Admin
You don't have to quote a whole page of a long comment, you could, you know, just take a couple of lines and your readers would still have enough context...
Admin
look, he missed one line. Can't believe he did it manually.
Admin
C - O - M - C - A - S - T
Just like the commercial they are running now. Or at least that's what it reminds me of. Of course, I feel like barfing when I see the commercial, but that is the way it goes.
Admin
At least they tried to encode it. When I started, they simply put the passwords in plaintext in the code and used the administrator account with full privileges.
And for those who haven't used a hex-editor on an exe: plain text passwords can be retrieved from there with little difficulty.
But we are making progress: we're not using 1 password for all protections anymore.
Admin
fuckit();
Admin
Not quite. I used to work for an ISP. One day, for curiosity's sake, I checked login/mail passwords of all clients. About 10% of all of them (there are 3+ thousand users) were '12345' or username+'123'.
The tech guys that give default passwords to clients during installation of hardware had used this password for ages, before I came to work there. Lazy clients never changed it. So we agreed for them to use a more random one. I checked a few days later and there it was:
'123456' and username+'1234'
Now that's extra security.
Days later, I fixed the code and inserted a password generator and some nasty rules (no username in password, min 3 chars and 4 digits in it etc.).
Now everybody else was screaming about it but it made me happy :)
Admin
You're no president....
Admin
UseIt(); BreakIt(); BuyIt(); FixIt(); WhoDoYouThinkYouAre();
hides face in shame
Admin
"I used to work for an ISP. One day, for curiosity sake, I checked login/mail passwords of all clients."
Checked? How? If I'm not mistaken, they should not be kept in any format where you can simply check them...
Admin
Indeed. Hashes should always be used.
Admin
Driller, don't.
Admin
brillantIt(first);
Admin
Once, when debugging a system that had been deployed months before, I noticed that most of the users had the same password (they were hashed, but I could see the hash was the same). It took me like 5 tries to figure out what that password was (the name of the company, which was probably chosen by the admin as the default password). I notified the admin of the application about the fact that many of the passwords were the same (but spared him the fact that I could figure it out), and he said he would make people change the password. Months later, nothing had changed.
In the next system I made for that company I added the username to the salt before hashing the password. At least I had the false sense of more security. Well, I also removed from the admin the option to allow people not to change the password on first login, but I feel my sense of security comes from the new salt.
Admin
Actually, in Delphi, he should have set the ConnectionString property of the conn TADOConnection control. Any decent hacker would be able to get to that connectionstring with no problem either by going through the algorithm or using a resource editor and looking at the DFM code that would contain the connectionstring in the control's property.
Admin
MS-CHAP2 likes clear text passwords, so they kept them in database. M$-thing and security.
Admin
How about logging on as Administrator to update Flash, Acrobat and other crap? This is what the Administrator account is for: for performing administrative tasks.
Admin
Dialup and PPPoE use CHAP for authentication. For CHAP, you have to keep plaintext passwords on the server side, unfortunately.
Admin
Go back to slashdot.
Original PPP CHAP (non-MS) and MS-CHAP1 require the plaintext password.
MS-CHAP2 can use the password's hash for hashing the challenge.
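The exchange the two comments above describe, as an added example that is not code from the thread or from any ISP: an RFC 1994 CHAP round trip with constructed names and secrets. Both sides compute MD5 over identifier, secret and challenge, which is why the server must hold the secret itself and not a one-way hash of it.

```python
import hashlib
import hmac
import os

# Constructed credential table standing in for the server's user database.
SERVER_SECRETS = {"alice": b"correct horse battery staple"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def server_challenge():
    """Server side: a one-octet identifier and a random 16-octet challenge."""
    return os.urandom(1)[0], os.urandom(16)


def client_answer(identifier: int, challenge: bytes, secret: bytes) -> bytes:
    """Client side: the peer proves knowledge of the secret without sending it."""
    return chap_response(identifier, secret, challenge)


def server_verify(name: str, identifier: int, challenge: bytes,
                  response: bytes) -> bool:
    """Server side: recompute the expected response from the STORED secret.
    A stored hash of the secret would be useless here, because MD5 has to be
    run over the raw secret bytes for every fresh challenge."""
    secret = SERVER_SECRETS.get(name)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(name: str, client_secret: bytes) -> bool:
    """Full round trip: Challenge -> Response -> Success/Failure."""
    ident, chal = server_challenge()
    resp = client_answer(ident, chal, client_secret)
    return server_verify(name, ident, chal, resp)


if __name__ == "__main__":
    print("alice, right secret:", run_exchange("alice", SERVER_SECRETS["alice"]))
    print("alice, wrong secret:", run_exchange("alice", b"guess"))
```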
Admin
My current system has a random salt string in the database for each user. The salt is changed each time the user changes the password, so even if the user "changes" the password to be exactly the same as before, the hash is changed.
Admin
That won't work, they'll end up with what they started with! What rubbish security!
Admin
damnit();
Admin
Why not? There was no mention of expiry, only that the password was resalted when changed by the user.
Anyway, yes you can: if hash(old_password + old_salt) == hash(new_password + old_salt) then show_unchanged_password_message() else save_password(hash(new_password + new_salt))
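The per-user salt scheme from the comments above (and the same-password problem from the earlier debugging story), written out as an added example that is not any commenter's code. It assumes a constructed in-memory user table and swaps in PBKDF2-HMAC-SHA256 for the plain hash(password + salt) of the pseudo-code; the unchanged-password check is the one given above, rehashing the candidate with the old salt.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000
users = {}  # constructed stand-in for the database: name -> {"salt", "hash"}


def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2 instead of a bare hash(password + salt); salt is per user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def set_password(username: str, password: str) -> None:
    """Every store generates a fresh random salt, so the hash changes even
    when the password text does not."""
    salt = os.urandom(16)
    users[username] = {"salt": salt, "hash": derive(password, salt)}


def verify(username: str, password: str) -> bool:
    rec = users.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], derive(password, rec["salt"]))


def change_password(username: str, old_password: str, new_password: str) -> str:
    """Returns 'wrong-old-password', 'unchanged' or 'changed'."""
    rec = users[username]
    if not hmac.compare_digest(rec["hash"], derive(old_password, rec["salt"])):
        return "wrong-old-password"
    # The check from the thread: hash the candidate with the OLD salt and
    # compare against the stored hash before generating a new salt.
    if hmac.compare_digest(rec["hash"], derive(new_password, rec["salt"])):
        return "unchanged"
    set_password(username, new_password)  # new salt, new hash
    return "changed"


if __name__ == "__main__":
    set_password("bob", "hunter2")
    set_password("carol", "hunter2")  # same text, different salt and hash
    print(users["bob"]["hash"] != users["carol"]["hash"])
    print(change_password("bob", "hunter2", "hunter2"))
    print(change_password("bob", "hunter2", "tr0ub4dor"))
```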
Admin
Thank you for the program code, will appear in next release of software package. Is attribution sufficient or are license fees involved?
Admin
for waxing in "on" "off" do wax( waxing ) done
Admin
Hahaha, awesome, exactly what went through my head when I read the article.
Blue, please!
Admin
Great stuff, this is hilarious... needs to be blue as well!
Though, I had to think about the for-loop for a second, before I got it... excellent!
Admin
...
profit()
Admin
Tried Vista on the new box, ran away screaming ("Yes, yes, okay, okay, okay, OKAY, I DO want to do that! Just stop asking me and DO IT already, you pathetic excuse for an angry fruit salad!").
Admin
Not the best Delphi code in the world, but it may have been written for a reason. You can open an executable in an editor and look for readable code. If the connection string (including password) were readable you could easily find it and hack the database. By encrypting the connection string this is not so easy anymore.
Admin
The passwords are only there to activate some configurable settings. My boss never changes the passwords. It would make things too difficult for him and his technicians. Our main software protection is a usb-dongle-key; without it our software is useless.
Admin
I guess it's valid for Delphi too that you can see the clear strings in the exe while opening it with any hex viewer. So if the connection string contained the DB login data, then I find it completely understandable.
Admin
PS: If you really typed that out, you're a maniac.
Admin
worthIt(); workIt(); putMyThingDown(); flipIt() && reverseIt();
Admin
The sad thing is, probably the connection string was originally in plain text. But then a superior said, "It's bad design to put it right there in the program..." So instead of a configuration file, we get...