Home
Blogs
Forums
News
Portfolios
Projects
Tutorials
33 users logged in
New? Learn about game development.
Before posting, review our community guidelines.
Follow Us
Chat in the GameDev.net Discord!
Mastodon
Back to Coding Horrors

Most secure authentication system ever

Started by
3 comments, last by Bacterius 10 years, 11 months ago

Saw this thing of beauty in the javascript on a website I have to maintain, it shouldn't need any explanation smile.png


	

    function submitentry()
    {
            password = document.password1.password2.value.toLowerCase()
            username = document.password1.username2.value.toLowerCase()
            passcode = 1
            usercode = 1
            for(i = 0; i < password.length; i++)
            {
                    passcode *= password.charCodeAt(i);
            }
            for(x = 0; x < username.length; x++)
            {
                    usercode *= username.charCodeAt(x);
            }
            if(usercode==17094266689500000 && passcode==5.69355164929536e+25)
            {
                    window.location=password+".html"
            }
            else
            {
                    alert("You used the wrong credentials.")
            }
    }

Advertisement

This is awesome :) Neglecting the ca. 30 other issues, the comparison against 5.69355164929536e+25 allows for 1010 different, valid passwords.

I always forget my passwords, now finally a site that is customer-friendly and allows for a fair chance to guess it right :)

Hope you changed those credentials, as the usercode/passcode are about as "hashed" as plaintext here :)

“If I understand the standard right it is legal and safe to do this but the resulting value could be anything.”


I actually found this same authentication system on a website some time ago. Scary.

This is awesome smile.png Neglecting the ca. 30 other issues, the comparison against 5.69355164929536e+25 allows for 1010 different, valid passwords.

I always forget my passwords, now finally a site that is customer-friendly and allows for a fair chance to guess it right smile.png

Yeah, passwords are valid but at least you have to guess the correct one to be redirected to the right page. All the other valid passwords will give you 404.

Pandemia - The game: The first augmented reality, massively multiplayer online, zombie survival game for Android and iOS. Soon on Kickstarter!

FB: facebook.com/pandemiathegame - @PandemiaTheGame

Wait.

If I read this correctly (and I hope I didn't - I reread code several times to be sure I didn't miss something), code allows login only when products of unicode char codes of lowercased username and password are exactly 17094266689500000 and 5.69355164929536e+25 respectively?

I might be asking stupid and/or obvious question (I cannot comprehend why does this code exist), but... isn't that insanely vulnerable compared to... I don't know... storing hashed data in database and checking hashes?

Tank City on IndieDB: http://www.indiedb.com/games/tank-city

I might be asking stupid and/or obvious question (I cannot comprehend why does this code exist), but... isn't that insanely vulnerable compared to... I don't know... storing hashed data in database and checking hashes?

Well, this is the Coding Horrors subforum so I guess we are all wondering how this code was brought into existence in the first place (and what the author was thinking while he was writing it) smile.png

“If I understand the standard right it is legal and safe to do this but the resulting value could be anything.”

Wait.

If I read this correctly (and I hope I didn't - I reread code several times to be sure I didn't miss something), code allows login only when products of unicode char codes of lowercased username and password are exactly 17094266689500000 and 5.69355164929536e+25 respectively?

I might be asking stupid and/or obvious question (I cannot comprehend why does this code exist), but... isn't that insanely vulnerable compared to... I don't know... storing hashed data in database and checking hashes?

I would be more concerned about my browser reporting Referer: http://secretsite.com/mysupersecretpassword.html to the next site you visit, which may be Google or something worse. With some luck, it's a site that publishes /var/log/access_log. This used to be quite common, though admittedly I've not seen it so often lately (but Googling for HTTP/1.1 200 mozilla compatible; quickly finds you some, like e.g. this one).

Or, since the entire security is built on appending ".html" to a lowercase-plaintext password (*cough*), someone might just try 3 or 4 of the most often chosen passwords, like password1, fuckyou, 123456, 111111, monkey, qwertz, imcool. This won't take very long.

This topic is closed to new replies.

Advertisement

Popular Topics

Aybe One
How do you manage yourself and your time as years pass on? GDNet Lounge
Jikoob
Too many managers? General and Gameplay Programming
ReignOnU
Do your part to stop global warming and climate change GDNet Lounge
Konjointed
C++ how do you use dependency injection? For Beginners
aigan
The promise of freedom in story games Game Design and Theory
robertrobert
Facebook Ads for sales on steam, does it work? Games Business and Law
Advertisement

Recommended Tutorials

Myopic Rhino
Corel and Bryce Business and Law
Myopic Rhino
2D Rotated Rectangle Collision General and Gameplay Programming
Myopic Rhino
Competent Counsel Business and Law
gdarchive
Completion vs. Perfection Production and Management
Myopic Rhino
Object Selection General and Gameplay Programming

Reticulating splines

About GameDev.net
Community Guidelines
Terms of Service
Privacy Policy
Contact Us
Copyright (c) 1999-2024 GameDev.net, LLC
Back to Top