Comment on You just had to ask that question
vrek@programming.dev 3 hours ago
I had this happen to me. The program was only used internally but it was possibly the worst code that would compile. My personal favorite was the “login”. When launching the program it accessed a local SQL server. On that server was a table named “login” which you would assume had a list of all users and their passwords, right?
Now that would be bad because you could launch SSMS directly and just look at the table, but when you did that there was 1 entry: user “admin”, password “admin”.
But that’s not all… When you look at the code these values are hard-coded in. There is a LINQ query to check the login table for an entry with username “admin” and password “admin” and return the values in password. Now you might be thinking what the hell, but here’s the kicker… when it got the response back it checked len(password) => 5
Yup… Didn’t check if password was correct just that the length of the password was equal to or greater than 5.
The actual username entry box? Yeah it didn’t validate anything. You could just bang your hand on the keyboard and log in… Really you didn’t even have to do that. You had to click or tab into the field and then click login. It didn’t require you to enter anything just that the username field was active at some point.
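An added example, not part of the comment above and not the program's code: a Python reconstruction of the check as described, next to a login that actually verifies what was typed. The in-memory SQLite database, the `users` table, the function names and the sample account are all assumptions made for the illustration.

```python
import hashlib, hmac, os, sqlite3

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed setting)

def flawed_login(db, typed_user, typed_password):
    # As described: the query uses hard-coded values, and only the length of
    # the returned password is tested. The typed input is never consulted.
    row = db.execute(
        "SELECT password FROM login WHERE username = ? AND password = ?",
        ("admin", "admin"),
    ).fetchone()
    return row is not None and len(row[0]) >= 5

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def create_user(db, username, password):
    # Store a per-user random salt and a slow hash, never the password itself.
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (username, salt, hash_password(password, salt)))

def checked_login(db, typed_user, typed_password):
    # Look up the user that was actually typed, then compare hashes in
    # constant time.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (typed_user,)).fetchone()
    if row is None:
        # Do the same hashing work for unknown users so response time does
        # not reveal which usernames exist.
        hash_password(typed_password, b"\x00" * 16)
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(typed_password, salt), stored)

def demo_db():
    # Constructed sample data: the single plaintext row from the anecdote,
    # plus one hashed account for the corrected check.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login (username TEXT, password TEXT)")
    db.execute("INSERT INTO login VALUES ('admin', 'admin')")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
               "salt BLOB, pw_hash BLOB)")
    create_user(db, "alice", "constructed-sample-passphrase")
    return db

if __name__ == "__main__":
    db = demo_db()
    print(flawed_login(db, "asdfjkl", ""))   # any input is accepted
    print(checked_login(db, "asdfjkl", ""))  # unknown user is rejected
```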
thedeadwalking4242@lemmy.world 2 hours ago
I thought my work was bad…