string private s_password;
https://github.com/Cyfrin/2023-10-PasswordStore/blob/856ed94bfcf1031bf9d13514cb21b591d88ed323/src/PasswordStore.sol#L14
function setPassword(string memory newPassword) external {
    s_password = newPassword;
    emit SetNetPassword();
}
https://github.com/Cyfrin/2023-10-PasswordStore/blob/856ed94bfcf1031bf9d13514cb21b591d88ed323/src/PasswordStore.sol#L26-L27
Using alphabetic characters alone (which is what a string represents) to write a password makes it susceptible to a hack.
If we consider a brute-force attack, where the attacker systematically tries every possible combination of letters, a password made only of a "string" can be cracked very quickly.
For example:
A password with 1 lowercase letter (26 possibilities) can be cracked almost instantly.
A password with 2 lowercase letters (26 * 26 = 676 possibilities) may take a few minutes to crack.
A password with 3 lowercase letters (26 * 26 * 26 = 17,576 possibilities) could take hours.
However, as the length of the password increases, the time required to crack it becomes significantly longer.
The password may be easily cracked by an attacker.
Manual review
Use bytes instead of string to declare the s_password and newPassword variables.