What hash function?



  • While I don't really speak perl, I was trying to fix a minor bug in our long term archives management utility. This function, found deep in the encryption system made my blood run cold.

    #
    # Create and return a password.
    # Parms:    Seed (number or string)
    #           Number of chars in password
    # Return:   String of random characters
    sub makePassword($;$) {
            my $seed = shift;
            my $length = shift;
            my ($pascode, $code, $range, @chars);
            if (not $length) {
                    $length = 8;
            }
            @chars = (('a'..'z'),('A'..'Z'),(0..9));# Select from these
            $range = scalar(@chars);                                # Count of characters
            $pascode = '';                                                  # Clear the password
            $seed =~ tr/[A-Za-z]/[0-90-90-50-90-90-5]/;             # Change letters to numbers
            srand($seed);                                                   # Password based on volume id
            while (length($pascode) < $length) {
                    $code = int(rand($range));                      # Select a character
                    if ($code >= 0 && $code <= $range) {
                            $pascode .= $chars[$code];              # Add it to the code
                    }
            }
            return $pascode;
    }
    

    Now I'm curious, how deep does this rabbit hole go?

    printf("%s\n", makePassword("012345") );
    • Windows98: oKWPlSZk (heh TrWTF, this is the utilitys native system)
    • OpenBSD 5.1: n4mST4v1


  • Ouch.  As a nice side effect, by calling srand it clobbers the global random seed, making any random numbers generated after calling it depend only on its input.  That'll be a nice surprise for someone.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.