One time use passwords
-
Continuing the discussion from Password issue:
One time use passwords
just type in arbitrary characters like G%fd67$-hEW, log in and do your stuff.
The next time you want to log in simply ask for another password-reset email.
There is one particular shopping site that I have to use this way. The site has no stated restrictions on password length or allowed characters. The password-reset page happily accepts the strong passwords generated by Keepass. Fortunately, the reset process leaves me logged in, because the login page absolutely refuses to accept the same password pasted from Keepass. The next time I need to log in, I need to do another reset. I have no idea how they're mangling the password, but it does not encourage me to purchase from them.
-
This is usually an indication that they're truncating your password in one place but not another.
-
Yeah, either truncating or stripping forbidden characters, but I don't know the rules, because they don't say what they are. And CBA to experiment enough to figure them out.
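The truncation-or-stripping mismatch discussed in the posts above, as an added example that is not part of the original thread and not the shopping site's code. The 16-character limit, the stripped character set and all function names are assumptions; `G%fd67$-hEW` is the sample password from the first post.

```python
import hashlib, hmac, os

MAX_LEN = 16              # assumed: limit silently applied by the login form
FORBIDDEN = set("%$<>")   # assumed: characters silently stripped at login

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def reset_password(store, user, password):
    """Reset path: hashes the password exactly as submitted."""
    salt = os.urandom(16)
    store[user] = (salt, _hash(password, salt))

def login_buggy(store, user, password):
    """Login path that 'cleans' its input, so it hashes a different string."""
    mangled = "".join(c for c in password if c not in FORBIDDEN)[:MAX_LEN]
    salt, expected = store[user]
    return hmac.compare_digest(_hash(mangled, salt), expected)

def login_fixed(store, user, password):
    """Login path that hashes the submitted string unchanged, like the reset path."""
    salt, expected = store[user]
    return hmac.compare_digest(_hash(password, salt), expected)

def round_trip_failures(login, probes):
    """Every password the reset path accepts must log in; return those that don't."""
    failures = []
    for pw in probes:
        store = {}
        reset_password(store, "alice", pw)
        if not login(store, "alice", pw):
            failures.append(pw)
    return failures

# Constructed probes: plain, special characters, one over the limit, at the limit.
PROBES = ["short1", "G%fd67$-hEW", "x" * 17, "sixteen-chars-ok"]

if __name__ == "__main__":
    print("buggy login rejects:", round_trip_failures(login_buggy, PROBES))
    print("fixed login rejects:", round_trip_failures(login_fixed, PROBES))
```

Run as a regression test against both code paths, a check like this catches the mismatch before users do; any length or character limit belongs in validation at set time, with a stated rule, not in silent rewriting.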
-
This is usually an indication that they're truncating your password in one place but not another.
Yep, and it is a special type of WTFery when you notice something like that. At least it is better than them emailing your password that you used back to you. BTW, this happens on basically all of our state websites and I know for certain that it happens on all of them that pertain to local/sales tax.
Yeah, either truncating or stripping forbidden characters, but I don't know the rules, because they don't say what they are.
Use a shorter, simpler password.
-
Cool story bro, http://username:password@site.com gets hairy if the user has a : in his user ID and/or password. Would be nice if secure password generators stopped using that one.
-
What about
p@ssword
?
-
in b4 hunter2
-
-
Cool story bro, http://username:password@site.com gets hairy if the user has a : in his user ID and/or password. Would be nice if secure password generators stopped using that one.
You have to %-encode them (same for @). Wish I didn't know this the hard way.
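The percent-encoding mentioned above, as an added example that is not part of the original post: it builds a `user:password@host` URL naively and with encoding, then parses both back. The credentials, `site.example` and the function names are constructed for illustration.

```python
from urllib.parse import quote, unquote, urlsplit

def build_url_naive(user, password, host, path="/"):
    """Pastes the credentials in unchanged; ':' and '@' become delimiters."""
    return f"http://{user}:{password}@{host}{path}"

def build_url(user, password, host, path="/"):
    """Percent-encodes every reserved character in both userinfo fields."""
    userinfo = f"{quote(user, safe='')}:{quote(password, safe='')}"
    return f"http://{userinfo}@{host}{path}"

def parse_credentials(url):
    """Returns (user, password, host) as a URL parser sees them, decoded."""
    parts = urlsplit(url)
    return (unquote(parts.username or ""),
            unquote(parts.password or ""),
            parts.hostname)

# Constructed sample credentials containing both troublesome characters.
USER, PASSWORD, HOST = "dom:alice", "p@ss:w0rd", "site.example"

if __name__ == "__main__":
    for build in (build_url_naive, build_url):
        url = build(USER, PASSWORD, HOST)
        print(url, "->", parse_credentials(url))
```

With the naive form the parser splits at the first colon, so the user ID comes back as `dom` and the rest is treated as the password; the encoded form round-trips both fields intact.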
-
All asterisk usually doesn't meet minimum entropy (read a..z) checks though for caps, lowercase, number. ...
-
I don't know about Keepass since I stopped using it before I needed this feature, but LastPass lets me adjust how it generates passwords at generation time, so I can tell it to not use special characters, limit it to X characters, "make pronounceable" if it's going to be needed over the phone for some reason, and avoid ambiguous characters like l or 1 in case I need to type it someplace.
-
I don't know about Keepass since I stopped using it before I needed this feature, but LastPass lets me adjust how it generates passwords at generation time, so I can tell it to not use special characters,
Yes, including specific sets of or individual special characters
limit it to X characters,
Yes
"make pronounceable"
No
avoid ambiguous characters like l or 1
Yes
I could make KeePass generate a password with whatever arbitrary, stupid, security-reducing rules the website imposes — if the site told me what those rules are.
-
My suggestion would be make a 6-character password with no special characters if you get tired of the one-time-password thing.
-
But then I would have no reason to <s>bitch at</s> encourage them to fix their broken web site. As they say at work, "fix the problem; workarounds are not acceptable." (If only they actually followed that dictum...)
-
I usually do both. I just don't tell the person I'm complaining to that I have a workaround, so they prioritize it higher, but I'm not frustrated while I'm waiting for them to get their shit together and fix it.
I also tend to leave bug reports when I decide to move from one library to another because something's broken, for example.
-
It often pays to make the workaround that you offer obviously awful, possibly breaking something else they think is important. Focuses minds…
-
Fortunately, the reset process leaves me logged in, because the login page absolutely refuses to accept the same password pasted from Keepass. The next time I need to log in, I need to do another reset.
I had to do that with my car loan bank's website. Couldn't be bothered to remember the rules, so once a month, I'd generate a new password. Learned the hard way not to bother changing it, because it had ridiculous no-reuse rules.
Also: Fuck you Discourse. Don't show me this topic as a new topic and then complain that the last post was 12 days old so do I really want to reply.
-
Let me guess: in your preferences you have "Consider topics new when" set to "I haven't read them yet".
-
I think that's it, and I blame @codinghorror for suggesting it, and not myself at all for thinking it might be a good idea.
-
As do I.
-
The password-reset page happily accepts the strong passwords generated by Keepass. Fortunately, the reset process leaves me logged in, because the login page absolutely refuses to accept the same password pasted from Keepass.
The same website that does this also does this:
For USPS first class and priority mail only, the tracking numbers have recently change and are beyond our system ability to automatically send you a complete number. You will not be able to track this type of service,
The USPS tracking number is 22 digits, but they only show the first 20.
We are working to resolve this.
For over a year, and they still can't make the field 2 digits wider.
Bonus WTFs:
The tracking number appears only in the invoice attached to the email, not the email itself. The invoice is a PDF — containing only an embedded image, so you can't select the number to paste it into the carrier's tracking web site; you have to type a long string of pseudo-random numbers.
For your convenience we have included links to the UPS and the FedEx web sites below.
Except that they aren't links; they're just text, and they don't include "http://", so your email client won't necessarily linkify them.
They're a good vendor, with (usually) good prices on good products, but their online presence leaves something to be desired.
-
For over a year, and they still can't make the field 2 digits wider.
Are they these guys?
-
The USPS tracking number length thing caused mass fucking chaos in my industry (print, mailing and product fulfillment). As did the similar lengthening of FedEx tracking numbers soon beforehand. It's astonishing how many idiotic fixed width data interchange formats there are.
Recent attempts by the USPS to make us put more, better barcodes on more packages so they can have a tracking system that is less god fucking awful have been met with fierce congressional lobbying (and Congress has chosen to interpret "put a barcode on that or pay retail rate" as a postage increase) and kiboshed.
Mainly because nobody wants to change the fucking formats again, because we didn't use a reasonable format the last two times.
-
Are they these guys?
No.
@PaulaBean said:Jack worked for a company that had built a goods-declarations system for freight-forwarders
This company is a wholesaler/retailer. I don't find any indication on their website of who did their site design; other than the password problem (and the way some products are categorized, but that's more a business issue than design issue), it's pretty decent, so it probably wasn't the president's nephew. The back-end is probably some off-the-shelf product.
-
It's astonishing how many idiotic fixed width data interchange formats there are.
-
-
This is why I have Salesforce on my resume, but will not work with it. Interviewers can bring it up, I'll use my technical knowledge to explain the WTFs, and why I refuse to work on it, and that will help show my competance.
"competence" SIC on purpose
-
-
Just make sure it's an oral demonstration.
Nominated for whoosh.
This is why I have Salesforce on my resume, but will not work with it. Interviewers can bring it up, I'll use my technical knowledge to explain the WTFs, and why I refuse to work on it, and that will help show my competance.
<small><small><small><small><small><small><small><small><small><small><small><small><small><small><small><small><small><small><small><small><small><small><small><small>"competence" SIC on purpose
-
Nominated for whoosh.
No you didn't. I'll cop to not looking at the source. But you messed this up, too:
"competence" SIC on purpose
Should have been more like:
"competance" sic
So I'll stick to my original assessment.