12 Reply Admin

Foo Bar:
Leper! Outcast! Unclean!
However, as a WTF this one really isn't so awful. GeneratePassword uses decent randomness, and stripping out non-alphas is OK for a URL.

The real WTF is the Thomas Covenant reference.

2012-04-12 Reply Admin

wibble factory:
Hmmmm:
Hmmmm:
Assuming what someone else said is true is never a good idea as it often isn't. The 2nd param is the minimum number of non-alphanumerics not the maximum or actual number.
FTFM

from http://msdn.microsoft.com/en-us/library/system.web.security.membership.generatepassword.aspx

public static string GeneratePassword( int length, int numberOfNonAlphanumericCharacters )

...even though it's specified in the docs that it's the minimum number of the alpha chars (not the actual) it's totally lame that the second parameter is called 'numberOfNonAlphanumericCharacters' and not 'minimumNumberOfNonAlphanumericCharacters' (or some shorter equivalent)

minNumNonAlphanumChars

Captcha: commoveo - as we get bald we start to use hairstyles called commeoveos

2012-04-12 Reply Admin

Unclean! Unclean!

2012-04-12 Reply Admin

Coffee Hound:
Code Challenge: The shortest legible password generator that considers the following: - Alpha only, or alpha numeric, or alpha-num + symbols - Miminum and maximum length can be specified - Minimum/maximum length of any group (alpha, num etc.) can be specified. - Sufficiently random
Bonus points:

No dictionary words from lang of choice

Uniformly distributed over possible set of characters And.... GO

I'll get you started....

string passwordGenerator(int type)
  switch(type)
  {  
    case alpha:
      cout << "Please enter a password containing letters only, that does not contain real words from the dictionary" << endl;
      cin >> password;
      return password;
    case alphanum:
      cout << "Please enter a password containing letters and numbers only, that does not contain real words from the dictionary" << endl;
      cin >> password;
      return password;
    case alpahnumsym:
            cout << "Please enter a password containing letters numbers and symbold, that does not contain real words from the dictionary" << endl;
      cin >> password;
      return password;
    default:
      /* Updated 12/4 for security */
      return "admin01"; //"qwe123"; //"blink182"
  }
}

2012-04-12 Reply Admin

Jay:
the beholder:
vahokif:
Just make a char[] and fill it with random numbers between 'a' and 'z', return it with the string constructor.
I can't find any numbers between 'a' and 'z'. Now what?

I see i, v, x, l, c, d, and m.

You're not limiting yourself to those new-fangled Hindu-Arabic numerals, are you? They're just a passing fad.

bcdef too for the heaxadecimally inclined

2012-04-12 Reply Admin

Anon:
public static string GeneratePassword (int length, int numberOfNonAlphanumericCharacters)
protected String getRanString() { return GeneratePassword(10,0); }

The remaining code is useless because the 2nd argument asks for zero punctuation characters.

It asks for Yahtzee?

2012-04-12 Reply Admin

the beholder:
vahokif:
Just make a char[] and fill it with random numbers between 'a' and 'z', return it with the string constructor.
I can't find any numbers between 'a' and 'z'. Now what?

Use " and" as your password then.

2012-04-12 Reply Admin

Mason Wheeler:
"System.Web.Security.Membership.GeneratePassword"? Ugh. You think they could cram a few more levels of hierarchical namespacing into that if they tried? Just in case 5 isn't ugly enough for someone out there?

If you've never used .Net, it's actually not bad with how .Net's "using" statements work. The only time you really have to type out the full namespace hierarchy is when there is a naming conflict with another namespace you've pulled in with a "using" statement. It's a really nice feature if you make heavy use of the IDE, a lot of the VS IDE is sensitive to what namespaces you bring in with "using" statements.

2012-04-13 Reply Admin

Switch to EBCDIC.

Weps · 2012-04-13 Reply Admin

    uncleanRandomString = uncleanRandomString.Replace(")", "m");
    uncleanRandomString = uncleanRandomString.Replace("_", "d");
    uncleanRandomString = uncleanRandomString.Replace("-", "5");

and he still didn't think of md5....

2012-04-13 Reply Admin

wibble factory:
Hmmmm:
Hmmmm:
Assuming what someone else said is true is never a good idea as it often isn't. The 2nd param is the minimum number of non-alphanumerics not the maximum or actual number.
FTFM

from http://msdn.microsoft.com/en-us/library/system.web.security.membership.generatepassword.aspx

public static string GeneratePassword( int length, int numberOfNonAlphanumericCharacters )

...even though it's specified in the docs that it's the minimum number of the alpha chars (not the actual) it's totally lame that the second parameter is called 'numberOfNonAlphanumericCharacters' and not 'minimumNumberOfNonAlphanumericCharacters' (or some shorter equivalent)

I have only one word for this kind of WTF:

Microsoft

2012-04-13 Reply Admin

Coffee Hound:
Code Challenge: The shortest legible password generator that considers the following: - Alpha only, or alpha numeric, or alpha-num + symbols - Miminum and maximum length can be specified - Minimum/maximum length of any group (alpha, num etc.) can be specified. - Sufficiently random
Bonus points:

No dictionary words from lang of choice

Uniformly distributed over possible set of characters And.... GO

I think you can do that in 5 minutes with a perl lib .. they have libs for everything mad and language-y

2012-04-13 Reply Admin

// ... // several lines of code to be decently paid // ... return "hunter2";

2012-04-13 Reply Admin

For those who didn't get it, here's how you would code this in a secure way:

protected String getRanString() { String uncleanRandomString = System.Web.Security.Membership.GeneratePassword(10, 0); uncleanRandomString = uncleanRandomString.Replace("!", "a"); uncleanRandomString = uncleanRandomString.Replace("@", "2"); uncleanRandomString = uncleanRandomString.Replace("#", "c"); uncleanRandomString = uncleanRandomString.Replace("$", "4"); uncleanRandomString = uncleanRandomString.Replace("%", "3"); uncleanRandomString = uncleanRandomString.Replace("^", "i"); uncleanRandomString = uncleanRandomString.Replace("&", "a"); uncleanRandomString = uncleanRandomString.Replace("*", "9"); uncleanRandomString = uncleanRandomString.Replace("(", "g"); uncleanRandomString = uncleanRandomString.Replace(")", "s"); uncleanRandomString = uncleanRandomString.Replace("_", "h"); uncleanRandomString = uncleanRandomString.Replace("-", "a"); uncleanRandomString = uncleanRandomString.Replace("+", "2"); uncleanRandomString = uncleanRandomString.Replace("=", "q"); uncleanRandomString = uncleanRandomString.Replace("[", "w"); uncleanRandomString = uncleanRandomString.Replace("{", "t"); uncleanRandomString = uncleanRandomString.Replace("]", "r"); uncleanRandomString = uncleanRandomString.Replace("}", "f"); uncleanRandomString = uncleanRandomString.Replace(";", "8"); uncleanRandomString = uncleanRandomString.Replace(":", "z"); uncleanRandomString = uncleanRandomString.Replace("<", "x"); uncleanRandomString = uncleanRandomString.Replace(">", "0"); uncleanRandomString = uncleanRandomString.Replace("|", "v"); uncleanRandomString = uncleanRandomString.Replace(".", "b"); uncleanRandomString = uncleanRandomString.Replace("/", "y"); uncleanRandomString = uncleanRandomString.Replace("?", "t"); return uncleanRandomString; }

PedanticCurmudgeon · 2012-04-13 Reply Admin

Peter:
Sea Sharp:
Foo Bar:
Leper! Outcast! Unclean!
Thomas Covenant. Classy :).
God, no. Those were awful books.

You read more than one of them? Why?

Claxon · 2012-04-13 Reply Admin

It doesn't seem 'Too bad' to me.

The generated password only contains alphanumeric characters and the following punctuation marks: !@#$%^&*()_-+=[{]};:<>|./?. No hidden or non-printable control characters are included in the generated password

So System.Web.Security.Membership.GeneratePassword(10, 0); creates a random alpha-numeric string which includes the extra characters. But the programmer doesn't want any of those characters in password strings so they're performing a manual replace on each of the special characters.

2012-04-13 Reply Admin

Lefty:
Switch to EBCDIC.

Hooray!

PiisAWheeL · 2012-04-13 Reply Admin

Larry:
There are plenty of numbers between 'a' and 'z':
perl -e '$X="a";while ($X le "z"){print $X++;}' abcdefghijklmnopqrstuvwxyz

Not a single 1 of those is a number.

2012-04-13 Reply Admin

All are the letters are numerals for base 36.

PiisAWheeL · 2012-04-13 Reply Admin

jmacpherson:
All are the letters are numerals for base 36.

Nobody in their right mind uses base36. A keyboard isn't used in a base36 context. It CAN be, but generally is not. So when we refer to the symbols on a keyboard, and put a requirement refering to numbers between 2 keys, and nobody has specified that we are using base36, then base 10 is assumed, and the symbols that are not arabic numbers are considered 'letters' and not 'numbers'. So no, nobody specified base36 before hand, so no, there are no numbers between 'a' and 'z' on a qwerty or dvorak keyboard.

2012-04-13 Reply Admin

You berated the programmer for not using md5, but he did!

uncleanRandomString = uncleanRandomString.Replace(")", "m"); uncleanRandomString = uncleanRandomString.Replace("_", "d"); uncleanRandomString = uncleanRandomString.Replace("-", "5");

2012-04-15 Reply Admin

Hmmmm:
RichP:
Why do I have the sneaking suspicion that he ran GeneratePassword and hand-selected the alphanumerics to use as the substitute in order to be "more randomer"?
Assuming what someone else said is true then most definitely not or he would have realised that no non-alphnumerics were getting generated anyway...

I'm going to assume he thought like other people that the second term would squash the non-alpha numeric characters. When it obvious didn't, he slapped in a fix and got on with his life. Since thee are no important effects outside the function itself, it's not very wtf.

Big WTF is something that causes difficult to explain side effects, or subtle failures far from the offense itself.

2012-04-16 Reply Admin

PiisAWheeL:
Larry:
There are plenty of numbers between 'a' and 'z':
perl -e '$X="a";while ($X le "z"){print $X++;}' abcdefghijklmnopqrstuvwxyz
Not a single 1 of those is a number.

Hint: Ipsum Lorem, Pagina III.

Shinhan7 · 2012-04-17 Reply Admin

"Apparently, this developer was too proud for base 64 encoding"

I don't get it. How would base64 encoding help with random strings?

With MD5 I could do MD5(RAND()) and get a reasonably random string of mostly numbers and couple letter (0-F). But how can one use Base 64 when generating a random string?

2012-04-17 Reply Admin

umm, because it won't work on mac?

2012-04-23 Reply Admin

Is there a formular for determing the decreased entropy?

like

cat /dev/absolutelyrandom | randomdetection 100% (after some time)

cat /dev/absolutelyrandom | replacing_certain_strings_with_absolutelynon_random | randomfilter 30%

?

Dunno how the Laplace Distribution plays in there, but some symbols have 1:1 conversion and are a crib enabler. Maybe one could build a functioning string (bash shebang?) out of the 1:1 fixed translation conversion symbols.

And yes, the use of cat might be a deadvisable one, but i like pipes.

2017-05-03 Reply Admin

He's a complex fellow.

Securely Random Strings

Leave a comment on “Securely Random Strings”