In which @Minkovsky applies for a student loan
-
Good thing Dischorse now lets you resize the editor, because boy will I need that.
Signing up is "easy"
The signup form only accepts National Insurance Numbers (think Social Security Number, but for the UK) without spaces, but doesn't tell you this. Normally, when you get your National Insurance Number it is printed with spaces, of the form AA 99 99 99 A, but good luck using that in the form - it truncates everything after 9 characters, so if you add in spaces the last 99 A will be thrown out. What the fuck?! If you don't want spaces in there, remove them your own goddamned self! It's like those home-rolled credit card forms! Jeez!
Security... what security?
Password rules: minimum 8 characters (yay!), maximum 16 (boo!), and no special characters (so only things that match \w{8,16}, because I guess the fuckers were lazy). WTF! It's a goddamned student loan application, it better have some good fucking security!
As a bonus WTF, the password creation screen somehow inhibits Chrome's "It looks like you're creating a password" popup, which I quite like, and does not permit me to fucking paste in the password if I generate it somewhere else. WHYYYYY. (You can paste the password in when logging in later, so yay discoursistency?)
I thought I was through the security WTFness until I noticed this in my console (yes, I check it sometimes for goodies):
POST https://www.student-finance.service.gov.uk/customer/apply/ft/1516/pages/currentcourseandfees.xhtml net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Oops. Looks like their SSL may be shitty anyway, so my password may as well have been 0000.
Also, what kind of dumbass secret answer UI is this?!
We're clueless!
Does your course lead to a healthcare profession?
What part of "COMPUTER SCIENCE WITH INDUSTRIAL EXPERIENCE" screams "healthcare profession" at you? Also they should know this, either from their own goddamned records or from the information the universities sent them.
I selected a course where 'with industry experience' is in the title and the type is 'sandwich' - which means that as part of my course I will be doing about a year's work somewhere in the industry - but then they seemingly forget about this and ask me if I'll be employed during my course.
While writing this, I discovered another bug in Discourse. Try typing in a long post, then scrolling in the editor or the preview. Sometimes, when you scroll to the end, the page behind the editor keeps on scrolling, and you can't go back to scrolling the editor. Or maybe that's just what I get from using Chrome from the future on Linux hardware.
Anyway, there will be more to come...
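As an added illustration (not code from the thread or from Student Finance), the two form behaviours described in this post beside how a form should handle them: the nine-character truncation versus stripping the spaces before validating, and the \w{8,16} password rule versus a length-only policy. The NIN shape is taken from the "AA 99 99 99 A" layout above; the 128-character cap and the stricter letter rules of real NINs are assumptions not encoded here.

```python
import re
import unicodedata
from typing import List, Optional

# Shape of the NIN as the post shows it, "AA 99 99 99 A", with the spaces removed.
# Assumption for this example: the real NIN rules restrict which letters may appear
# and are deliberately not encoded here.
NIN_SHAPE = re.compile(r"^[A-Z]{2}\d{6}[A-Z]$")
# The policy the post describes: 8 to 16 word characters, nothing else.
WEAK_PASSWORD = re.compile(r"^\w{8,16}$")
MIN_PASSWORD_LEN = 8
MAX_PASSWORD_LEN = 128  # assumed cap; its only purpose is to bound hashing cost

def nin_as_the_form_does_it(raw: str) -> str:
    """The behaviour the post describes: the field keeps nine characters and
    silently drops the rest, so a spaced NIN loses its trailing '99 A'."""
    return raw[:9]

def normalise_nin(raw: str) -> Optional[str]:
    """Strip whitespace and upper-case before validating, so the printed layout
    is accepted. Returns None when the compacted value has the wrong shape."""
    compact = "".join(raw.split()).upper()
    return compact if NIN_SHAPE.match(compact) else None

def weak_policy_ok(password: str) -> bool:
    """The \\w{8,16} rule: a 16-character cap, and a space or '&' is rejected."""
    return WEAK_PASSWORD.match(password) is not None

def hardened_policy_problems(password: str) -> List[str]:
    """Length-only policy: passphrases and any printable character, including a
    pasted generated password, are accepted. An empty list means accepted."""
    normalised = unicodedata.normalize("NFC", password)
    problems = []
    if len(normalised) < MIN_PASSWORD_LEN:
        problems.append(f"shorter than {MIN_PASSWORD_LEN} characters")
    if len(normalised) > MAX_PASSWORD_LEN:
        problems.append(f"longer than {MAX_PASSWORD_LEN} characters")
    if any(unicodedata.category(c).startswith("C") for c in normalised):
        problems.append("contains control characters")
    return problems
```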
-
-
For passwords maybe, but not normally for secret questions. Also, usually textboxes, not dropdowns.
-
One where I have to select the character from a dropdown list. I know I can just focus on it and type it, but many people don't. If they're worried about keyloggers, an on-screen keyboard in JS is not a bad idea either. This should be the fallback in case for some reason the page is viewed with JS disabled.
-
For passwords maybe, but not normally for secret questions.
Eh?
Every time I've seen this - I've put in a username and password, and then entered 3 'random' characters from a word of some kind. Doesn't matter how you phrase what it is, it's a word, and it wants 3 characters.
-
Logging into NatWest Online Banking, it's three characters from my password, and three digits from my PIN.
-
One where I have to select the character from a dropdown list.
My bank's website is like that. What's the problem.
Focus the thing, type the letter, focus the next, type the letter etc. This works whether it's a text box or a dropdown.
Student Finance are riddled with WTFs but that screen ain't one of them IMHO.
-
-
How many characters are in the dropdown?
Can the secret answer contain characters that aren't in the dropdown?
-
but then they seemingly forget about this and ask me if I'll be employed during my course.
Perhaps they were enquiring whether you'd be in paid employment while not doing the 3rd year in industry (e.g. part-time bar work etc.)?
Though given this is gov.uk we're talking about I wouldn't bet on it...
-
Logging into NatWest Online Banking, it's three characters from my password, and three digits from my PIN.
Halifax is username, password, 3 characters from the magic word.
Unless it's from the app on my mobile which is tied to the phone and only needs a PIN.
-
does not permit me to fucking paste in the password
You can usually get around this stupid "feature" by dragging.
-
Into a text box? Not picked 3 characters using goddamned dropdowns?!
Yes. Dropdowns. I'm still entering the characters.
-
About the entire [a-zA-Z0-9] class, I'd guess; and I didn't dare to try in case something broke horribly. Maybe I should've tried ' OR 1=1; DROP TABLE customers.
-
What I'm trying to get at is that dropdowns are evil and need to die. In most situations that I saw a dropdown, the question could've been framed better as a text field or a radio group.
-
What I'm trying to get at is that dropdowns are evil and need to die.
Why are they evil for this purpose?
On a computer, the interaction is exactly the same as 3 text boxes.
In most situations that I saw a dropdown, the question could've been framed better as a text field or a radio group.
I agree that's the case in a lot of other places.
-
On a computer,
Not everyone will be using this site on a computer - some might be doing this on a tablet. Why would you do that is another WTF entirely but hey, it's a gov site so they should be accessible to everyone.
the interaction is exactly the same as 3 text boxes.
But not everyone knows this. That's why I think it's badly designed.
-
But not everyone knows this
True, but your average user isn't going to care they have to enter it from 3 dropdowns.
-
I curse thee, Average L. User!
-
Also - if you log into the Student Loan Repayments website, you enter the whole secret answer.
Consistent
-
Which to me says "hey this field is stored in plain text". I wonder what else is.
-
I'm also less than a year from paying my Student Loan off. Hurrah!
-
What part of "COMPUTER SCIENCE WITH INDUSTRIAL EXPERIENCE" screams "healthcare profession" at you?
I don't see that as being particularly weird. Hospitals hire a lot of IT people. (Well, not a lot, but more than, say, a trucking company would have.)
-
Logging into NatWest Online Banking, it's three characters from my password, and three digits from my PIN.
TRWTF
-
It does imply they store the password in a manner it can be retrieved, true…
-
Logging into NatWest Online Banking, it's three characters from my password, and three digits from my PIN
Lovely to know that both those highly sensitive items are stored in such a way as to make substring comparisons feasible. That's some truly enterprisey hash coding for sure.
-
TRWTF are student loans.
/me drops
-
IT support in a hospital is not a medical profession.
-
IT support in a hospital is not a medical profession.
Ugh! I couldn't do IT support in a hospital. I would run away the minute I had to get on my knees to fix some hardware issue.
-
I would run away the minute I had to get on my knees to fix some hardware issue.
-
Don't they keep all the computers on adjustable carts?
-
Well that and "Let's take something cryptographically strong (a password) and make it NOT cryptographically strong (3 characters)." Come on guys, seriously?
Maybe it's an attempt to defeat LastPass et al.
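An added example (not code from the thread or from any bank) of the point raised in the NatWest substring-comparison post and again here: a whole-password hash can only answer "is this the whole password?", so a "characters 1, 5 and 9" prompt forces the site to keep something weaker, and the search space per challenge collapses to three symbols. The per-position scheme and the PBKDF2 work factor are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import math
import os
import string

# The thread guesses the dropdowns cover [a-zA-Z0-9]: 62 symbols per position.
ALPHABET = string.ascii_letters + string.digits
ITERATIONS = 100_000  # PBKDF2-SHA256 work factor, chosen for the example

def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)

def store_whole(password: str) -> dict:
    """Ordinary storage: one salted, slow hash over the entire password.
    It can answer only 'is this the whole password?', never 'is character 5 a b?'."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": _kdf(password, salt)}

def verify_whole(record: dict, candidate: str) -> bool:
    return hmac.compare_digest(_kdf(candidate, record["salt"]), record["digest"])

def store_per_position(password: str) -> list:
    """What a site has to keep instead so the partial prompt can work: a separate
    salted digest per (position, character). Each digest has only len(ALPHABET)
    possible preimages, so offline it is barely better than plaintext."""
    records = []
    for index, char in enumerate(password):
        salt = os.urandom(16)
        records.append((salt, _kdf(f"{index}:{char}", salt)))
    return records

def verify_per_position(records: list, answers: dict) -> bool:
    """answers maps 1-based positions, as the prompt shows them, to the claimed character."""
    ok = True
    for position, char in answers.items():
        salt, digest = records[position - 1]
        ok &= hmac.compare_digest(_kdf(f"{position - 1}:{char}", salt), digest)
    return ok

def secret_bits(symbols: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of secret behind a challenge: three characters versus the whole password."""
    return symbols * math.log2(alphabet_size)
```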
-
Ok well without knowing the definition they are using for medical profession, it doesn't sound weird to me.
-
Maybe it's an attempt to defeat LastPass et al.
Because that was a great contribution by some PM or MBA in the business chain.
-
mg;dr
Automatic bro, k?
Those who can, do.
Those who can't, do for government.
Sorry, we spent all our security budget, on our intelligence departments. People who are concerned about identity theft, can eat cake.
-
-
that comma is TRWTF
-
Actually...
Sorry, we spent all our security budget
,on our intelligence departments. People who are concerned about identity theft,can eat cake.
@trwtfbot those commas
-
those commas is TRWTF
-
-
Not really. TRWTF is people not understanding how to use them and that they shouldn't get them for e.g. an Arts degree if they aren't going to be able to pay it off.
Current rates are really amazing when you think about how it's an unsecured loan. Granted you can't get rid of them in bankruptcy, but if you tried to get a similar loan anywhere else you'd probably be paying 10+%.
TRWTF is the overall inflation of the cost of college due to student loans.
I'm probably going to take the full 10 years to pay them off but that's because I think I can make more for retirement than the rate the loan's at. If I desperately wanted to pay it off now, I could probably do that next year.
-
an attempt to defeat LastPass et al
Quite a few security-clueless outfits do seem to go out of their way to treat password management software as some kind of security threat.
After getting past the main logon page for my.gov.au, you get a second page that asks you for an answer to one of your "security" questions (you have to create at least five of those during signup). Fortunately they let you write your own security questions. Mine are
Enter secondary password with .a appended
Enter secondary password with .b appended
Enter secondary password with .c appended
Enter secondary password with .d appended
Enter secondary password with .e appended
and the answers are
wgnot.oklsz.snodg.goncx.nkaba.a
wgnot.oklsz.snodg.goncx.nkaba.b
wgnot.oklsz.snodg.goncx.nkaba.c
wgnot.oklsz.snodg.goncx.nkaba.d
wgnot.oklsz.snodg.goncx.nkaba.e
to comply with the requirement that all questions and answers must be unique and that none of the answers can be your user ID or password.
The end result is that by using a KeePass auto-type string of
Auto-Type:{USERNAME}{TAB}{PASSWORD}{ENTER}{DELAY 3000}wgnot.oklsz.snodg.goncx.nkaba.
I only need to type one extra character and hit Enter to log on. But it's still kind of annoying.
-
can't get rid of them in bankruptcy
Depending in which country. In the UK, if you're earning below £21k/yr you don't have to pay anything at all. OTOH if you step over that, those payments will automatically kick in as a form of tax. Damned if you do, damned if you don't...
-
Maybe it's an attempt to defeat LastPass et al.
Why would you want to defeat password managers? That right there is a total PHB-ism, completely disconnected from security reality...
Quite a few security-clueless outfits do seem to go out of their way to treat password management software as some kind of security threat.
QFT! Is this some sort of new brainworm that we have to start worrying about?
-
I think it's just a mutant of the old brainworm that says it's unsafe to let people paste stuff into the "Enter email address" and "Confirm email address" boxes.
Filed under: MAKE THE BASTARDS TYPE IT IN AGAIN
-
A platform I have to log in to occasionally seems to have managed to defeat chrome's builtin password manager. If it auto-fills the user/pass, it claims it's wrong. If you enter an extra char in the PW field then delete it again it's OK.
I suspect they're somehow checking whether the onChange or onKeyDown event ever fired, or something.
-
I suspect they're somehow checking whether the onChange or onKeyDown event ever fired, or something.
They're probably doing what Verizon's terrible router firmware does: "encrypting" the password in the browser for shitcurity raisins.
-
Chrome has a security feature where the JS can't read the value property of an autofilled password field until either:
- you type in it
- the form is submitted
- (temporary) it is accessed in an onclick handler
-
Well, that explains why SalesForce yells at me every time I log in, but is fine the second time around...
-
Might explain why Chase doesn't like my autofill unless I click in the boxes first. I've not been quite sure if it's that or it just doesn't like my submitting the form too fast.