If I read this correctly (and I hope I didn't - I reread the code several times to be sure I didn't miss something), the code allows login only when the products of the Unicode char codes of the lowercased username and password are exactly 17094266689500000 and 5.69355164929536e+25 respectively?
I might be asking a stupid and/or obvious question (I cannot comprehend why this code exists), but... isn't that insanely vulnerable compared to... I don't know... storing hashed data in a database and checking hashes?
I would be more concerned about my browser reporting Referer: http://secretsite.com/mysupersecretpassword.html to the next site you visit, which may be Google or something worse. With some luck, it's a site that publishes /var/log/access_log. This used to be quite common, though admittedly I've not seen it so often lately (but Googling for HTTP/1.1 200 mozilla compatible; quickly finds you some, like e.g. this one).
Or, since the entire security is built on appending ".html" to a lowercase-plaintext password (*cough*), someone might just try 3 or 4 of the most often chosen passwords, like password1, fuckyou, 123456, 111111, monkey, qwertz, imcool. This won't take very long.
Edited by samoth, 23 May 2013 - 06:53 AM.
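The comparison raised in the first post, as an added example that is not part of the thread: the char-code product check described there, next to a salted-hash check. Function names and sample strings are constructed for illustration, and the hash check assumes it runs server-side under Node.js.

```javascript
// Added example; all names and sample strings are constructed.
const crypto = require('node:crypto');

// The scheme as described in the first post: multiply the char codes of the
// lowercased input and compare the product with a constant in the page source.
function charCodeProduct(s) {
  const lower = s.toLowerCase();
  let product = 1;
  for (let i = 0; i < lower.length; i++) product *= lower.charCodeAt(i);
  return product;
}

// Multiplication ignores order and case, and unrelated strings can share a
// product, so the check accepts far more inputs than the one intended.
function productCheckAccepts(candidate, expectedProduct) {
  return charCodeProduct(candidate) === expectedProduct;
}

// The alternative the post suggests: store a per-user salt and a slow hash,
// then recompute and compare in constant time on the server.
function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(password, salt, 32);
  return { salt, key };
}

function verifyPassword(password, record) {
  const key = crypto.scryptSync(password, record.salt, 32);
  return crypto.timingSafeEqual(key, record.key);
}

// Constructed demonstration values.
const expected = charCodeProduct('listen');
console.log(productCheckAccepts('silent', expected)); // anagram accepted
console.log(productCheckAccepts('LISTEN', expected)); // case ignored
// 'b'*'x' = 98*120 = 11760 = 105*112 = 'i'*'p': different letters, same product.
console.log(charCodeProduct('bx') === charCodeProduct('ip'));
// Long inputs exceed 2^53, where JavaScript numbers stop being exact integers.
console.log(Number.isSafeInteger(charCodeProduct('correcthorsebattery')));

const record = hashPassword('listen');
console.log(verifyPassword('listen', record)); // only the exact password
console.log(verifyPassword('silent', record));
```

Because the product constant ships in the page source, anyone who can view the page can test candidates offline; the hash record in the second half never leaves the server.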