An empty password will pass this check because the code uses the length of the user entry, not the length of the correct password. Other potential problems (buffer overflows, etc.) are left as an exercise for the reader. [Shameless plug: If you enjoy problems like this, have strong security experience, communicate well, and want a job at a fun (and profitable) company, visit http://www.cryptography.com/company/careers.html.]
I would laugh but I found a small variation on that code in a project I was working on.
It was only a tad more secure because it used strcmp and the original coder added a NULL check to prevent it from crashing on an empty password
Unfortunatly you still only needed to get the first letter right.
strcmp unfortunatly seems to be the logical eqivelant of strncmp(string1,string2, strlen(string1)) And many coders think at first glance that it will not return a match if the strings aren't the same length.
For the security-lingo disadvantaged... (Score:1, Troll)
Re:For the security-lingo disadvantaged... (Score:2)
An empty password will pass this check because the code uses the length of the user entry, not the length of the correct password. Other potential problems (buffer overflows, etc.) are left as an exercise for the reader. [Shameless plug: If you enjoy problems like this, have strong security experience, communicate well, and want a job at a fun (and profitable) company, visit http://www.cryptography.com/company/careers.html.
Re:For the security-lingo disadvantaged... (Score:2)
It was only a tad more secure because it used strcmp and the original coder added a NULL check to prevent it from crashing on an empty password
Unfortunatly you still only needed to get the first letter right.
strcmp unfortunatly seems to be the logical eqivelant of strncmp(string1,string2, strlen(string1)) And many coders think at first glance that it will not return a match if the strings aren't the same length.
I've s
Re:For the security-lingo disadvantaged... (Score:2)
int main(void)
{
const char *a = "hello";
const char *b = "hello there";
printf("%d\n", strcmp(a, b));
}
This prints -1 as you'd expect (a comes before b). Change both strings to "hello" and it prints 0.