- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
It's necessary to do it this way for embedded systems.
Admin
I suppose though that in this case as passwords are so special, it should be fish, or even more likely phish.
Admin
My password is just the letter 'a'.
Admin
Did it work?
Admin
Believe it or not, this is how TD Canada Trust's (Canada's second largest financial institution) online banking works.
They only allow for a password up to 8 characters. If you enter more than 8 characters the system truncates anything beyond 8 chars and validates.
Other things about TD Canada Trust's passwords:
I've raised these issues with their support team however they state that these faults are actually features. They even said that because hundreds of people forget their passwords that they are willing to sacrifice a little security for ease of use.
Admin
Dear barc0de,
In case you can’t tell, this is a grown-up place. The fact that you insist on using your ridiculous handle clearly shows that you’re too young and too stupid to be using thedailywtf.com.
Go away and grow up.
Sincerely,
Admin
hunglikeahorse
oh cool it works!
Admin
Sales guy, I've reset your password to "password".
Admin
5-8 characters, also makes sense. No sense in using more characters than your average user can count up to.
No special characters allowed, makes sense also it is after all a pass 'word' not a pass '%_Qw987-P='
ignore case - this feature makes sense, this way your typical Canuckistani CAN LEAVE THE CAPS LOCK KEY ON AT ALL TIMES
Admin
This is nothing like the code that .NET uses for String.Equals(). They call an internal unsafe method called EqualsHelper() which does a while loop over the two Char arrays to check them character by character.
Admin
Whatever version of Netscape my junior high school had installed on their Mac Colour Classic IIs actually let you do this. Someone had typed in a password on a web page then walked away from the computer. CMD-C and CMD-V and it actually showed up in the address bar. I couldn't believe it.
Admin
The company-wide common code library is TRWTF.
Admin
So if I pass two empty strings it will return false?
Admin
Admin
Oh my goodness.
Oh, my stars and garters.
If the bank wants to give user passwords away, why don't they just sell the password file? It would probably be worth a few nickels.
Admin
FTFY.
Admin
Also it has the whole pass1.Length != pass2.Length check that that might have (slightly) improved the original code.
Admin
Ahah!, good ol' bash.org
Admin
TRWTF is recycling.
Admin
Then frits is right, jackass. Or do you think there's a meaningful difference between a while loop and the implementation in the sample?
The RWTF here is not using the built-in library.
Admin
Corrected catch block:
catch (IndexOutOfRangeException ex) { throw new OhMyGodStringsAreActuallyDifferentLengthsException("something went horribly wrong", ex); }
Admin
Admin
In some systems it actually is important to hold passwords as something other than String. Because in Java and C# String is immutable, it's rather difficult to remove the password from memory once it is no longer needed. That opens it up to attack from eg malware that scans the PC's memory (or possibly worse, swapfile). If the password is captured into a char[] instead, the array can be overwritten as soon as it is finished with.
Admin
I guess this is much shorter!
public static bool passwordsMatch(string pass1, string pass2) { return pass2.StartsWith(pass1); }
Admin
LOL @ IRC Bash =)
Admin
This is actually the same bug as a bug in Windows 95/98/ME.
"File and Print Sharing service in Windows 95, Windows 98, and Windows Me does not properly check the password for a file share, which allows remote attackers to bypass share access controls by sending a 1-byte password that matches the first character of the real password, aka the "Share Level Password" vulnerability."
(http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0979)
Admin
what do you mean by "in beiber"?
Admin
Admin
In fact passwords should be treated differently: you should use a constant time comparison (e.g. not returning once a mismatched character is found as in the above)
Admin
Admin
Admin
Sure? http://www.itbusiness.ca/it/client/en/home/news.asp?id=58406
Admin
Admin
A world in which people learn about statistics, and know a tiny bit about computer security. There have been a few, well publicized timing vulnerabilities in the last few years.
Admin
I just had flashbacks of finding code like this in a particular web system. At first, I wondered why this would work, as it didn't encrypt/hash the password. Then it dawned in me...
the passwords were stored in clear text.
Admin
Admin
It was a joke.
Addendum (2010-09-15 12:28): You would think the whole "loop over a switch" thing would be a tip off.
Admin
Attacks were mounted, keys were recovered, please don't ever write security code, thanks.
Admin
Admin
it is the manifestation of the world's dislike for you.
Admin
Admin
No, frits said "over a switch statement", which would be different. But he was just being cheeky.
And highphilosopher pointed out that the internal String.Equals uses unsafe code, which allows it to use pointers for performance. He may have missed the sarcasm, but there's no need to get nasty.
Admin
it's a contraction of **s. He means that that the password appears as pairs of stars
Admin
LOL. That's a wonderful response to that meme; I may have to steal it.
Why are you still using them as a bank? (Or are you?)Kohls only allows up to 8 characters for their credit card site, but at least distinguishes case and it allows at least some special characters. Usually I do some things that decrease the entropy over a completely random n-character password (like make it pronounceable), but with them I keep as much strength as I could figure out I could.
When it comes to banks, there are enough that I would have no compunction about closing my account and moving to another bank over that issue.
Admin
While I understand the need for security, I think after three tries my computer should let me in anyway. After all it is my computer, and you software geeks need to face reality and understand that I have important deals to close and I can't be bothered typing my password over and over all day long whenever I go to my bank, or stock broker, or the gaming and pr0n sites that keep me on my edge.
Admin
Timing Attacks are BS.
Could someone devise a test on a closed system, while in control of every aspect of the network infrastructure, with the ability to reduce as much noise as possible?
perhaps
could you utilize those techniques to crack a password at Digg.com?
no.
The complexity of filtering out the noise is exponentially higher. Heck, even the interrupt coalescing algorithm (that is likely running on the network driver on the server you are connecting to) will introduce noise orders of magnitude greater than the change in processing time from getting a character correct.
Admin
Obviously, everyone knows that if a.length != b.length you should return false even before starting the loop.
Correct implementation of equals (for ascii):
bool equals(String lhs, String rhs) { if(rhs.length() != lhs.length()) return false; for(idx_t i = 0; i < lhs.length(); ++i) { if(rhs.at(i) != lhs.at(i)) return false; } return true; }Please tell me it's correct. It's correct, right?
Admin
You can optimize and use an object comparison. If (object)rhs == (object)lhs you can go ahead and return true immediately.
Admin
//This should guarantee that they can't use time-based attacks to get at our passwords! public boolean arePasswordsEqual(String pass1, String pass2) { for(String possiblePassword : passwordGenerator.passwordsOfLength(pass1.length)) { if(pass1.Equals(possiblePassword) && pass2.Equals(pass2)) return true; } return false; }Oh, and passwordGenerator just pulls the passwords from the database table which has the password and its hash code for easy look up. That way it's Fast and Secure!
Admin
public static bool passwordsMatch(string pass1, string pass2) { // bgates : TODO - add security stuff return true; }