Sign in to follow this  

Most secure authentication system ever

This topic is 1700 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.

Recommended Posts

Saw this thing of beauty in the javascript on a website I have to maintain, it shouldn't need any explanation smile.png

	

    function submitentry()
    {
            password = document.password1.password2.value.toLowerCase()
            username = document.password1.username2.value.toLowerCase()
            passcode = 1
            usercode = 1
            for(i = 0; i < password.length; i++)
            {
                    passcode *= password.charCodeAt(i);
            }
            for(x = 0; x < username.length; x++)
            {
                    usercode *= username.charCodeAt(x);
            }
            if(usercode==17094266689500000 && passcode==5.69355164929536e+25)
            {
                    window.location=password+".html"
            }
            else
            {
                    alert("You used the wrong credentials.")
            }
    }


 

Share this post


Link to post
Share on other sites

This is awesome :) Neglecting the ca. 30 other issues, the comparison against 5.69355164929536e+25 allows for 1010 different, valid passwords.

 

I always forget my passwords, now finally a site that is customer-friendly and allows for a fair chance to guess it right :)

Share this post


Link to post
Share on other sites

Hope you changed those credentials, as the usercode/passcode are about as "hashed" as plaintext here :)

Share this post


Link to post
Share on other sites


I actually found this same authentication system on a website some time ago. Scary.

 

This is awesome smile.png Neglecting the ca. 30 other issues, the comparison against 5.69355164929536e+25 allows for 1010 different, valid passwords.

 

I always forget my passwords, now finally a site that is customer-friendly and allows for a fair chance to guess it right smile.png

 

Yeah, passwords are valid but at least you have to guess the correct one to be redirected to the right page. All the other valid passwords will give you 404.

Share this post


Link to post
Share on other sites

Wait.

 

If I read this correctly (and I hope I didn't - I reread code several times to be sure I didn't miss something), code allows login only when products of unicode char codes of lowercased username and password are exactly 17094266689500000 and 5.69355164929536e+25 respectively?

 

I might be asking stupid and/or obvious question (I cannot comprehend why does this code exist), but... isn't that insanely vulnerable compared to... I don't know... storing hashed data in database and checking hashes?

Share this post


Link to post
Share on other sites

I might be asking stupid and/or obvious question (I cannot comprehend why does this code exist), but... isn't that insanely vulnerable compared to... I don't know... storing hashed data in database and checking hashes?

 

Well, this is the Coding Horrors subforum so I guess we are all wondering how this code was brought into existence in the first place (and what the author was thinking while he was writing it) smile.png

Share this post


Link to post
Share on other sites

Wait.

 

If I read this correctly (and I hope I didn't - I reread code several times to be sure I didn't miss something), code allows login only when products of unicode char codes of lowercased username and password are exactly 17094266689500000 and 5.69355164929536e+25 respectively?

 

I might be asking stupid and/or obvious question (I cannot comprehend why does this code exist), but... isn't that insanely vulnerable compared to... I don't know... storing hashed data in database and checking hashes?

I would be more concerned about my browser reporting Referer: http://secretsite.com/mysupersecretpassword.html to the next site you visit, which may be Google or something worse. With some luck, it's a site that publishes /var/log/access_log. This used to be quite common, though admittedly I've not seen it so often lately (but Googling for HTTP/1.1 200 mozilla compatible; quickly finds you some, like e.g. this one).

 

Or, since the entire security is built on appending ".html" to a lowercase-plaintext password (*cough*), someone might just try 3 or 4 of the most often chosen passwords, like password1, fuckyou, 123456, 111111, monkey, qwertz, imcool. This won't take very long.

Edited by samoth

Share this post


Link to post
Share on other sites
Sign in to follow this