• Yep (unregistered)

    •••••

  • The Nerve (unregistered)

    Fixed?

    public static bool passwordsMatch(string pass1, string pass2)
    {
        return pass1.Equals(pass2);
    }
    
  • Scott (unregistered)

    Okay, so if psswd2 is longer than psswd1 they can still match. WTF!?

  • BG (unregistered)

    In TheDailyWTF comment system you can type your password in and it appears as *'s!. For instance, if you typed 'hunter2' it would appear to me as '*******'

  • Mark Harrison (unregistered)

    TRWTF is of course it only catches 'IndexOutOfRangeException', what about FileNotFound?

  • grok (unregistered)

    So... assuming password1 is user entered and password2 is database retrieved, I could successfully pass authentication for any of the following passwords: ["what", "whatthe", "wtf?"] by entering w?

  • Your Name (unregistered) in reply to BG
    BG:
    In TheDailyWTF comment system you can type your password in and it appears as *'s!. For instance, if you typed 'hunter2' it would appear to me as '*******'

    It doesn't work. When I type '1337rulez', I can still see my password.

  • cicobuff (unregistered) in reply to The Nerve
    The Nerve:
    Fixed?
    public static bool passwordsMatch(string pass1, string pass2)
    {
        return pass1.Equals(pass2);
    }
    

    Null exception if pass1 is null?

  • Larry (unregistered)

    TRWTF is people who don't understand what encryption is.

  • Ken B. (unregistered) in reply to Scott
    Scott:
    Okay, so if psswd2 is longer than psswd1 they can still match. WTF!?
    for (int i = 0; i < max(psswd1.Length,psswd2.Length); i++)
    Fixed.

  • oppeto (unregistered) in reply to Your Name
    Your Name:
    BG:
    In TheDailyWTF comment system you can type your password in and it appears as *'s!. For instance, if you typed 'hunter2' it would appear to me as '*******'

    It doesn't work. When I type '*********', I can still see my password.

    Yeah, but we can't.

  • (cs)

    You guys laugh, but this is the exact code the CLR uses for String.Equals(), except they use a loop over a switch for optimization.

  • RuinMyTune (unregistered) in reply to BG
    BG:
    In TheDailyWTF comment system you can type your password in and it appears as *'s!. For instance, if you typed 'hunter2' it would appear to me as '*******'

    Yeah right... Let's try that out:

    hunter2

    doesn't look like stars to me!!!!

  • Markus (unregistered) in reply to Your Name
    Your Name:
    BG:
    In TheDailyWTF comment system you can type your password in and it appears as *'s!. For instance, if you typed 'hunter2' it would appear to me as '*******'

    It doesn't work. When I type '1337rulez', I can still see my password.

    That's because '1337rulez' is your password. It appears to me as '*********'

  • (cs) in reply to The Nerve
    The Nerve:
    Fixed?
    public static bool passwordsMatch(string pass1, string pass2)
    {
        return pass1.Equals(pass2);
    }
    

    Not the same logic. pass1 must be a left-subset of pass2 but doesn't have to be equal to it.

  • some guy (unregistered)
    Scott:
    Okay, so if psswd2 is longer than psswd1 they can still match. WTF!?

    Actually, this is a huge security breach, because it makes any account hackable by anyone who knows what this code looks like or by anyone who mistypes his password by adding letters at the end and notices this.

    Accounts can be hacked the same way as that key lock from 2010-03-31

  • Goatie (unregistered) in reply to BG
    BG:
    In TheDailyWTF comment system you can type your password in and it appears as *'s!. For instance, if you typed 'hunter2' it would appear to me as '*******'

    LOL Good old Bash quotes! :D

  • SR (unregistered) in reply to Markus
    Markus:
    Your Name:
    BG:
    In TheDailyWTF comment system you can type your password in and it appears as *'s!. For instance, if you typed 'hunter2' it would appear to me as '*******'

    It doesn't work. When I type '1337rulez', I can still see my password.

    That's because '1337rulez' is your password. It appears to me as '*********'

    isecretlylikejustinbeiber

  • SR (unregistered) in reply to SR
    SR:
    isecretlylikejustinbeiber

    It doesn't work! Moderators delete this!

  • BetterYet (unregistered) in reply to grok
    grok:
    So... assuming password1 is user entered and password2 is database retrieved, I could successfully pass authentication for any of the following passwords: ["what", "whatthe", "wtf?"] by entering w?

    Better yet, I think you could log in by not typing anything at all. We'll just call that a "master password" and label it as a feature, though.

  • Steve H (unregistered) in reply to BG
    BG:
    In TheDailyWTF comment system you can type your password in and it appears as *'s!

    Weird! Where does the completely spurious apostrophe come from?

  • illtiz (unregistered) in reply to Markus
    Markus:
    Your Name:
    BG:
    In TheDailyWTF comment system you can type your password in and it appears as *'s!. For instance, if you typed 'hunter2' it would appear to me as '*******'

    It doesn't work. When I type '1337rulez', I can still see my password.

    That's because '1337rulez' is your password. It appears to me as '*********'

    You forgot to mention that the first '1337rulez' is readable for him because you copy/pasted it from his original post.

  • Your Name (unregistered) in reply to Markus
    Markus:
    Your Name:
    BG:
    In TheDailyWTF comment system you can type your password in and it appears as *'s!. For instance, if you typed 'hunter2' it would appear to me as '*******'

    It doesn't work. When I type '1337rulez', I can still see my password.

    That's because '1337rulez' is your password. It appears to me as '*********'

    Hey, neat!

  • Your Name (unregistered) in reply to Your Name
    Your Name:
    Markus:
    Your Name:
    BG:
    In TheDailyWTF comment system you can type your password in and it appears as *'s!. For instance, if you typed 'hunter2' it would appear to me as '*******'

    It doesn't work. When I type '1337rulez', I can still see my password.

    That's because '1337rulez' is your password. It appears to me as '*********'

    Hey, neat!

    Wait, how did you know my password?

  • (cs) in reply to Your Name
    Your Name:
    Your Name:
    Markus:
    Your Name:
    BG:
    In TheDailyWTF comment system you can type your password in and it appears as *'s!. For instance, if you typed 'hunter2' it would appear to me as '*******'

    It doesn't work. When I type '1337rulez', I can still see my password.

    That's because '1337rulez' is your password. It appears to me as '*********'

    Hey, neat!

    Wait, how did you know my password?

    ctrl+c/v the ********

  • (cs)

    I use the same combination on my luggage!

    This function is less than a WTF if it compares hashes, in which case they'd be fixed length and a shorter pass1 wouldn't help bypass anything.

  • Anonymous (unregistered)

    I like to think that there's always a more complicated way to do string comparisons. Comparing byte arrays is a nice over-complication but I've seen better.

  • (cs)

    TRWTF is that he uses a try-catch block to avoid throwing an IndexOutOfRangeException, rather than making sure the bounds are correct in the loop.

  • brb (unregistered) in reply to Cbuttius
    Cbuttius:
    The Nerve:
    Fixed?
    public static bool passwordsMatch(string pass1, string pass2)
    {
        return pass1.Equals(pass2);
    }
    

    Not the same logic. pass1 must be a left-subset of pass2 but doesn't have to be equal to it.

    public static bool passwordsMatch(string pass1, string pass2)
    {
        // same flawed logic: pass1 only has to be a prefix of pass2
        return pass2.StartsWith(pass1);
    }

  • Eddie (unregistered) in reply to grok
    grok:
    So... assuming password1 is user entered and password2 is database retrieved, I could successfully pass authentication for any of the following passwords: ["what", "whatthe", "wtf?"] by entering w?

    I would assume that it's meant to check two user entered strings to make sure they are the same to catch mistypes before (hopefully) salting and hashing the password. It still doesn't work as it should, and is a stupid way of doing this anyway, however.

  • t3h (unregistered) in reply to frits

    Shouldn't you also check the lengths first?

  • t3h (unregistered) in reply to frits

    Shouldn't you also check the lengths first?

    frits:
    You guys laugh, but this is the exact code the CLR uses for String.Equals(), except they use a loop over a switch for optimization.

  • NotWTF (unregistered) in reply to Larry
    Larry:
    TRWTF is people who don't understand what encryption is.

    Well, not really. Those "password strings" could just as easily be password hashes, which of course are also usually encoded as strings. Or this could be part of an initial validation step (making sure that the two passwords typed in are identical) which should be done before the passwords are hashed, at least if the hashes are salted.

  • (cs) in reply to Larry
    Larry:
    TRWTF is people who don't understand what encryption is.
    This *might* not be intended to check the password for login purposes. Maybe it's just for checking whether the "password" and "confirm password" fields match, i.e., the user didn't typo.

    But yes, if this is for login authentication, using plaintext passwords, it's been a well-known incredibly stupid practice for many decades....

  • Bram (unregistered)

    Looks like an empty String for 'pass1' lets the method return TRUE? That's handy if you forget your password!

  • (cs)

    D'oh, looks like a bunch of us thought of the same thing at the same time. The orbiting mind-control lasers must be in broadcast mode again.

  • feugiat (unregistered)

    Unit test for this class looks like

    assertTrue(passwordsMatch("abc", "abcOMGWTFBBQ"));

    because clearly, the passwords match.

  • Chris Marisic (unregistered) in reply to feugiat

    This goes to the purpose of unit testing: not only are you supposed to test valid cases, you want to test invalid cases too.

    Of course if you didn't specifically create an edge case where the password exactly matches except it has more characters I guess you'd still miss the logic fault in this.

  • (cs) in reply to BG
    BG:
    In TheDailyWTF comment system you can type your password in and it appears as *'s!. For instance, if you typed 'hunter2' it would appear to me as '*******'

    Haha, very funny, do you really think I would give you my ******** that easily

  • InstantAdmin (unregistered) in reply to SR
    SR:
    SR:
    isecretlylikejustinbeiber

    It doesn't work! Moderators delete this!

    You mistyped, it should read **********************

  • (cs) in reply to Your Name
    Your Name:
    BG:
    In TheDailyWTF comment system you can type your password in and it appears as *'s!. For instance, if you typed 'hunter2' it would appear to me as '*******'

    It doesn't work. When I type '1337rulez', I can still see my password.

    LOL! FAIL

  • Randall (unregistered) in reply to Your Name

    I just see *********

  • Fk (unregistered) in reply to Ken B.

    sure, now it only gives an ArrayIndexOutOfBoundException... Just compare lengths first
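
An added example, not code from the article or from any commenter: a reconstruction of the flawed comparison as the thread describes it (byte-by-byte loop over pass1, swallowed IndexOutOfRangeException; the original article code is not on this page, so the exact shape is assumed) next to a hardened version that checks for null, requires equal length and compares in constant time, with the negative test cases feugiat and Chris Marisic call for.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class PasswordCompare
{
    // Assumed reconstruction of the flawed logic: walk pass1's bytes, and if pass2
    // is shorter the swallowed exception turns into "false". A pass1 that is merely
    // a prefix of pass2 (including the empty string) never reaches the exception
    // and is accepted.
    public static bool FlawedMatch(string pass1, string pass2)
    {
        byte[] a = Encoding.UTF8.GetBytes(pass1);
        byte[] b = Encoding.UTF8.GetBytes(pass2);
        try
        {
            for (int i = 0; i < a.Length; i++)
                if (a[i] != b[i]) return false;
        }
        catch (IndexOutOfRangeException) { return false; }
        return true;
    }

    // Hardened version: no nulls, lengths must agree, and the byte comparison
    // runs in constant time so a mismatch position does not leak through timing.
    public static bool SafeMatch(string pass1, string pass2)
    {
        if (pass1 == null || pass2 == null) return false;
        byte[] a = Encoding.UTF8.GetBytes(pass1);
        byte[] b = Encoding.UTF8.GetBytes(pass2);
        // FixedTimeEquals returns false on a length mismatch without early exit.
        return CryptographicOperations.FixedTimeEquals(a, b);
    }

    static void Check(bool cond, string what)
    {
        if (!cond) throw new Exception("FAILED: " + what);
        Console.WriteLine("ok: " + what);
    }

    static void Main()
    {
        // Invalid cases a unit test must cover: prefix and empty input.
        Check(FlawedMatch("abc", "abcOMGWTFBBQ"), "flawed accepts prefix");
        Check(FlawedMatch("", "hunter2"), "flawed accepts empty pass1");
        Check(!SafeMatch("abc", "abcOMGWTFBBQ"), "safe rejects prefix");
        Check(!SafeMatch("", "hunter2"), "safe rejects empty pass1");
        Check(SafeMatch("hunter2", "hunter2"), "safe accepts exact match");
    }
}
```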

  • Ben (unregistered)

    I wonder why they convert it to a byte string first? I could see trying to normalize the string, but they don't do that.

  • (cs) in reply to cicobuff
    cicobuff:
    The Nerve:
    Fixed?
    public static bool passwordsMatch(string pass1, string pass2)
    {
        return pass1.Equals(pass2);
    }
    

    Null exception if pass1 is null?

    True but so what? If you are passing nulls here perhaps the app should fail. Not checking on an empty string may be a problem, assuming empty strings are not allowed as password.

  • Sir Robin the Not-Quite-So-Brave-As-Sir-Lancelot (unregistered) in reply to frits
    frits:
    You guys laugh, but this is the exact code the CLR uses for String.Equals(), except they use a loop over a switch for optimization.
    Of course the CLR parses a String (which is an Object) to an array of Primitives (like byte). Duh! The WTF is not using one of the most common methods of a String object (or any other object). I don't know how you .NET queers do it, but in Eclipse I am only one keypress away from the Java source of the equals method.

  • Iie (unregistered) in reply to Ken B.
    Ken B.:
    Scott:
    Okay, so if psswd2 is longer than psswd1 they can still match. WTF!?
    for (int i = 0; i < max(psswd1.Length,psswd2.Length); i++)
    Fixed.

    I LOL'd

  • blah (unregistered) in reply to frits
    frits:
    You guys laugh, but this is the exact code the CLR uses for String.Equals(), except they use a loop over a switch for optimization.

    If by "exact" you mean "completely different", then yes you're right.

  • GreenDragon (unregistered)

    I suspect there would also be an issue with converting the string to unicode and checking the bytes of the string, rather than the characters themselves. I can easily see the same unicode string converted to different byte sequences for the same characters.

  • Rob (unregistered) in reply to Sir Robin the Not-Quite-So-Brave-As-Sir-Lancelot
    Sir Robin the Not-Quite-So-Brave-As-Sir-Lancelot:
    frits:
    You guys laugh, but this is the exact code the CLR uses for String.Equals(), except they use a loop over a switch for optimization.
    Of course the CLR parses a String (which is an Object) to an array of Primitives (like byte). Duh! The WTF is not using one of the most common methods of a String object (or any other object). I don't know how you .NET queers do it, but in Eclipse I am only one keypress away from the Java source of the equals method.

    Sadly, I'm perpetually a keypress away from Eclipse crashing horribly. :(

Leave a comment on “Very Special Strings”
