cimb legacy system, only can handle 8 characters. So to create a front to able to use 20 characters this code was introduced.

But where seven found it?

There's the checking for special characters as well.

Refer to OldSchoolJoke.

Because they need to cater for old password format which is without special characters.

Because they need to cater for new password with special characters.

Thus this retarded logic.

Example if your password is 123456789 without special characters, the stupid logic will take the first 8 characters and log you in. That is why any characters after the first 12345678 does not matter.

Example if your password is 123456789!@, then the system still logs you in because it has special characters, so the length can be up to 20 as long as it has special characters.

its not about conflict, it about the .substring(0, 8) part.

means if it doesn't satisfy the first condition, it will only take the first 8 characters of the password

e.g:

your password is 123456789
since it doesn't satisfy the first condition, it will take first 8 characters which is 12345678

logically, 123456789 is not the same as 12345678. even if you plainly compare it is not the same.
so those who want to attack the site, just need to guess for 8 characters which lessen the time to guess a correct password

what they should do (IMO) is just send the password to server as it is instead of plainly showing to the world the checking.

I noob apa jadi if they use substring?
Anyway changed my password already

I guess this code snippet was lifted off the net today? ie current code, right?

Haven't read all posts here, but remember reading something about a recent change by CIMB to allow longer pw & with special characters?

And because some incompetent coder wrote the above snippet, hence the exploit was created?

Help me understand the logic...

if PW is at least 8char long, and includes special chars, then the entire pw string is passed to encryption function

if PW is at least 8char long, and dun include special chars, then the long pw is truncated & the front 8char string is passed to encryption function

if PW is < 8char long eg 7char or less, irrespective got special characters or not, then what happens? Won't password = password.substring(0, 8) evaluate to #error? Previously, wasn't there a minimum # of characters for passwords ie 8?

PS: i dunno coding. only trying to make sense of the if-then-else which is also used in excel

Thought different system would have different vendors and bank has so many systems

hahaha TQ
Thanks bro, but can pls help explain the IF statement ....

Doesn't the && operator mean that BOTH conditions must be met in order to use the entire string entered by user?

And if "checking for the password length <8 chars is already done before calling this function" then why include the password.length >= 8 condition in this IF statement? Redundant or not?

In se7en's article, he also say "IF password CONTAINS SPECIAL CHARCTERS, ACCEPT WHOLE password," implying length already check b4hand.....

LOL the coder that dumb ka???

PS: once again, hor, me dunno coding