
# Most secure authentication system ever

4 replies to this topic

### #1 Xifos (Members)

Posted 21 May 2013 - 05:00 AM

Saw this thing of beauty in the JavaScript on a website I have to maintain; it shouldn't need any explanation.

```javascript
// username and password are the form field values; they are not defined in
// the snippet as posted. The loop and branch bodies were lost from the page;
// the comments mark what the replies in this thread say they did.
function submitentry()
{
    passcode = 1
    usercode = 1
    for(i = 0; i < password.length; i++)
    {
        // body reconstructed from replies #5 and #7: multiply in the char
        // code of the lowercased password
        passcode = passcode * password.toLowerCase().charCodeAt(i)
    }
    for(x = 0; x < username.length; x++)
    {
        // same for the username
        usercode = usercode * username.toLowerCase().charCodeAt(x)
    }
    if(usercode==17094266689500000 && passcode==5.69355164929536e+25)
    {
        // per replies #4 and #7: go to the lowercased password + ".html"
        window.location = password.toLowerCase() + ".html"
    }
    else
    {
        // body not preserved on the page
    }
}
```

### #2 samoth (Members)

Posted 21 May 2013 - 05:44 AM

This is awesome. Neglecting the ca. 30 other issues, the comparison against 5.69355164929536e+25 allows for 10^10 different, valid passwords.

I always forget my passwords; now finally a site that is customer-friendly and allows for a fair chance to guess it right.

### #3 Bacterius (Members)

Posted 21 May 2013 - 04:41 PM

Hope you changed those credentials, as the usercode/passcode are about as "hashed" as plaintext here.

“If I understand the standard right it is legal and safe to do this but the resulting value could be anything.”

### #4 PandemiaTheGame (Members)

Posted 22 May 2013 - 07:36 AM

I actually found this same authentication system on a website some time ago. Scary.

> This is awesome. Neglecting the ca. 30 other issues, the comparison against 5.69355164929536e+25 allows for 10^10 different, valid passwords.
>
> I always forget my passwords; now finally a site that is customer-friendly and allows for a fair chance to guess it right.

Yeah, passwords are valid but at least you have to guess the correct one to be redirected to the right page. All the other valid passwords will give you 404.

Pandemia - The game: The first augmented reality, massively multiplayer online, zombie survival game for Android and iOS. Soon on Kickstarter!

### #5 Aurioch (Members)

Posted 23 May 2013 - 04:27 AM

Wait.

If I read this correctly (and I hope I didn't; I reread the code several times to be sure I didn't miss something), the code allows login only when the products of the Unicode char codes of the lowercased username and password are exactly 17094266689500000 and 5.69355164929536e+25 respectively?

I might be asking a stupid and/or obvious question (I cannot comprehend why this code exists), but... isn't that insanely vulnerable compared to... I don't know... storing hashed data in a database and checking the hashes?

### #6 Bacterius (Members)

Posted 23 May 2013 - 04:30 AM

> I might be asking a stupid and/or obvious question (I cannot comprehend why this code exists), but... isn't that insanely vulnerable compared to... I don't know... storing hashed data in a database and checking the hashes?

Well, this is the Coding Horrors subforum, so I guess we are all wondering how this code was brought into existence in the first place (and what the author was thinking while he was writing it).

“If I understand the standard right it is legal and safe to do this but the resulting value could be anything.”

### #7 samoth (Members)

Posted 23 May 2013 - 06:46 AM

> Wait.
>
> If I read this correctly (and I hope I didn't; I reread the code several times to be sure I didn't miss something), the code allows login only when the products of the Unicode char codes of the lowercased username and password are exactly 17094266689500000 and 5.69355164929536e+25 respectively?
>
> I might be asking a stupid and/or obvious question (I cannot comprehend why this code exists), but... isn't that insanely vulnerable compared to... I don't know... storing hashed data in a database and checking the hashes?

I would be more concerned about my browser reporting it to the next site I visit, which may be Google or something worse. With some luck, it's a site that publishes /var/log/access_log. This used to be quite common, though admittedly I've not seen it so often lately (but Googling for `HTTP/1.1 200 mozilla compatible;` quickly finds you some, like e.g. this one).

Or, since the entire security is built on appending ".html" to a lowercase-plaintext password (*cough*), someone might just try 3 or 4 of the most often chosen passwords, like password1, fuckyou, 123456, 111111, monkey, qwertz, imcool. This won't take very long.

Edited by samoth, 23 May 2013 - 06:53 AM.