Admin
fist!
Admin
Why doesn't anyone scream Second!!
Admin
secondist!
Admin
They probably thought that it was more efficient than actually doing a select to check for existing passwords, and then doing an update
Oh, wait a minute, this means that you can't have the same password for two different users? I was expecting a message like "User XXXX is already using this password" :)
Oh, and I was the one doing the "fist!" first reply today. I just saw "0 replies" and I had to do it.... I had no time to login. I just typed something on the name field so it wouldn't complain
Admin
Sweet , I know the password. What's the username?
Admin
The real WTF is that the error message does not include the account name with the already existing password, so the user has no easy possibility to verify the correctness of the error message.
;-)
Admin
Ooops, I'm obviously too slow
Admin
doing the whole fist thing is stupid.
Admin
He should have said:
if (errMsg.Contains("Violation of UNIQUE KEY constraint 'UQ__mbrs_pwd'"))
    return "The password entered is already in use by " + username + ". Please enter another, or have them change their password now.";
Some people...
Admin
Hmmmm boy doesn't that make a hacker's life easier.
Admin
It's not really an issue, because the hacker still doesn't know which user name goes with the password!
Admin
Yeah, I mean obfuscation, DUH!
"We won't tell you why we don't like that password, but we strongly suggest you choose another one."
Admin
Also, what about depending on the comparison of the error message to a hard-coded string? Of course, if the error message changed, thus breaking the function, everyone would be better off...
Admin
But now you have the private half of the puzzle, finding the more public half (the username) will be easier. In addition, the password may be a clue as to what the username is. This is a good WTF.
Admin
WTF? ;-)
Admin
The real WTF here is that some ass-hat would actually fess up to that. (And not just admit it, but want to claim it as an honor!)
Admin
A database vendor adds whitespace/colon/period to the format of an error message and the entire application goes down the toilet. Brillant!
Admin
Why is there a unique constraint on passwords? Surely they're not being used as keys anywhere, are they? If so, doesn't that cause problems when the user changes their password? Never mind the security implications...
I sense layers of WTFery beneath this snippet.
Admin
It seems to me that if the user is permitted to choose both the username AND the password, there is no guaranteed way to ensure uniqueness, without tipping the hand.
I guess that's why Banks use account numbers, and my Hotmail account was something like JoeBlow753
Captcha = image, random
Admin
It's funny.. when I read this, I thought the wtf was the first line, determining what kind of error you have based on an error message rather than some kind of error code (what happens when they sell a customer running their database in German?). I totally didn't catch the much bigger WTF of what the error message was saying.
Aside from that, there's also the wtf that the password is stored in the database in plain-text, rather than using an md5 hash of the password or something like that at the least, and adding some salt characters would be even better.
Three wtfs from two lines of code. Not exactly a record here. :)
Admin
Meant to say- what happens when they sell to a customer running their database in German?
Admin
checking for specific error messages is not good practice...
they're easily misspelled...[:P]
Admin
As someone who has worked on (read: inherited) monstrously sized applications, I have, sadly, frequently seen this sort of thing. Apparently, the less experienced developers had no time to develop a comprehensive error handling paradigm (eg: exceptions), so everything just returns a String, and then its contents are strcmp'd to see if it contains some magic words, thus indicating an error. You fix stuff like this as you encounter it, but it's like trying to sweep the tide back out to sea. <cries>
Admin
I'm just trying to imagine the GMail (or other such service) sign-up process if THAT required a unique password:
<sound of typing:>
"secret", no.
"password", no.
"07-04-1776", no.
"asdfasdfasdf", no.
"wtf?", no.
"Reginauld G. Cooper was here", no.
"Reginauld G. Cooper was THERE", no.
"are there any f---ing paswords left?", no.
"spacemonkey", no.
"deadbabyducks", no.
"painfullrectalitch", no.
"superbassamatic76", no.
Admin
Not to mention the fact that they are RETURNING the error message instead of throwing it.
Admin
Note to self: change GMail password
Admin
They can have a cool 'forgot username?' feature. You enter your password and it tells you your username.
This WTF is truly an onion........
1) questionable primary keys
2) security issues
3) error handling based on database vendor magic strings, as well as database key/index names
Admin
I don't know how you can infer anything about how the password is stored from that snippet of code. It's just searching the text of an error message; the preceding lines could have included a check of a hashed or encrypted value against the one in the DB.
Admin
I can see the query now:
select * from users where username = @username or password = @password
That's why they can't allow duplicate usernames...
Admin
If that was the only problem, I would say: so what, tell the customer to run their database in English. Who cares.
I would rather worry that the error message ("The password entered...") is hardcoded in English.
Admin
My GMail password is 12345. I'm very proud of it. No one would ever guess it.
Admin
Please tell me that once you've logged in with a "proper" password, you can browse the list of users?
Admin
Layers and layers of WTFery ... entire underground civilizations of WTFery ... The Land of WTFery That Time Forgot ...
Admin
if the function is called returnErrorMessage() or something then why would they want to throw it? throwing errors is just 1 of 2 (actually 3 if you count setting globals) ways to handle errors.
Admin
What if they had separate tables for passwords and usernames with no way to link one to the other! (It's only natural to have similar constraints in them, no?)
Admin
That's true. Giving them the benefit of the doubt, they could be storing something like an md5 hash with several randomly-generated salt characters. In which case, there would need to be somewhere on the order of 1.774 * 2^64 users before the probability of a collision is greater than 50%. If this were the case, then it is unlikely that this error message was ever seen, which would explain why it was still in the system. Using an even better hash like SHA-1 would further decrease the probability of a clash.
Of course, Alex said "this is as bad as it seems" so I doubt it.
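As an added illustration of this post and of the earlier one about plain-text storage (example code written for this page, not the thread's snippet or any real application), a small Python model of both designs: a plain-text column with a UNIQUE constraint, which turns the constraint error into a password-existence message, beside a salted-hash store where the same password for two users yields different rows, so no such constraint can ever fire. Table and column names are assumed.

```python
import hashlib
import hmac
import os
import sqlite3


def make_store(unique_password: bool) -> sqlite3.Connection:
    """Constructed in-memory user table; the UNIQUE flag mirrors the WTF."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                "username TEXT UNIQUE NOT NULL, pwd TEXT NOT NULL"
                + (" UNIQUE" if unique_password else "") + ")")
    return con


def register_plain(con, username, password):
    """The pattern under discussion: plain-text column, constraint error
    mapped to a user-facing message. The message itself is the leak."""
    try:
        con.execute("INSERT INTO users (username, pwd) VALUES (?, ?)",
                    (username, password))
    except sqlite3.IntegrityError as e:
        if "pwd" in str(e):  # same brittle string test as the snippet
            return "The password entered is already in use. Please enter another."
        raise
    return "ok"


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns 'salt$hash' hex."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def register_hashed(con, username, password):
    """Hardened form: two users with the same password get different salts,
    hence different stored values, so uniqueness of pwd is meaningless."""
    con.execute("INSERT INTO users (username, pwd) VALUES (?, ?)",
                (username, hash_password(password)))
    return "ok"


def verify_hashed(con, username, password):
    """Recompute with the stored salt and compare in constant time."""
    row = con.execute("SELECT pwd FROM users WHERE username = ?",
                      (username,)).fetchone()
    if row is None:
        return False
    salt_hex, _ = row[0].split("$")
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), row[0])
```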
Admin
12345? That is the kind of password that only an idiot would have on his luggage...
Admin
A few years back, I worked for someone who wanted a unique constraint on the username/password combination.
In other words, everyone could register with the same username, as long as their password was new.
After an intense discussion with this "English-challenged" individual, I went ahead and coded it as requested. (If the user picked a previously used combination on the registration form, it just goes ahead and logs them into the existing account.)
As far as I know, this e-Commerce application is still using the code, and I suppose history has demonstrated my foolishness... he's now the VP of Development, and I was laid off, partly owing to my "negativity".
Admin
Yep, one finger is sufficient.
Admin
I will take a guess that the user table is as expected: id, username, password. (Well, almost as expected.) I don't think passwords are being used as primary keys.
Some bonehead probably just thought that having two passwords be the same is a security risk, then went ahead and added the unique constraint that made today's WTF possible.
Admin
Maybe it's not as bad as you think. Sure, using the text of an error message as a key is a WTF. But maybe it's not such a big WTF to check that the password is unique. I've seen an application where you needed different passwords for different access levels, and you couldn't use the same password in the different places. In that application, a constraint on userid,password would make sense.
Admin
I get it, the WTF is that Alex said he'd present a single line of code, but he really showed two.
Admin
I prefer the shocker myself (giving, not receiving).
Admin
Lindows will rule the day!
Admin
Why bother with a complicated "forgot username" feature. It would be simpler to just add a "loggedin=true" query string parameter and you could skip that whole logging in thing altogether.
Admin
Not to mention the passwords could be stored in plain text...
Admin
First Post!
Admin
first?
Admin
Geez, I noticed that they were checking the text of an error message, which is silly but only slightly dangerous. But the fact that they were trying to keep all the passwords unique? And that the user was notified of that fact, thus giving them some information about what passwords are on the system? Nope. Totally missed it.
This is like reading Marilyn Vos Savant's column, where she gives you a list of words and asks what they have in common. I never figure those out, 'cuz the relationships are always totally out of left field. And I hate myself for ALWAYS stopping to read that darn column anyway!