
Most secure authentication system ever

6 replies to this topic

#1 Xifos   Members   -  Reputation: 433


Posted 21 May 2013 - 05:00 AM

Saw this thing of beauty in the JavaScript on a website I have to maintain; it shouldn't need any explanation :)

    function submitentry()
    {
            password = document.password1.password2.value.toLowerCase()
            username = document.password1.username2.value.toLowerCase()
            passcode = 1
            usercode = 1
            for(i = 0; i < password.length; i++)
            {
                    passcode *= password.charCodeAt(i);
            }
            for(x = 0; x < username.length; x++)
            {
                    usercode *= username.charCodeAt(x);
            }
            if(usercode==17094266689500000 && passcode==5.69355164929536e+25)
            {
                    window.location=password+".html"
            }
            else
            {
                    alert("You used the wrong credentials.")
            }
    }
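The arithmetic of the posted submitentry(), reproduced below as an added example (this is not code from the original post or from the site it was taken from) so that the weaknesses the replies point at can be checked offline: case and character order are discarded, distinct character multisets collide, the constants are doubles far above 2^53 so a whole window of integer products compares equal to each, and a small word list is enough to attack a scheme whose "hash" is the page name. The demo targets and the word list are constructed for illustration; the site's real username and password are not known here.

```javascript
// Added example; not code from the original post or the site it came from.
// Reproduces the posted "hash" so its weaknesses can be demonstrated offline.
const ALPHABET = '0123456789abcdefghijklmnopqrstuvwxyz';

// Same arithmetic as submitentry(): lowercase, then multiply the UTF-16 code
// units one at a time in IEEE-754 doubles, rounding after every step.
function legacyCode(s) {
  const lower = s.toLowerCase();
  let code = 1;
  for (let i = 0; i < lower.length; i++) code *= lower.charCodeAt(i);
  return code;
}

// Every string over ALPHABET of at most maxLen characters whose exact integer
// product is target.  Sound only while target < 2**53; both posted constants
// are larger, so there the check is between rounded doubles (see ulp() below)
// and the set of accepted inputs is wider still.
function preimages(target, maxLen) {
  const found = [];
  (function rec(rem, prefix) {
    if (rem === 1) { found.push(prefix); return; }
    if (prefix.length === maxLen) return;
    for (const ch of ALPHABET) {
      const c = ch.charCodeAt(0);
      if (rem % c === 0) rec(rem / c, prefix + ch);
    }
  })(target, '');
  return found;
}

// Spacing between adjacent doubles at x: roughly this many consecutive
// integers all round to the same double and therefore compare == to it.
function ulp(x) {
  const view = new DataView(new ArrayBuffer(8));
  view.setFloat64(0, x);                            // big-endian by default
  const biasedExp = (view.getUint32(0) >>> 20) & 0x7ff;
  return 2 ** (biasedExp - 1075);                   // bias 1023 + 52 fraction bits
}

// Dictionary attack: a guess either matches the constant or it does not, and a
// match is also the name of the page the browser is redirected to.
function guess(wordlist, target) {
  return wordlist.filter((w) => legacyCode(w) === target);
}

// Constructed demo values: the real site's username and password are unknown.
const COMMON = ['password1', '123456', '111111', 'qwertz', 'monkey'];
const DEMO_TARGET = legacyCode('monkey');

console.log(preimages(4900, 3));                              // [ '1d', '2b', 'b2', 'd1' ]
console.log(legacyCode('Secret') === legacyCode('terces'));   // true: case and order are ignored
console.log(ulp(17094266689500000), ulp(5.69355164929536e+25)); // 2 8589934592
console.log(guess(COMMON, DEMO_TARGET));                      // [ 'monkey' ]
```

preimages(4900, 3) shows the simplest kind of collision: 49 * 100 ("1d") equals 50 * 98 ("2b"), and both reversals score the same, so four different inputs are one "hash". ulp() of the password constant is 2^33, about 8.6 * 10^9, which is the order of magnitude samoth gives below for the number of accepted values; for the username constant the spacing is 2, so even that check cannot distinguish products that differ by one.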


#2 samoth   Crossbones+   -  Reputation: 4718


Posted 21 May 2013 - 05:44 AM

This is awesome :) Neglecting the ca. 30 other issues, the comparison against 5.69355164929536e+25 allows for 10^10 different, valid passwords.

 

I always forget my passwords, now finally a site that is customer-friendly and allows for a fair chance to guess it right :)



#3 Bacterius   Crossbones+   -  Reputation: 8694


Posted 21 May 2013 - 04:41 PM

Hope you changed those credentials, as the usercode/passcode are about as "hashed" as plaintext here :)


The slowsort algorithm is a perfect illustration of the multiply and surrender paradigm, which is perhaps the single most important paradigm in the development of reluctant algorithms. The basic multiply and surrender strategy consists in replacing the problem at hand by two or more subproblems, each slightly simpler than the original, and continue multiplying subproblems and subsubproblems recursively in this fashion as long as possible. At some point the subproblems will all become so simple that their solution can no longer be postponed, and we will have to surrender. Experience shows that, in most cases, by the time this point is reached the total work will be substantially higher than what could have been wasted by a more direct approach.

 

- Pessimal Algorithms and Simplexity Analysis


#4 PandemiaTheGame   Members   -  Reputation: 103


Posted 22 May 2013 - 07:36 AM


I actually found this same authentication system on a website some time ago. Scary.

 

> This is awesome :) Neglecting the ca. 30 other issues, the comparison against 5.69355164929536e+25 allows for 10^10 different, valid passwords.
>
> I always forget my passwords, now finally a site that is customer-friendly and allows for a fair chance to guess it right :)

Yeah, passwords are valid, but at least you have to guess the correct one to be redirected to the right page. All the other valid passwords will give you a 404.




#5 Aurioch   Crossbones+   -  Reputation: 1303


Posted 23 May 2013 - 04:27 AM

Wait.

 

If I read this correctly (and I hope I didn't - I reread the code several times to be sure I didn't miss something), the code allows login only when the products of the Unicode char codes of the lowercased username and password are exactly 17094266689500000 and 5.69355164929536e+25 respectively?

 

I might be asking a stupid and/or obvious question (I cannot comprehend why this code exists), but... isn't that insanely vulnerable compared to... I don't know... storing hashed data in a database and checking hashes?



#6 Bacterius   Crossbones+   -  Reputation: 8694


Posted 23 May 2013 - 04:30 AM

> I might be asking a stupid and/or obvious question (I cannot comprehend why this code exists), but... isn't that insanely vulnerable compared to... I don't know... storing hashed data in a database and checking hashes?

 

Well, this is the Coding Horrors subforum, so I guess we are all wondering how this code was brought into existence in the first place (and what the author was thinking while he was writing it) :)




#7 samoth   Crossbones+   -  Reputation: 4718


Posted 23 May 2013 - 06:46 AM

> Wait.
>
> If I read this correctly (and I hope I didn't - I reread the code several times to be sure I didn't miss something), the code allows login only when the products of the Unicode char codes of the lowercased username and password are exactly 17094266689500000 and 5.69355164929536e+25 respectively?
>
> I might be asking a stupid and/or obvious question (I cannot comprehend why this code exists), but... isn't that insanely vulnerable compared to... I don't know... storing hashed data in a database and checking hashes?

I would be more concerned about my browser reporting Referer: http://secretsite.com/mysupersecretpassword.html to the next site you visit, which may be Google or something worse. With some luck, it's a site that publishes /var/log/access_log. This used to be quite common, though admittedly I've not seen it so often lately (but Googling for "HTTP/1.1 200 mozilla compatible;" quickly finds you some, like e.g. this one).

 

Or, since the entire security is built on appending ".html" to a lowercase-plaintext password (*cough*), someone might just try 3 or 4 of the most often chosen passwords, like password1, fuckyou, 123456, 111111, monkey, qwertz, imcool. This won't take very long.


Edited by samoth, 23 May 2013 - 06:53 AM.





