- Feature Articles
- CodeSOD
- Error'd
- Forums
-
Other Articles
- Random Article
- Other Series
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
Hey I have an idea! Let's just ship all software with perpetual cookies sent over SSL and there's no need to do any authentication, ever.
Admin
The Real WTF is obviously not using Rot13 encryption. I always use Rot13 twice for good measure.
Admin
StackOverflow wasn't around in 2005.
Admin
Rot13 twice on a blank password is the most secure of all.
Admin
I briefly worked at a place that sent their super-secret government-related passwords in.... base64. That is, you could decrypt them with the base64 command. This had been going on for 22 years.
Admin
I worked at a university where they had single signon implemented. Basically you logged into a web page and it made a get request to the application passing the username and password as query parameters. Very handy signon once and just save the url.
Admin
And here we learn the difference between encryption and encoding.
Admin
... except that those characters aren't escaped, because the return value of the
replace
method is never used...Admin
Now we'll learn the difference between encoding and enciphering, the latter being what conversion to base64 does. Encoding would be to use a one-time pad (or, to be exact, some pad ) to encrypt the message. #iseewhatididthere
Admin
Oh, I forgot. Once you typed base64 oaiwdyiausydajz it came back with:
Contoso1
and this went to/from port 80, not any fancy TLS port.
Admin
Hmm. Stack Overflow launched in Sept 2008.
Admin
If it is proper government, it'll say "you're not allowed to decrypt that, go to jail". Instantly secure.
Admin
That is nothing. I was told that the sensitive, personal information was fine over the internet because it was encoded -- in Unicode. "See all of those spaces in there. That makes it so it is not straight forward to work with"... not a direct quote, but pretty close to it. They were quite serious about it passing the security bar as well.
Admin
Sorry, a one-time pad is a cipher, not a code. A cipher operates at the individual character level. A code operates at the word level. So the word "purple" might be encoded as "enigma". An encoded message might then be further enciphered just to make things a bit more difficult for the opposition.
Admin
"We send those credentials to the backend using a from submission"
What is a from submission? Does it need a matching to submission?
Admin
Not to mention that the regex is wrong: it should be
/\+/g
and not/\\+/g
because it's a regex literal./\\+/g
actually matches any consecutive group of\
s.I blame this on Remy not knowing his deal of JS again. Come on, how hard it is to learn JS if even monkeys can write code in it?
Admin
Off: well, yes SSL/TLS does warrant safety. Never mind that even your antivirus software plays MitM attack on your SSL/TLS trafic.
Admin
Pretty much every word of that is wrong. Codes have fixed one to one (or many) relationships between input and output. Ciphers do not, they can encipher the same plaintext in multiple ways.
A one time pad is a form of cipher. That's why you can use it to encipher any string.
Admin
A code is a mapping from the space of possible messages into some other space (possibly the same one) of representations. Maybe because the communication channel (which includes storage) carrying the message can't handle the original representation, or to improve reliability of the communication in the face of noise.
Encryption is encoding with additional requirements imposed, driven by the motives of the communicators, to prevent unauthorised access or alteration of the message being communicated.
Admin
The real WTF is, that "challenge" is never used.
Admin
It makes more sense to just hash it.
Though I'm undecided if thou must always has the password is really entirely legit. There's lots of sensitive details you can't hash.
I am a fan of the public/private encryption strategy combined with hashing. When a user signs up you hash their password as normal then encrypt it and send it down a one way pipe. That one way pipe would permit rehashing the passwords down the line, usually offline as in you take a USB of the encrypted plugins, put it in the airgapped machine, rehash and then put the hashes on the USB, take them back, upload to your server, import into the database.
I wouldn't trust most people to set that up securely, but then I wouldn't expect most people to setup anything securely.