Question

Question 1. The following code asks the user to enter the password and check it with the pre-defined password that stored in the system. If the entered password is correct, it will authenticate the user to log-in into the account, otherwise reject!

1. Analyze the following code, how it works?
2. Do you think this code is safe? Justify?
3. Try to overwrite this code and report the outputs?
4. Define any vulnerabilities in this code if exist?
5. What we can do to make this code more secure? Justify by writing a secure version of this code.

#include <stdio.h>

#include <string.h>

#include <stdbool.h>

int main(void)

{

    char buff[8];

    bool pass = true ;

    printf("\n Enter the password : \n");

    gets(buff);

        if(strcmp(buff, "admin") ==0)

    {

        printf ("\n Correct Password \n");

        pass = true;

    }

    else

    {

        printf ("\n Wrong Password \n");

        pass = false;

       

    }

    if(pass)

    {

       /* authorized the user*/

        printf ("\n Permission is given to the user \n");

    }

    return 0;

}

Submission

For this assignment, you need to write a report file of your work. The report should answer each question in details, providing outputs of the code to justify your answer.

Answer 1

Here is the source code in C to validate the username and password. For your convience, I have shared several source codes and each of them is written in C.

Kindly give a Thumbs up/Like if you find this answer helpful. It means a lot to me. God bless you !!

Solution 1:

#include <stdio.h>
#include <termios.h> // in gcc, use < conio.h > in turboc
#include <string.h>
 
#define USERNAME    "user001"
#define PASSWORD    "ok@123"
 
/************************************************
THIS CODE IS USED IN GCC LINUX
because getch() is not defined in library file
************************************************/
 
static struct termios old, new;
 
/* Initialize new terminal i/o settings */
void initTermios(int echo)
{
  tcgetattr(0, &old); /* grab old terminal i/o settings */
  new = old; /* make new settings same as old settings */
  new.c_lflag &= ~ICANON; /* disable buffered i/o */
  new.c_lflag &= echo ? ECHO : ~ECHO; /* set echo mode */
  tcsetattr(0, TCSANOW, &new); /* use these new terminal i/o settings now */
}
 
/* Restore old terminal i/o settings */
void resetTermios(void)
{
  tcsetattr(0, TCSANOW, &old);
}
 
/* Read 1 character - echo defines echo mode */
char getch_(int echo)
{
  char ch;
  initTermios(echo);
  ch = getchar();
  resetTermios();
  return ch;
}
 
/* Read 1 character without echo */
char getch(void)
{
  return getch_(0);
}
 
/* Read 1 character with echo */
char getche(void)
{
  return getch_(1);
}
 
/* function :   getPassword(),
   to get password from keyboard    */
 
void getPassword(char *pass)
{
    int c=0;
    char buff[30]={0},ch;
    int len=0;
    while((ch=getch())!='\n')
    {
        if(ch==0x7f)    // use 0x08 in turboc (WINDOWS)
        {
            if(len==0)  continue;
            printf("\b \b"); len--; continue;
        }
        printf("%c",'*');
        pass[len]=ch;
        len++;
    }
    pass[len]='\0';
 
}
 
int main()
{
 
    char user[30],pass[30];
    printf("Enter User Name :");
    gets(user);
    printf("Enter Password  :");
    getPassword(pass);
     
    if(strcmp(user,USERNAME)==0 && strcmp(pass,PASSWORD)==0)
        printf("\nLOGIN SUCCESS.\n");
    else
        printf("\nLOGIN FAILED.\n");
    return 0;
}

Output

  Enter User Name :user001
    Enter Password  :******
    LOGIN SUCCESS.

Solution 2:

#include<stdio.h>

#include<string.h>

void main()

{

char name[25],pwd[25],ver[25];

int i,a,digi=0,up=0,low=0,schar=0;

printf("Enter your Name: ");

gets(name);

printf("Hello %s, Enter your password:\n",name);

gets(pwd);

a=strlen(pwd);

if(a<5)

{

printf("Error: Password should contain contain minimum 5 characters ");

}

else if(a>12)

{

printf("Error: Password shouldn't exceed 12 characters ");

}

else

{

for(i=0;pwd[i]!=NULL;i++)

{

if(pwd[i]>='A' && pwd[i]<='Z')

up++;

if(pwd[i]>='a' && pwd[i]<='z')

low++;

if(pwd[i]>='0' && pwd[i]<='9')

digi++;

if(pwd[i]=='@'||pwd[i]=='#'||pwd[i]=='$')

schar++;

}

}

if(up==0)

printf("There must be at least one Uppercase\n");

if(low==0)

printf("There must be at least one Lowercase\n");

if(digi==0)

printf("There must be at least one Digit\n");

if(schar==0)

printf("There must be at least one Special Character\n");

else

{

printf("Confirm your Password\n");

gets(ver);

if(strcmp(pwd,ver)==0)

printf("Welcome %s, your is Password Verified",name);

else

printf("Password did not match");

}

getch();

}

Solution3:

#include <stdio.h> 
#include <conio.h> 
#include <string.h> 
 
void main() 
{ 
   
  char username[20]; 
  char userpwd[8]; // for storing password 
  int i; 
   
  printf("Enter your username : "); 
  //gets(username); 
  scanf("%s",username); 
   
  printf("Enter your password : "); 
  /* accept password */ 
 
  for(i=0;i<8;i++) 
  { 
   userpwd[i]=getch(); 
   printf("*");          
  } 
  userpwd[i]='\0'; 
 
/*------------------*/ 
 
  printf("\n\nPress any key to continue"); 
  getch(); 
 
 if(!strcmp(username,"sumitadmin") && !strcmp(userpwd,"sumit123")) 
 { 
  printf("\n\nLogged In Successful"); 
 }else 
 { 
  printf("\n\nIncorrect username or password"); 
 } 
}

Solution 4:

#include <stdio.h>
int main() {
        int pass, x=10; 

        while (x!=0)
        {
        printf("\nInput the password: ");
        scanf("%d",&pass);  
        
        if (pass==1234)
        {
                printf("Correct password");
                x=0;
    }
    else
    {
       printf("Wrong password, try another");       
        }
        printf("\n");
   }
        return 0;
}