Admin
Frest
Admin
Encraption?
Admin
More like encraption..
Admin
Excuse me, it's clearly "encreption".
Admin
Encraption!
Admin
RnJpc3Qh
Admin
Wot no ROT13?
Admin
Tm8geW91J3JlIG5vdC4NCkJ1dCB5b3UgYXJlIHRoZSBmcmlzdCB0byB1c2UgZW5jcmVwdGlvbi4g
Admin
What happens if the text gets too long? Well, let's see...
QnV0IEkgbXVzdCBleHBsYWluIHRvIHlvdSBob3cgYWxsIHRoaXMgbWlzdGFrZW4gaWRlYSBvZiBkZW5vdW5jaW5nIHBsZWFzdXJlIGFuZCBwcmFpc2luZyBwYWluIHdhcyBib3JuIGFuZCBJIHdpbGwgZ2l2ZSB5b3UgYSBjb21wbGV0ZSBhY2NvdW50IG9mIHRoZSBzeXN0ZW0sIGFuZCBleHBvdW5kIHRoZSBhY3R1YWwgdGVhY2hpbmdzIG9mIHRoZSBncmVhdCBleHBsb3JlciBvZiB0aGUgdHJ1dGgsIHRoZSBtYXN0ZXItYnVpbGRlciBvZiBodW1hbiBoYXBwaW5lc3MuIE5vIG9uZSByZWplY3RzLCBkaXNsaWtlcywgb3IgYXZvaWRzIHBsZWFzdXJlIGl0c2VsZiwgYmVjYXVzZSBpdCBpcyBwbGVhc3VyZSwgYnV0IGJlY2F1c2UgdGhvc2Ugd2hvIGRvIG5vdCBrbm93IGhvdyB0byBwdXJzdWUgcGxlYXN1cmUgcmF0aW9uYWxseSBlbmNvdW50ZXIgY29uc2VxdWVuY2VzIHRoYXQgYXJlIGV4dHJlbWVseSBwYWluZnVsLiBOb3IgYWdhaW4gaXMgdGhlcmUgYW55b25lIHdobyBsb3ZlcyBvciBwdXJzdWVzIG9yIGRlc2lyZXMgdG8gb2J0YWluIHBhaW4gb2YgaXRzZWxmLCBiZWNhdXNlIGl0IGlzIHBhaW4sIGJ1dCBiZWNhdXNlIG9jY2FzaW9uYWxseSBjaXJjdW1zdGFuY2VzIG9jY3VyIGluIHdoaWNoIHRvaWwgYW5kIHBhaW4gY2FuIHByb2N1cmUgaGltIHNvbWUgZ3JlYXQgcGxlYXN1cmUuIFRvIHRha2UgYSB0cml2aWFsIGV4YW1wbGUsIHdoaWNoIG9mIHVzIGV2ZXIgdW5kZXJ0YWtlcyBsYWJvcmlvdXMgcGh5c2ljYWwgZXhlcmNpc2UsIGV4Y2VwdCB0byBvYnRhaW4gc29tZSBhZHZhbnRhZ2UgZnJvbSBpdD8gQnV0IHdobyBoYXMgYW55IHJpZ2h0IHRvIGZpbmQgZmF1bHQgd2l0aCBhIG1hbiB3aG8gY2hvb3NlcyB0byBlbmpveSBhIHBsZWFzdXJlIHRoYXQgaGFzIG5vIGFubm95aW5nIGNvbnNlcXVlbmNlcywgb3Igb25lIHdobyBhdm9pZHMgYSBwYWluIHRoYXQgcHJvZHVjZXMgbm8gcmVzdWx0YW50IHBsZWFzdXJlPw0KDQooVGhlIExhdGluIHZlcnNpb24gb2YgdGhpcyB0ZXh0IHN0YXJ0cyB3aXRoICJMb3JlbSBpcHN1bSIuLi4p
Admin
That's very orginal indeed. The spellig, of course, not the encreption.
Admin
I came here to say "encraption", but I'm clearly not the only one with that idea.
Admin
The more blogs and WTF posts I read, the more conversations I have with IT professionals the more I have sympathy for Luddites and those that insist on paying with cash.
Admin
V1c5MUlIZHBiR3dnYm1WMlpYSWdaM1ZsYzNNZ2FHOTNJRWtnWlc1amNubHdkR1ZrSUhSb2FYTT0=
Admin
Craptography is a common problem in many organizations.
Admin
Well, to be fair, they didn't call it encryption.
Looks more like TRANSEC cover, without the SEC.
Admin
This is just about as secure as ROT13, but with more characters in the output.
Admin
Ah, security through obscurity. If you don't know the encryption method, then you can't decode the message. I wonder if the person who came up with this password scheme was just using it as a filler until (s)he could implement a reasonably secure one-way encryption, but did not get around to it before the software was released.
Admin
Looking at the context of the code, it's not really trying to encrypt as such - just adding in a bit of obfuscation so that the plain-text password wouldn't appear in log files etc. With any type of form-based authentication you're relying on a secure underlying transport to stop the user's password being discovered.
Admin
I'm not wholly convinced that calling encode64 from Javascript on the browser qualifies as "security by obscurity."
Admin
Are the deleted comments just mentioning the company name?
Admin
Maybe they were trying to encode passwords in a way to accept any character without having to worry about escaping rules?
Admin
Not sure why any of that code would prevent using a long password.
Admin
I know the law, officer! This is encrapment!
Admin
Not sure I see the problem here, some sort of encoding on the front end (presumably to deal with encoding of unusual characters) and then presumably hashed on the server. (Any hashing, of any kind, would have no value clientside anyway)
Admin
Hai guyz, am i doing it right? [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToBase64String("I'm just an asshole DBA but even for me this is the worst thing I've seen in 2018"))
Admin
Wish I could decrapt what you have said
Admin
Then the problem is that the frontend code is really badly named. Pair this with the spelling mistake which indicates the quality of (the absence of) their code reviews.
Admin
My bank used to enforce a password policy that prevents duplicate characters, anywhere in the password (eg. your password couldn't have multiple 'a's). Not only does that actually reduce security, the policy was not enforced on the server-side, only with JavaScript.
Admin
So your best bet is to use 26 character passwords?
Admin
I use cash for reasons of basic privacy (a human right, banks etc. don't need to know where I spend my money, stores don't need to know who I am as you get warranty based on receipts anyway, etc.) and the acts of withdrawing physical money and paying with it gives me a great sense of how much I'm spending (as opposed to occasionally remembering to check my account balance).
Admin
Dave: there are more reasons than mere Ludditism to prefer paying with cash, as well. Psychologically, most people tend to spend more when they can just swipe a credit card than if they have to hand over a physical object. Of course, banks don't like it when people point this out, so they make a huge bluster over convenience and cost to shops and the safety of cash transport and so on. Some of these are marginally true, as well, but they'll never admit that the real reason for this push towards a cashless society is that it makes us pay more interest.
Admin
Would calling it "Excreption" be subtler than "Encraption"?
Admin
Encreption: 1. to put something in a very thin pancake, 2. pretending very simple stock encoding is good enough to hide a password
Admin
Sam replaced the function with inceptPassword, which encodes it four levels deep until even the password doesn't know what it is
Admin
I agree with Richard. For example, .Net 4.x doesn't by default allow form posts that include strings like "<script>". Perhaps rather than disabling this, they are just encoding on the front-end. That doesn't rule out properly salting and hashing on the back-end.
RWTF may simply be poor function naming, and lack of comments.
Admin
Clever indeed, as the password is also ROT-286 encrypted before hashing.
Admin
Has Harlot Packherder (or whatever euphemism we are using for That Company today is) done anything right in software since, I dunno, 1986 or so?
Admin
That's twice as secure.
Admin
It may be that encode64 is not the js built-in function... but a user defined one that actually performs some encryption