
CodeSOD: Confession: The Coin-Flip Hash

by Remy Porter, from The Daily WTF (http://thedailywtf.com/), item #VFB2

There are certain problems in computing that you generally shouldn't tackle unless you're planning to make it your life's work. Don't write your own date handling logic. Don't write your own encryption. If you do, you'll probably screw it up, so use something developed by someone who knows what they are doing.

Handling passwords is a branch of cryptography, in many ways, and the same rule applies. Samuel sends this to us as a confession; he hopes to unburden himself of his sins. It's bad enough that he's passing passwords in the clear, but he goes a step further:

    if (isset($_POST["pass"])) {
        $r = rand(0, 1);  // coin flip: decides which of the two digests gets compared
        if (
            ($r == 0 && md5($_POST["pass"]) == "7e843964cca0fe3c3adc1d3f8605554b") ||
            ($r == 1 && sha1($_POST["pass"]) == "92f5d9410b62c8a35da15d64cacce9db13d15277")
        ) {
            // render successful login content, set cookie
        } else {
            // render login error
        }
    } else {
        // render "no password" error
    }

If the user has supplied a password, this utterly bizarre logic flips a coin. Based on the flip, it compares either the MD5 or the SHA-1 of the submitted password against a hard-coded digest, and for bonus points the digests live in the source, which I guess "solves" the problem of storing them someplace (and means that changing the password means shipping a code change). Note what the coin actually does: unless both constants are digests of the same password, a user who types the right one is turned away on roughly half of their attempts, and the check as a whole accepts two different passwords. Either way, both are fast, unsalted general-purpose hashes rather than a purpose-built password hash.
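To see what the flip actually does, here is the check isolated so the coin can be set by hand, next to what the login should have been using PHP's own password API. This is an added example, not Samuel's code or anything from the article; the passwords ("hunter2", "hunter3") and the digests derived from them are constructed for the demonstration, since the article's constants have unknown preimages.

```php
<?php
declare(strict_types=1);

// Added example, not code from the article. Samuel's check, isolated so the
// coin ($r) is chosen by the caller instead of drawn from rand(0,1).
function coinFlipLogin(string $pass, int $r, string $md5Hash, string $sha1Hash): bool
{
    return ($r === 0 && md5($pass) === $md5Hash)
        || ($r === 1 && sha1($pass) === $sha1Hash);
}

// Share of the two possible coin outcomes that let $pass in (0.0, 0.5 or 1.0).
function acceptanceRate(string $pass, string $md5Hash, string $sha1Hash): float
{
    $accepted = 0;
    foreach ([0, 1] as $r) {
        if (coinFlipLogin($pass, $r, $md5Hash, $sha1Hash)) {
            $accepted++;
        }
    }
    return $accepted / 2;
}

// Constructed constants, not the ones from the article.
// Case 1: both digests come from the same (hypothetical) password.
$md5Same  = md5('hunter2');
$sha1Same = sha1('hunter2');
// Case 2: the digests come from two different passwords.
$md5Other  = md5('hunter2');
$sha1Other = sha1('hunter3');

foreach (['hunter2', 'hunter3', 'wrong'] as $attempt) {
    printf("%-8s same preimage: %.1f   different preimages: %.1f\n",
        $attempt,
        acceptanceRate($attempt, $md5Same, $sha1Same),
        acceptanceRate($attempt, $md5Other, $sha1Other));
}

// What it should have been: one slow, salted hash produced by password_hash()
// (currently bcrypt for PASSWORD_DEFAULT; the output string carries the
// algorithm, cost and random salt), stored outside the code (a DB column, here
// just a variable), and checked with password_verify(), which the PHP manual
// documents as safe against timing attacks.
function storeNewPassword(string $pass): string
{
    return password_hash($pass, PASSWORD_DEFAULT);
}

function login(string $pass, string $storedHash): bool
{
    return password_verify($pass, $storedHash);
}

$stored = storeNewPassword('hunter2');
var_dump(login('hunter2', $stored));
var_dump(login('hunter3', $stored));
// Changing the password now means writing a new hash to the store, not a code deploy.
```

Run it with `php coinflip.php`. In the "same preimage" column only hunter2 is accepted, and always; in the "different preimages" column hunter2 and hunter3 are each accepted on one of the two coin outcomes, which is the half-the-time login and the two-valid-passwords behaviour described above. The password_hash() string, unlike a bare MD5 or SHA-1 digest, records its own algorithm and cost, so a store can later be migrated by rehashing on the next successful login when password_needs_rehash() says so.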

One of Samuel's co-workers spotted this, saw his name on the commit, and asked him, "What were you thinking?"

Samuel could only answer, "I wasn't."
