• Reinder (unregistered) in reply to kipthegreat

    "I totally didn't catch the much bigger WTF of what the error message was saying."

    What it says is not important. What matters is what it means. With such code, that text could mean anything, from "you have mail" to (even more likely) "We don't know what we are doing".

  • agent86 (unregistered) in reply to merreborn
    merreborn:
    Anonymous:
    Anonymous:
    But now you have the private half of the puzzle, finding the more public half (the username) will be easier. In addition, the password may be a clue as to what the username is. This is a good WTF.


    It seems to me that if the user is permitted to choose both the username AND the password, there is no guaranteed way to ensure uniqueness, without tipping the hand.

    I guess that's why Banks use account numbers, and my Hotmail account was something like JoeBlow753

    Captcha = image, random


    Not at all.  The system assigns the username, e.g. bank card number.  Unique.   What part didn't you understand (or read)?


    I'm sorry, are you proposing a system in which it's possible for multiple users to have the same username, as long as they have different passwords?

    So if joe accidentally mistypes his password, he might accidentally log in as one of the thousands of other joes?

    brillant!
  • disgruntled (unregistered) in reply to Strydyr

    Not to name names... but Amazon does this.  Your Amazon account is made unique by a combination of email address and password.  Ergo, I have 3 (or possibly more) Amazon accounts.  When I asked them if I could consolidate (or even just kill 2 of them), I was told no.  Ugh.

  • Eggy (unregistered) in reply to Jojosh_the_Pi

    Of course it's an issue. It's hard to brute-force passwords because eventually most systems (though probably not this one) stop letting a user log in after X failed passwords. But they don't stop you from trying if you're going through usernames one by one trying to brute force the username. Also, usernames aren't obfuscated on the screen -- it's easy to find someone's username while shoulder surfing. Even more, most places have predictable usernames (John Doe is almost always some variant of john_doe, jdoe, doej, etc.). Getting a valid password for an unknown user is far more than half the battle. The likelihood of getting an administrative user by random chance (or some other user with the permissions you're looking to maliciously obtain) isn't as high, but still, this is a big hole.

  • disgruntled (unregistered) in reply to disgruntled

    Ugh!  I now hate the forum software too.  I guess I should have quoted the original to which I was responding.  It was a post about working at an E-commerce site where the boss or someone demanded that username+password be the unique key for an account.

  • Anon (unregistered) in reply to NBK

    Alas, ladies and gentlemen, we're using the latest and greatest version of a leading Java app server running on a Solaris box, hitting an Oracle database.  It's running very well now.  It just didn't like to deal with exceptions.

  • (cs) in reply to Jojosh_the_Pi

    Jojosh_the_Pi:
    HatTrick:
    Hmmmm boy doesn't that make a hackers life easier.


    It's not really an issue, because the hacker still doesn't know which user name goes with the password!


       if (errMsg.indexOf("Violation of UNIQUE KEY constraint 'UQ__mbrs_pwd'") != -1)
         return "The password entered is already in use. Please enter another.";

    Unless there's another piece of crap code like this:

       if (errMsg.indexOf("Violation of UNIQUE KEY constraint 'UQ__mbrs_usr'") != -1)
         return "The username entered is already in use. Please enter another.";

    A wily hacker could quite possibly think of some way to kind of iterate through each probable username with the appropriate password; just maybe.
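An added Python example, not from the article or from anyone in this thread, that reproduces the pattern in the snippet above against an in-memory SQLite table and puts the hardened alternative beside it. The table, constraint names and messages mirror the snippet; SQLite's error wording "UNIQUE constraint failed: mbrs.pwd" stands in for SQL Server's "Violation of UNIQUE KEY constraint", and PBKDF2 is an assumed stand-in for whatever slow password hash a deployment uses.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed schema mirroring the thread's table: UNIQUE keys on both the
# username and the plain-text password, named like the snippet's constraints.
LEAKY_SCHEMA = """
CREATE TABLE mbrs (
    usr TEXT NOT NULL CONSTRAINT UQ__mbrs_usr UNIQUE,
    pwd TEXT NOT NULL CONSTRAINT UQ__mbrs_pwd UNIQUE
);
"""

# Hardened schema: only the username is unique; the password is kept as a
# salted slow hash, so two users sharing a password never collide on anything.
HARDENED_SCHEMA = """
CREATE TABLE mbrs (
    usr      TEXT NOT NULL CONSTRAINT UQ__mbrs_usr UNIQUE,
    salt     BLOB NOT NULL,
    pwd_hash BLOB NOT NULL
);
"""


def open_db(schema):
    conn = sqlite3.connect(":memory:")
    conn.executescript(schema)
    return conn


def leaky_register(conn, usr, pwd):
    """The pattern from the snippet: string-match the driver's error text and
    report which constraint failed, which makes sign-up a password oracle."""
    try:
        conn.execute("INSERT INTO mbrs (usr, pwd) VALUES (?, ?)", (usr, pwd))
        conn.commit()
        return "OK"
    except sqlite3.IntegrityError as e:
        err_msg = str(e)  # SQLite wording: "UNIQUE constraint failed: mbrs.pwd"
        if "mbrs.pwd" in err_msg:
            return "The password entered is already in use. Please enter another."
        if "mbrs.usr" in err_msg:
            return "The username entered is already in use. Please enter another."
        return "Registration failed."


def hash_password(pwd, salt):
    # Assumed stand-in for the deployment's slow password hash.
    return hashlib.pbkdf2_hmac("sha256", pwd.encode("utf-8"), salt, 100_000)


def hardened_register(conn, usr, pwd):
    """No uniqueness on the password, a random salt per user, and a message
    that reveals nothing about other accounts' secrets."""
    salt = os.urandom(16)
    try:
        conn.execute(
            "INSERT INTO mbrs (usr, salt, pwd_hash) VALUES (?, ?, ?)",
            (usr, salt, hash_password(pwd, salt)),
        )
        conn.commit()
        return "OK"
    except sqlite3.IntegrityError:
        # Only UQ__mbrs_usr can fire now, and the exception type, not the
        # message text, is what the code branches on.
        return "That username is not available."


def hardened_login(conn, usr, pwd):
    row = conn.execute("SELECT salt, pwd_hash FROM mbrs WHERE usr = ?",
                       (usr,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(pwd, salt))


if __name__ == "__main__":
    leaky = open_db(LEAKY_SCHEMA)
    print(leaky_register(leaky, "alice", "hunter2"))   # OK
    print(leaky_register(leaky, "bob", "hunter2"))     # tells bob that hunter2 is in use
    hard = open_db(HARDENED_SCHEMA)
    print(hardened_register(hard, "alice", "hunter2"), hardened_register(hard, "bob", "hunter2"))  # OK OK
    print(hardened_login(hard, "bob", "hunter2"))      # True
```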

     

  • (cs) in reply to nooooo
    Anonymous:
    The real WTF is the people that keep posting the same comments over and over. This is obviously a write only forum.

    The real WTF is the people that keep posting the same comments over and over. This is obviously a write only forum.
  • (cs) in reply to The Anonymous Coward
    Anonymous:

    Anonymous:
    What assurance do you have that the error number will be any more stable than the error message?  Both can break very easily.

    The entire purpose of an error code is to be programmatically recognized.  The purpose of an error message, on the other hand, is to provide human-readable information (on screen or in a log).  To break it down more explicitly:

    1) The error code is part of the database's API.  It is reasonable to expect it not to change from version to version of a product; and if the product developers are any good, then they will avoid changing the codes because they expect their existing user base to be using them in this way.  They need have no such qualms about changing error messages, and in fact it is very likely for error messages to evolve over a product's lifetime.

    2) Error codes aren't localized.

    Obviously this won't protect you if you change database vendors.  It would be nice to have a standard for error codes; but good luck with that.

    Like in the following example:

      ERROR CODE 69:

       Error message while using...

    Microsoft's DDE:
    "Error Code 69: Sorry, DDE does not exchange data in this fashion."

    Microsoft's OLE:
    "We apologize, but you cannot link your objects in this way (error 69)"

    Microsoft's ActiveX:
    "Our condolences.  The id {65-22-35-hike} cannot be embedded like that: 00069"

    Microsoft's COM:
    "Sorry, component not found even though I see it.  ERROR 0069."

    Microsoft's COM+:
    "Oh there it is, but the component doesn't look like it is distributed properly.  ERR#69"

    Microsoft .NET:
    "You silly object.  This component or assembly appears to be unmanagable.  Please correct as soon as possible.  Cheers.  (distributed.enterprise.assembly.error.net.level(69)."

    Ahhhh, got that off my chest.  Now back to productively using Microsoft products (gotta luv 'em).

  • (cs) in reply to The Anonymous Coward

    Anonymous:
    The real WTF is the people that keep posting the same comments over and over. This is obviously a write only forum.

    Close. It's a right-only forum. Ask anyone here, they'll tell you they're right ...

  • (cs) in reply to rbriem
    rbriem:

    Anonymous:
    The real WTF is the people that keep posting the same comments over and over. This is obviously a write only forum.

    Close. It's a right-only forum. Ask anyone here, they'll tell you they're right ...



    You are so right about that...
  • (cs) in reply to TankerJoe
    TankerJoe:
    rbriem:

    Anonymous:
    The real WTF is the people that keep posting the same comments over and over. This is obviously a write only forum.

    Close. It's a right-only forum. Ask anyone here, they'll tell you they're right ...



    You are so right about that...


    I.like(bigButts) && I.canLie(false);
    otherBrothers.canDeny(false);

    walksIn(girl.waist(ittyBitty)) && yourFace.in(girl.thing(round));

  • John Hardin (unregistered) in reply to kipthegreat
    kipthegreat:
    Alex Papadimoulis:
    if (errMsg.indexOf("Violation of UNIQUE KEY constraint 'UQ__mbrs_pwd'") != -1)
      return "The password entered is already in use. Please enter another.";

    ... the password is stored in the database in plain-text ...


    Where do you get that from the code snippet?
  • tribbles (unregistered) in reply to Pablo Marambio

    Has anyone considered that there *might* be a password history table and that the user is forced to change their password on some time interval and that they are not allowed to choose a password they've used previously?  Several organizations have software that forces you to change your password every quarter and they keep a history of the last X number (5 commonly) of passwords you have used and will prevent you from using those passwords again.

    In this case the given constraint is not a WTF, rather the error message and error handling is.

  • (cs)

    Alex Papadimoulis:
      if (errMsg.indexOf("Violation of UNIQUE KEY constraint 'UQ__mbrs_pwd'") != -1)
        return "The password entered is already in use. Please enter another.";
    

    <ponder>
    So if the password you entered was blank (read "very null"), does that mean the username is "sa"?
    </ponder>


  • Kevin (unregistered) in reply to tribbles
    Anonymous:

    Has anyone considered that there *might* be a password history table and that the user is forced to change their password on some time interval and that they are not allowed to choose a password they've used previously?



    The password has a unique key constraint. Unless each account has its own password history table, the constraint requires the password be unique across all rows. So it is most likely not enforcing the reasonable policy you mention.

  • Ed (unregistered) in reply to maht
    Anonymous:
    Anonymous:
    What assurance do you have that the error number will be any more stable than the error message?  Both can break very easily.



    <snip/>

    Error numbers tell you NOTHING and are not very grep \ search engine friendly

    Give me
    Violation of UNIQUE KEY constraint 'UQ__mbrs_pwd'

    not

    Error 2535213521.462345.456734


    You misunderstand.

    Error messages for the users - and these may be localized.

    Error numbers for the application developers - these are the keys used to retrieve the messages from the localization database for error messages.

    The log file gets both, because it can be used by both application developers and users.

    For any application, new error numbers may be created during any update - but old error numbers are fixed.  If an update prevents an error from ever happening again, the associated error number is still reserved, and may never be used for a future error - unless a later update makes it possible again.

    Within a particular company, it is useful to have consistent error numbers between applications - but if you have multiple applications with differing error numbers, don't fix them, except with a major update (major number change), and even in that case, the old numbers are still reserved, and one should provide a translation layer or other means for backward compatibility.  It's better for a company's products from disparate sources to be different in this regard than to break all of its existing customers.

    This way, the users get to understand what's going on, because they get a meaningful error message.  Application developers that need to interact with the program can without tying themselves to a specific locale, and with some resistance to being broken due to error message text clarifications.
  • Tin in Australia (unregistered) in reply to Bus Raker
    Bus Raker:
    Sweet , I know the password.  What's the username?


    There isn't one. Seriously, the system that contains pretty much all the site specific records for the government department I'm employed by does this. No usernames, just a password. The passwords are limited to 8 characters too, and I'm pretty sure it's not case-sensitive. Most users have a 3 letter password like cat or dog, and if you attempt to change to one that's in use, it gladly tells you it's in use.... Any valid user could, with a few hours spare, find my admin account's password, and there's nothing I can do about it.
  • (cs) in reply to jspenguin

    It is an error, a common EXPECTED error... Not an exception

  • Jolly Roger (unregistered) in reply to rbriem
    rbriem:
    Anonymous:

    Why is there a unique constraint on passwords?  Surely they're not being used as keys anywhere, are they?  If so, doesn't that cause problems when the user changes their password?  Never mind the security implications...

    I sense layers of WTFery beneath this snippet.

    Layers and layers of WTFery ... entire underground civilizations of WTFery ... The Land of WTFery That Time Forgot ...



    Aye! I say bestow onto us, your brethren, the whole WTFery of that software!
  • Jolly Roger (unregistered) in reply to Tin in Australia
    Anonymous:
    Bus Raker:
    Sweet , I know the password.  What's the username?


    There isn't one. Seriously, the system that contains pretty much all the site specific records for the government department I'm employed by does this. No usernames, just a password. The passwords are limited to 8 characters too, and I'm pretty sure it's not case-sensitive. Most users have a 3 letter password like cat or dog, and if you attempt to change to one that's in use, it gladly tells you it's in use.... Any valid user could, with a few hours spare, find my admin account's password, and there's nothing I can do about it.


    By "any valid user" here you really mean "anyone", right? With passwords like "cat" or "dog", any five year old could become a "valid user" ...
  • (cs) in reply to bullestock
    bullestock:
    Enric Naval:
    Oh, and I was the one doing the "fist!" first reply today. I just saw "0 replies" and I had to do it.... I had no time to login. I just typed something on the name field so it wouldn't complain

    You are a jerk.

    Sorry, the REAL wtf is that you are judging me by one of my actions on this forum, instead of valuing me for the whole of my apportations to the community :)

    And the correct phrase is "By posting that, you behave like a jerk". Otherwise, you are implying that I behave like a jerk always and everywhere, instead of just when I see a "0 replies" link on The Daily WTF.

    That's the kind of details that mark the difference......

  • (cs) in reply to Enric Naval
    Enric Naval:
    bullestock:
    Enric Naval:
    Oh, and I was the one doing the "fist!" first reply today. I just saw "0 replies" and I had to do it.... I had no time to login. I just typed something on the name field so it wouldn't complain

    You are a jerk.

    Sorry, the REAL wtf is that you are judging me by one of my actions on this forum, instead of valuing me for the whole of my apportations to the community :)

    And the correct phrase is "By posting that, you behave like a jerk". Otherwise, you are implying that I behave like a jerk always and everywhere, instead of just when I see a "0 replies" link on The Daily WTF.

    That's the kind of details that mark the difference......



    Really, you're a jerk.

    sincerely,
    Richard Nixon
  • Pulk (unregistered) in reply to TankerJoe
    TankerJoe:
    kipthegreat:

    My GMail password is 12345.  I'm very proud of it.  No one would ever guess it.

    12345? That is the kind of password that only an idiot would have on his luggage...
    *wanders in*
    Amazing! I have exact same combination on my luggage!"
  • (cs) in reply to Bustaz Kool
    Bustaz Kool:

    marvin_rabbit:
    I'm just trying to imagine the GMail (or other such service) sign-up process if THAT required a unique password:
    <sound of typing>
    "secret", no.
    "password", no.
    "07-04-1776", no.
    "asdfasdfasdf", no.
    "wtf?", no.
    "Reginauld G. Cooper was here", no.
    "Reginauld G. Cooper was THERE", no.
    "are there any f---ing paswords left?", no.
    "spacemonkey", no.
    "deadbabyducks", no.
    "painfullrectalitch", no.
    "superbassamatic76", no.

    Let's not forget "Jesus" (who in this case does not save...)

    What the hell are you saying? Of course Jesus saves.

  • Un-Localization (unregistered) in reply to qbolec
    Anonymous:

    I don't know much about constraints, but as pointed out before - do we know what that constraint was meant to do just by looking at its name?

    I do believe that the table stored 10 previous passwords of each user in ONE table, (ie. pairs USERID,password_hash), and the constraint was just used to check if id,hash(password) was already there. Can you prove me wrong?

    Also I do believe there was no better way for testing the error than parsing the error message. Again I don't know much about constraints, but I don't believe that each constraint has different errorcode...But even if I am wrong and the developer can change the error message so it contains the different error code for different constraint, I still can imagine a language/library set (like maybe PHP) where you cannot get this number directly so the only way is to parse.

    I can also imagine that testing for shorter string like "name_of_constraint" could be better, as it doesn't change via localisation. But still - it may change as pointed out before, and still the name_of_constraint may be in the string for some different reason ...(I dunno:P)..than the constraint violation.

    I can also imagine a world where everything works on English version of the database. In fact I'm from Poland and haven't seen Polish error messages in any database software for ages:)

    I can also imagine that these two lines of code were in file  /mods/english/errorhandling/errors.php or something.

    My imagination reaches even further: maybe each time they got a new client in some overseas country they have so much work with localisation that simply changing error-message-matching code is not such a pain...or maybe they prefer to change the database language...(what's the point of having German error messages in the database if you are an English-thinking developer, and German-speaking end-users are not supposed to see them anyway?)

    [sorry for grammar/spellings/intonation:P]

    The convention should be to place your apology (or a tag containing your native language) at the TOP of your message so that I have a reason to continue reading it. [Language = BabelFish(Japanese)] at the top of a post would make it quite clear that the issue is a difference of language not a short circuit in the brain.

  • da/dt (unregistered) in reply to Enric Naval
    Enric Naval:
    bullestock:
    Enric Naval:
    Oh, and I was the one doing the "fist!" first reply today. I just saw "0 replies" and I had to do it.... I had no time to login. I just typed something on the name field so it wouldn't complain

    You are a jerk.

    Sorry, the REAL wtf is that you are judging me by one of my actions on this forum, instead of valuing me for the whole of my apportations to the community :)

    And the correct phrase is "By posting that, you behave like a jerk". Otherwise, you are implying that I behave like a jerk always and everywhere, instead of just when I see a "0 replies" link on The Daily WTF.

    That's the kind of details that mark the difference......

    You have done a thing that jerks do. That PROVES that you do things which jerks do. Someone who is not opposed to doing those sorts of things is (wait for it)...A JERK!

    The real WTF is that you think that performing unrelated beneficial actions gets you off the hook for anything detrimental you do. That kind of attitude works in government, but not here. Jerk.

  • (cs) in reply to da/dt
    Anonymous:
    Enric Naval:
    bullestock:
    Enric Naval:
    Oh, and I was the one doing the "fist!" first reply today. I just saw "0 replies" and I had to do it.... I had no time to login. I just typed something on the name field so it wouldn't complain

    You are a jerk.

    Sorry, the REAL wtf is that you are judging me by one of my actions on this forum, instead of valuing me for the whole of my apportations to the community :)

    And the correct phrase is "By posting that, you behave like a jerk". Otherwise, you are implying that I behave like a jerk always and everywhere, instead of just when I see a "0 replies" link on The Daily WTF.

    That's the kind of details that mark the difference......

    You have done a thing that jerks do. That PROVES that you do things which jerks do. Someone who is not opposed to doing those sorts of things is (wait for it)...A JERK! The real WTF is that you think that performing unrelated beneficial actions gets you off the hook for anything detrimental you do. That kind of attitude works in government, but not here. Jerk.

    That only means that I occasionally act as a jerk. And yes, people are usually more forgiving of jerk-like actions if you only do them occasionally, then recognize them, the action causes no harm and then you behave well the rest of the time. I don't think that a "fist" post is "detrimental", anyways.....

    Also, if you are the same anonymous from the original post, you still don't understand the difference between saying "You are X" and saying "You behave like a X". And also, you seem to prefer acting as a TROLL instead of maintaining a meaningful conversation

  • (cs) in reply to Enric Naval
    Enric Naval:
    Anonymous:
    Enric Naval:
    bullestock:
    Enric Naval:
    Oh, and I was the one doing the "fist!" first reply today. I just saw "0 replies" and I had to do it.... I had no time to login. I just typed something on the name field so it wouldn't complain

    You are a jerk.

    Sorry, the REAL wtf is that you are judging me by one of my actions on this forum, instead of valuing me for the whole of my apportations to the community :)

    And the correct phrase is "By posting that, you behave like a jerk". Otherwise, you are implying that I behave like a jerk always and everywhere, instead of just when I see a "0 replies" link on The Daily WTF.

    That's the kind of details that mark the difference......

    You have done a thing that jerks do. That PROVES that you do things which jerks do. Someone who is not opposed to doing those sorts of things is (wait for it)...A JERK! The real WTF is that you think that performing unrelated beneficial actions gets you off the hook for anything detrimental you do. That kind of attitude works in government, but not here. Jerk.

    That only means that I occasionally act as a jerk. And yes, people are usually more forgiving of jerk-like actions if you only do them occasionally, then recognize them, the action causes no harm and then you behave well the rest of the time. I don't think that a "fist" post is "detrimental", anyways.....

    Also, if you are the same anonymous from the original post, you still don't understand the difference between saying "You are X" and saying "You behave like a X". And also, you seem to prefer acting as a TROLL instead of maintaining a meaningful conversation



    Could you just not make those 'fist' posts in the future? Please?

    sincerely,
    Richard Nixon
  • (cs) in reply to Richard Nixon
    Richard Nixon:
    Enric Naval:
    Anonymous:
    Enric Naval:
    bullestock:
    Enric Naval:
    Oh, and I was the one doing the "fist!" first reply today. I just saw "0 replies" and I had to do it.... I had no time to login. I just typed something on the name field so it wouldn't complain

    You are a jerk.

    Sorry, the REAL wtf is that you are judging me by one of my actions on this forum, instead of valuing me for the whole of my apportations to the community :)

    And the correct phrase is "By posting that, you behave like a jerk". Otherwise, you are implying that I behave like a jerk always and everywhere, instead of just when I see a "0 replies" link on The Daily WTF.

    That's the kind of details that mark the difference......

    You have done a thing that jerks do. That PROVES that you do things which jerks do. Someone who is not opposed to doing those sorts of things is (wait for it)...A JERK! The real WTF is that you think that performing unrelated beneficial actions gets you off the hook for anything detrimental you do. That kind of attitude works in government, but not here. Jerk.

    That only means that I occasionally act as a jerk. And yes, people are usually more forgiving of jerk-like actions if you only do them occasionally, then recognize them, the action causes no harm and then you behave well the rest of the time. I don't think that a "fist" post is "detrimental", anyways.....

    Also, if you are the same anonymous from the original post, you still don't understand the difference between saying "You are X" and saying "You behave like a X". And also, you seem to prefer acting as a TROLL instead of maintaining a meaningful conversation



    Could you just not make those 'fist' posts in the future? Please?

    sincerely,
    Richard Nixon

    Well, since you ask it that way....

  • A chicken passeth by (unregistered) in reply to Enric Naval

    There isn't one. Seriously, the system that contains pretty much all the site specific records for the government department I'm employed by does this. No usernames, just a password. The passwords are limited to 8 characters too, and I'm pretty sure it's not case-sensitive. Most users have a 3 letter password like cat or dog, and if you attempt to change to one that's in use, it gladly tells you it's in use.... Any valid user could, with a few hours spare, find my admin account's password, and there's nothing I can do about it.
    Oh, ugh. Half-factor authentication.
    This is ripe for an indirect insider attack.

    With an account, you can arbitrarily change passwords until the system runs out, then nobody can change their passwords anymore.

    And while doing that, any passwords that are rejected in the process should be noted as potentially valid accounts.

    Too easy to brute force. Hope your sysadmin password is 9.9999e99 characters long.

  • (cs) in reply to Enric Naval
    Enric Naval:
    Richard Nixon:
    Enric Naval:
    Anonymous:
    Enric Naval:
    bullestock:
    Enric Naval:
    Oh, and I was the one doing the "fist!" first reply today. I just saw "0 replies" and I had to do it.... I had no time to login. I just typed something on the name field so it wouldn't complain

    You are a jerk.

    Sorry, the REAL wtf is that you are judging me by one of my actions on this forum, instead of valuing me for the whole of my apportations to the community :)

    And the correct phrase is "By posting that, you behave like a jerk". Otherwise, you are implying that I behave like a jerk always and everywhere, instead of just when I see a "0 replies" link on The Daily WTF.

    That's the kind of details that mark the difference......

    You have done a thing that jerks do. That PROVES that you do things which jerks do. Someone who is not opposed to doing those sorts of things is (wait for it)...A JERK! The real WTF is that you think that performing unrelated beneficial actions gets you off the hook for anything detrimental you do. That kind of attitude works in government, but not here. Jerk.

    That only means that I occasionally act as a jerk. And yes, people are usually more forgiving of jerk-like actions if you only do them occasionally, then recognize them, the action causes no harm and then you behave well the rest of the time. I don't think that a "fist" post is "detrimental", anyways.....

    Also, if you are the same anonymous from the original post, you still don't understand the difference between saying "You are X" and saying "You behave like a X". And also, you seem to prefer acting as a TROLL instead of maintaining a meaningful conversation



    Could you just not make those 'fist' posts in the future? Please?

    sincerely,
    Richard Nixon

    Well, since you ask it that way....

    I just love those happy endings. :)

    I like this whole thread of "jerk/not a jerk".  I think this boils down to two scenarios:

    1) Being a jerk versus jerk actions.  Let's say, mathematically, that any person could be the number 4.  A jerk would be a 3+1.  But another person, who is at 2+2, is not considered a jerk but is also a number 4.  Don't get me started on those 5-1 people! :)

    2) Your jerk actions could be construed as a turd in someone's spaghetti and meatballs.  That means that no matter what pure acts you've done in the past or intend to do in the future, I still have this "jerk turd" in my spaghetti (fist) which means it has ruined my whole meal.

    I think that a #2 (pun?) is what Nixon was talking about.  Those "fist" posts just ruin the entire ambiance of TDWTF not to mention any Italian dish.

    --

    Just hoping to confuse and enlighten while creating an atmosphere of total ambivalence.

  • nvrijn (unregistered) in reply to ammoQ

    Brilliant!  I suppose the only viable alternative strategy would be to allow the system to reuse the password, but force it to notify all users with the identical preexisting password to the fact that a password plagiarizer had just created a new account using identity xyz.

    Perhaps the larger "identical password" communities could start a self-help group.




  • teeseer (unregistered) in reply to tster
    tster:
    jspenguin:
    Not to mention the fact that they are RETURNING the error message instead of throwing it.


    if the function is called returnErrorMessage() or something then why would they want to throw it?  throwing errors is just 1 of 2 (actually 3 if you count setting globals) ways to handle errors.


    Of course, not mentioning ignoring them :D
    (...)
    catch(Exception ex){} //TODO
    (...)
  • smithy953 (unregistered)

    meh simply a faster acting error message i think you should work on your coding :)

  • SeHE (unregistered) in reply to strickdd
    Anonymous:
    first? 
    somebody missed the point :)
  • 3losh (unregistered) in reply to Brian Kemp
    Anonymous:

    User: Microzeft   Password: w6ooo   Primary Key: [email protected]

    i can Crack the MD5 Hash ... without salt .. and i can use it to vb3 ,,,,,

    [email protected]

    Microzeft

    That's beautiful. Utterly beautiful.

    Re: the comment made about salt...I was fairly sure salt was either calculated or stored somewhere.  It's only supposed to make two encrypted passwords different between users, not actually make the password harder to crack on its own merits--just that you only get one account per password cracked.

    My friend came up with the idea of "pepper"--something that is added to a salted password pre-encryption but is the same for all users and would differ on different installations of the same product--almost like an administrator or installation setting, to further annoy vendors of pre-computed hash lists.

    For example:
    username = "BrianKemp"
    password = "12345"
    Pepper = "cayenne"
    Salt = md5((username->ToUnicodeBytes XOR 255) to Hexadecimal)
    hashed password = SHA1(password + salt + pepper)

    So company 1 has pepper "cayenne" and company 2 has pepper "greenbell".  The same username/password combination will not be the same on the two servers.

    The problem is that it's entirely possible to set up a pepper so that it's completely useless if you're using, say, md5:
    If Hash(X) = Hash(Y)
    then Hash(X + Pepper) can equal Hash(Y+Pepper) for very carefully chosen values of pepper.
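The salt-and-pepper recipe in the post above, worked in Python as an added example (not the poster's or any project's code): `thread_salt` and `thread_hash` follow the five pseudo-code lines literally, `verify` is an assumed login-side check, and `ToUnicodeBytes` is assumed to mean UTF-16LE as in .NET's Encoding.Unicode.

```python
import hashlib
import hmac


def thread_salt(username):
    """Salt = md5((username->ToUnicodeBytes XOR 255) to Hexadecimal).
    Assumption: ToUnicodeBytes is UTF-16LE, like .NET's Encoding.Unicode."""
    xored = bytes(b ^ 0xFF for b in username.encode("utf-16-le"))
    return hashlib.md5(xored.hex().encode("ascii")).hexdigest()


def thread_hash(username, password, pepper):
    """hashed password = SHA1(password + salt + pepper). The pepper is one
    secret per installation, shared by every user on that installation."""
    salt = thread_salt(username)
    return hashlib.sha1((password + salt + pepper).encode("utf-8")).hexdigest()


def verify(username, password, pepper, stored_hash):
    """Assumed login check: recompute with this installation's pepper and
    compare in constant time. A hash copied from an installation with a
    different pepper will not verify here."""
    candidate = thread_hash(username, password, pepper)
    return hmac.compare_digest(candidate, stored_hash)


if __name__ == "__main__":
    # Constructed sample values taken from the post.
    company1 = thread_hash("BrianKemp", "12345", "cayenne")
    company2 = thread_hash("BrianKemp", "12345", "greenbell")
    print(company1 != company2)                                 # True
    print(verify("BrianKemp", "12345", "cayenne", company1))    # True
    print(verify("BrianKemp", "12345", "greenbell", company1))  # False
```

Kept as the post describes it, so the salt is derived from the username rather than drawn at random and the hash is a single SHA-1; a deployment would use a random per-user salt and a slow password hash, with the pepper held in configuration rather than in the database.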
