Admin
•••••
Admin
Fixed?
Admin
Okay, so if psswd2 is longer than psswd1 they can still match. WTF!?
Admin
In TheDailyWTF comment system you can type your password in and it appears as 's!. For instance, if you typed 'hunter2' it would appear to me as '******'
Admin
TRWTF is of course it only catches 'IndexOutOfRangeException', what about FileNotFound?
Admin
So... assuming password1 is user entered and password2 is database retrieved, I could successfully pass authentication for any of the following passwords: ["what", "whatthe", "wtf?"] by entering w?
Admin
It doesn't work. When I type '1337rulez', I can still see my password.
Admin
Null exception if pass1 is null?
Admin
TRWTF is people who don't understand what encryption is.
Admin
You guys laugh, but this is the exact code the CLR uses for String.Equals(), except they use a loop over a switch for optimization.
Admin
Yeah right... Let's try that out:
hunter2
doesn't look like stars to me!!!!
Admin
That's because '1337rulez' is your password. It appears to me as '*********'
Admin
Not the same logic. pass1 must be a left-subset of pass2 but doesn't have to be equal to it.
Admin
Actually, this is a huge security breach, because it makes any account hackable by anyone who knows what this code looks like, or by anyone who mistypes his password by adding letters at the end and notices this.
Accounts can be hacked the same way as that key lock from 2010-03-31
Admin
LOL Good old Bash quotes! :D
Admin
isecretlylikejustinbeiber
Admin
It doesn't work! Moderators delete this!
Admin
Weird! Where does the completely spurious apostrophe come from?
Admin
Hey, neat!
Admin
Wait, how did you know my password?
Admin
ctrl+c/v the ********
Admin
I use the same combination on my luggage!
This function is less than a WTF if it compares hashes, in which case they'd be fixed length and a shorter pass1 wouldn't help bypass anything.
Admin
I like to think that there's always a more complicated way to do string comparisons. Comparing byte arrays is a nice over-complication but I've seen better.
Admin
TRWTF is that he uses a try-catch block to avoid throwing an IndexOutOfRangeException, rather than making sure the bounds are correct in the loop.
Admin
I would assume that it's meant to check two user-entered strings to make sure they are the same, to catch mistypes before (hopefully) salting and hashing the password. However, it still doesn't work as it should, and is a stupid way of doing this anyway.
Admin
Shouldn't you also check the lengths first?
Admin
Well, not really. Those "password strings" could just as easily be password hashes, which of course are also usually encoded as strings. Or this could be part of an initial validation step (making sure that the two passwords typed in are identical) which should be done before the passwords are hashed, at least if the hashes are salted.
Admin
But yes, if this is for login authentication, using plaintext passwords, it's been a well-known incredibly stupid practice for many decades...
Admin
Looks like an empty String for 'pass1' lets the method return TRUE? That's handy if you forget your password!
Admin
D'oh, looks like a bunch of us thought of the same thing at the same time. The orbiting mind-control lasers must be in broadcast mode again.
Admin
Unit test for this class looks like
assertTrue(passwordsMatch("abc", "abcOMGWTFBBQ"));
because clearly, the passwords match.
Admin
This goes to the purpose of unit testing: not only are you supposed to test valid cases, you want to test invalid cases.
Of course if you didn't specifically create an edge case where the password exactly matches except it has more characters I guess you'd still miss the logic fault in this.
Admin
Haha, very funny, do you really think I would give you my ******** that easily
Admin
You mistyped, it should read **********************
Admin
LOL! FAIL
Admin
I just see *********
Admin
sure, now it only gives an ArrayIndexOutOfBoundException... Just compare lengths first
Admin
I wonder why they convert it to a byte string first? I could see trying to normalize the string, but they don't do that.
Admin
True but so what? If you are passing nulls here perhaps the app should fail. Not checking on an empty string may be a problem, assuming empty strings are not allowed as password.
Admin
If by "exact" you mean "completely different", then yes you're right.
Admin
I suspect there would also be an issue with converting the string to unicode and checking the bytes of the string, rather than the characters themselves. I can easily see the same unicode string converted to different byte sequences for the same characters.
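The comparison this thread keeps picking apart, reconstructed as an added example (the article's own code is not reproduced on this page, so the `LooksLikeTheWtf` method below is a hypothetical reconstruction from the commenters' descriptions, not the original). It walks `pass1` byte by byte and relies on `IndexOutOfRangeException` to handle a longer `pass1`, so a `pass1` that is a prefix of `pass2`, the empty string, and the `"abc"` / `"abcOMGWTFBBQ"` "unit test" all come back true, and a null throws straight through the catch. Beside it is a fixed version that rejects nulls, normalizes both strings to NFC before encoding (my choice, addressing the point about the same text having different byte sequences), and lets `CryptographicOperations.FixedTimeEquals` do the length check and a non-short-circuiting comparison. Method names and the test vectors are constructed for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class PasswordCompare
{
    // Hypothetical reconstruction of the comparison described in the thread
    // (not the article's code). Each byte of pass1 is checked against pass2;
    // running past the end of pass2 is "handled" by the exception filter.
    // Consequences: an empty pass1 matches anything, any pass1 that is a
    // prefix of pass2 matches, and a null argument throws an
    // ArgumentNullException from GetBytes that the catch block never sees.
    public static bool LooksLikeTheWtf(string pass1, string pass2)
    {
        byte[] b1 = Encoding.UTF8.GetBytes(pass1);
        byte[] b2 = Encoding.UTF8.GetBytes(pass2);
        try
        {
            for (int i = 0; i < b1.Length; i++)
            {
                if (b1[i] != b2[i]) return false;
            }
            return true;                      // reached without ever checking b2.Length
        }
        catch (IndexOutOfRangeException)
        {
            return false;                     // pass1 longer than pass2
        }
    }

    // Fixed version: explicit null handling, canonical Unicode form so equal
    // text yields equal bytes, and a fixed-time comparison that returns false
    // for differing lengths instead of depending on an exception.
    public static bool FixedCompare(string pass1, string pass2)
    {
        if (pass1 == null || pass2 == null) return false;
        byte[] b1 = Encoding.UTF8.GetBytes(pass1.Normalize(NormalizationForm.FormC));
        byte[] b2 = Encoding.UTF8.GetBytes(pass2.Normalize(NormalizationForm.FormC));
        return CryptographicOperations.FixedTimeEquals(b1, b2);
    }

    public static void Main()
    {
        // Constructed vectors covering the cases raised in the comments above.
        string[][] cases =
        {
            new[] { "w",       "what" },         // prefix: wtf=True,  fixed=False
            new[] { "",        "anything" },     // empty pass1: wtf=True, fixed=False
            new[] { "abc",     "abcOMGWTFBBQ" }, // the "unit test": wtf=True, fixed=False
            new[] { "whatthe", "what" },         // longer pass1: both False (wtf via exception)
            new[] { "hunter2", "hunter2" },      // genuine match: both True
        };

        foreach (string[] c in cases)
        {
            Console.WriteLine(
                $"{c[0],-8} vs {c[1],-13} wtf={LooksLikeTheWtf(c[0], c[1]),-5} fixed={FixedCompare(c[0], c[1])}");
        }
    }
}
```

`CryptographicOperations.FixedTimeEquals` is available from .NET Core 2.1 onward; on older frameworks the equivalent is a length check followed by a loop that ORs the XOR of every byte pair and only inspects the accumulator at the end. Either way the comparison belongs on hashes of equal length, not on plaintext, which is the other point several commenters made.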
Admin
Sadly, I'm perpetually a keypress away from Eclipse crashing horribly. :(