this post was submitted on 25 Jan 2024
657 points (97.5% liked)

Programmer Humor

19623 readers
24 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

founded 1 year ago
MODERATORS
 
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 17 points 10 months ago* (last edited 10 months ago) (2 children)

It's also important if you're checking hashes (at least, it was - if you're using correct hashing algorithm that isn't ancient, you will not have this problem).

Because if you take for example "0e462097431906509019562988736854" (which is md5("240610708"), but also applicable to most other hashing algorithms that hash to a hex string), if("0e462097431906509019562988736854" == 0) is true. So any other data that hashes to any variantion of "0e[1-9]+" will pass the check, for example:

md5("240610708") == md5("hashcatqlffzszeRcrt")

that equals to

"0e462097431906509019562988736854" == "0e242700999142460696437005736231"

which thanks to scientific notation and no strict type checking can also mean

0^462097431906509019562988736854^ == 0^242700999142460696437005736231^

which is

0 == 0 `

I did use md5 as an example because the strings are pretty short, but it's applicable to a whole lot of other hashes. And the problem is that if you use one of the strings that hash to a magic hash in a vulnerable site, it will pass the password check for any user who's password also hashes to a magic hash. There's not really a high chance of that happening, but there's still a lot of hashes that do hash to it.

[–] darcy 10 points 10 months ago

that is terrifying

[–] [email protected] 1 points 10 months ago

If you're checking passwords, you should be using constant time string checking, anyway.

More likely, you should let your bcrypt library do it for you.