The phrase "special characters" is a warning sign.



  • A recent Daily WTF got me thinking about this much-abused phrase.

    It seems that 90% of the time, when a programmer or (more typically) PHB uses the term "special characters" when talking about a web app, it's safe to replace the entire containing sentence with "duuuuuuurrrrrrrrhhhhhhh."

    You just don't blacklist arbitrary ASCII characters from user input in web forms, unless you can come up with a really really good reason.  "They will mess up the HTML" is not a reason.  Please, people, don't throw up alerts saying "you can't use < or > in this field!"  Don't punish your users because you don't understand escaping.

    When you see a bunch of bugs reported in a system that refer to "special characters," you can safely assume that the original authors didn't understand the concepts of escaping input in the original development effort.

    /rant 
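
The point of the rant above, escaping at the moment untrusted text is written into HTML rather than banning characters at input time, as an added example; this is not code from the original post or from the WTF it refers to. The function names and the sample comments are constructed for the illustration; `html.escape` is the Python standard-library call.

```python
import html

# Constructed sample inputs: two things a user might legitimately type and
# two probes an attacker would. None of them need to be rejected; all of
# them need to be escaped before they are placed into HTML.
SAMPLE_COMMENTS = [
    ("Alice", "if a < b and b > c then..."),
    ("Bob", '<script>alert("xss")</script>'),
    ('Eve" onmouseover="steal()', "looks harmless"),
    ("Mallory", "Tom & Jerry"),
]


def passes_blacklist(text: str) -> bool:
    """The anti-pattern the thread complains about: refuse any input that
    contains < or >. It rejects harmless text, and it still does nothing
    about a payload that only needs a double quote to break out of an
    attribute value."""
    return "<" not in text and ">" not in text


def render_comment(author: str, body: str) -> str:
    """Escape at the point where untrusted text meets HTML.

    html.escape(quote=True) rewrites &, <, >, " and ', so the same call is
    safe both in element text and inside a double-quoted attribute value.
    The author name is deliberately used in both contexts to show that."""
    safe_author = html.escape(author, quote=True)
    safe_body = html.escape(body, quote=True)
    return (
        f'<div class="comment" data-author="{safe_author}">'
        f"<b>{safe_author}</b>: {safe_body}</div>"
    )


def render_page(comments) -> str:
    """Render every (author, body) pair; the only place escaping happens
    is render_comment, which is the one place it has to."""
    return "\n".join(render_comment(author, body) for author, body in comments)


if __name__ == "__main__":
    for author, body in SAMPLE_COMMENTS:
        print(f"blacklist lets {author!r} through: {passes_blacklist(author) and passes_blacklist(body)}")
    print(render_page(SAMPLE_COMMENTS))
```

The blacklist happily accepts the `Eve" onmouseover=...` author because it contains no angle brackets, while rejecting Alice's perfectly ordinary comparison; escaping at output handles both correctly without ever telling the user what they may type.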



  • It drives me crazy when places reject my password for having non-alphanumeric characters in them.  What is this, 1996?  And it really blows my mind when it's a financial institution that does it.  American Express does this, and it really pisses me off.


  • @bstorer said:

    It drives me crazy
    My bugbear is the ones that don't accept + in the local part of an email address.
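
The `+` in the local part mentioned above is ordinary RFC 5322 "atext", so a checker only has to avoid excluding it. The following is an added example, not code from the post: a deliberately permissive structural check that rejects only what cannot be an address. It covers the unquoted dot-atom form only; quoted local parts such as `"john doe"@example.com` and internationalized addresses are outside its scope, which is a simplification, and the 64/63/253 length limits are the ones from the RFCs.

```python
# RFC 5322 atext: the characters allowed unquoted in the local part.
# Note that + ! # $ % & ' * - / = ? ^ _ ` { | } ~ are all legitimate.
ATEXT = set(
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    "!#$%&'*+-/=?^_`{|}~"
)
# Characters allowed in a DNS hostname label (LDH rule).
LABEL_CHARS = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-"
)


def valid_local_part(local: str) -> bool:
    """dot-atom form: one or more runs of atext separated by single dots,
    so no leading, trailing or doubled dots, and at most 64 octets."""
    if not local or len(local) > 64:
        return False
    atoms = local.split(".")
    return all(atom and all(c in ATEXT for c in atom) for atom in atoms)


def valid_domain(domain: str) -> bool:
    """Hostname with at least two labels, each 1-63 LDH characters that
    neither starts nor ends with a hyphen, 253 characters overall."""
    if not domain or len(domain) > 253 or "." not in domain:
        return False
    for label in domain.split("."):
        if not label or len(label) > 63:
            return False
        if label[0] == "-" or label[-1] == "-":
            return False
        if any(c not in LABEL_CHARS for c in label):
            return False
    return True


def is_acceptable_email(address: str) -> bool:
    """Structural check only. Whether the mailbox exists is established by
    sending a confirmation message, not by a regex at the form."""
    if address.count("@") != 1:
        return False
    local, domain = address.split("@")
    return valid_local_part(local) and valid_domain(domain)


if __name__ == "__main__":
    # Constructed samples: plus-addressing, an apostrophe, and some junk.
    for addr in ["alice+lists@example.com", "o'brien@example.co.uk",
                 "alice..b@example.com", "alice@-bad.example"]:
        print(f"{addr:30} {is_acceptable_email(addr)}")
```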



  • Audiosurf doesn't support Japanese or Korean characters. ):



  • @bstorer said:

    It drives me crazy when places reject my password for having non-alphanumeric characters in them.  What is this, 1996?  And it really blows my mind when it's a financial institution that does it.  American Express does this, and it really pisses me off.
     

    I got this recently with Verified By Visa. They didn't even tell me explicitly; it just kept repeating "must be 8-12 containing both numbers and letters," so I kept typing MyP455w0rd! and it kept repeating the instructions until finally I figured out on my own that "!" wasn't flying.

    Thank God for that extra layer of security while making that purchase huh? I feel so much safer now ... 



  • The worrying thing from the WTF and other people's experiences reading the comments is the fact that this is occurring with 'BIG' companies.

     



  • @dxbmatt said:

     The worrying thing from the WTF and other people's experiences reading the comments is the fact that this is occurring with 'BIG' companies.

    The thing that bothers me is that I just can't figure out how anybody can follow some bizarre set of logic that reaches the conclusion: "hey, we shouldn't allow things like exclamation marks, hyphens, underscores, or any other sort of punctuation in a password field."

    If I knew why they did it, even if the reason was a WTF in itself (and surely it is), I would feel a little better.  I could at least say "well, they did it because they have misconception X in their minds."  But, alas, I can't.  I just can't figure it out.



  • @djork said:

    If I knew why they did it, even if the reason was a WTF in itself (and surely it is), I would feel a little better.  I could at least say "well, they did it because they have misconception X in their minds."  But, alas, I can't.  I just can't figure it out.
    I used to have that limitation when I first made a validate_password function, for some reason I couldn't remember PHP's version of isPrint so I used isAlNum instead.



  • @djork said:

    The thing that bothers me is that I just can't figure out how anybody can follow some bizarre set of logic that reaches the conclusion: "hey, we shouldn't allow things like exclamation marks, hyphens, underscores, or any other sort of punctuation in a password field."

    There is no frontal lobe involved in this pseudo-decision. It's like muscle memory for thoughts and concepts: you're used to seeing strictly alphanum passwords, so "password" maps back to strict alphanum almost subconsciously.

    Is my assumption anyway. 



  • @djork said:

    The thing that bothers me is that I just can't figure out how anybody can follow some bizarre set of logic that reaches the conclusion: "hey, we shouldn't allow things like exclamation marks, hyphens, underscores, or any other sort of punctuation in a password field."

    If I knew why they did it, even if the reason was a WTF in itself (and surely it is), I would feel a little better. I could at least say "well, they did it because they have misconception X in their minds." But, alas, I can't. I just can't figure it out.

    The only reason I could come up with is they're storing passwords in their database without obfuscating and/or performing some sort of cleaning on the input string, which is the real WTF. Last I checked, there were two basic rules regarding databases and passwords:

    1. NEVER store a password as a plain-text field without obfuscation, and
    2. If you're going to store a password without obfuscation, at the very least strip out the illegal characters to prevent SQL injections -before- sending it to a database.

    Of course, you -could- just run your site's database off flat files. It's what all the cool kids are doing.
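
An added example, not any poster's code and not a description of what any company named in this thread does, of a login path in which the characters in the password never matter: the password is hashed with a per-user salt before storage, verified with a constant-time comparison, and handed to the database as a bound parameter rather than spliced into SQL text, so there is nothing to "strip" on the way in. The `validate_password` here is hypothetical (the one mentioned a few posts up is an anecdote, not shown) and checks length only; the iteration count, the 12/128 length limits and the table schema are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 600_000  # assumption: tune to your hardware budget
MIN_LEN, MAX_LEN = 12, 128   # assumption: limit length, never character class


def validate_password(password: str) -> bool:
    """Policy check that cares about length only. Punctuation, spaces and
    non-ASCII are all fine because the password is hashed, never echoed
    into HTML and never interpolated into SQL."""
    return MIN_LEN <= len(password) <= MAX_LEN


def hash_password(password: str, salt: bytes = b""):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt. Returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def create_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, digest BLOB)"
    )
    return conn


def register(conn: sqlite3.Connection, name: str, password: str) -> bool:
    if not validate_password(password):
        return False
    salt, digest = hash_password(password)
    # Bound parameters: neither the name nor the hash is part of the SQL
    # text, so quotes, semicolons and comment markers in the input are inert.
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, digest))
    return True


def login(conn: sqlite3.Connection, name: str, password: str) -> bool:
    row = conn.execute(
        "SELECT salt, digest FROM users WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        # Burn the same work for an unknown user so response time does not
        # reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    return verify_password(password, row[0], row[1])


def demo() -> dict:
    """Round trip on constructed inputs, including a password that is an
    SQL injection string. Returns the outcomes so they can be checked."""
    conn = create_db()
    injection = "' OR 1=1; -- pässwörd"
    return {
        "alice_registered": register(conn, "alice", "MyP455w0rd!!!"),
        "bob_registered": register(conn, "bob", injection),
        "short_rejected": not register(conn, "carol", "abc"),
        "alice_login": login(conn, "alice", "MyP455w0rd!!!"),
        "alice_wrong": login(conn, "alice", "MyP455w0rd!!?"),
        "bob_login": login(conn, "bob", injection),
        "unknown_user": login(conn, "nobody", "whatever-long-enough"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value}")
```

Bob's password is a textbook injection string and goes through untouched: the database only ever sees a salt and a digest, bound as parameters, and the hash function does not care what bytes it is fed.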



  • @LieutenantFrost said:

    Of course, you -could- just run your site's database off flat files. It's what all the cool kids are doing.
     

    I'm thinking of that old gem Ultimate Bulletin Board here ... and the knowledge that huge traffic sites like mp3.com (back in the day) were actually using it. :-)

      



  • @djork said:

    The thing that bothers me is that I just can't figure out how anybody can follow some bizarre set of logic that reaches the conclusion: "hey, we shouldn't allow things like exclamation marks, hyphens, underscores, or any other sort of punctuation in a password field."

    If I knew why they did it, even if the reason was a WTF in itself (and surely it is), I would feel a little better.  I could at least say "well, they did it because they have misconception X in their minds."  But, alas, I can't.  I just can't figure it out.

    My guess is that most languages have different keyboard layouts than the standard US one. Since the characters in password textboxes are usually masked with stars/dots/whatever, sometimes you don't notice that the current keyboard layout is different from the one that is actually physically printed on your keyboard. That, along with the insane security policies of some websites (for example, my bank has the "3 screwed up login attempts in a row means you have to come in to the branch to be able to log in again" policy) can be a real pain in the back, so that's why they disable "special" characters.



  • @DrJokepu said:

    My guess is that most languages have different keyboard layouts than the standard US one. Since the characters in password textboxes are usually masked with stars/dots/whatever, sometimes you don't notice that the current keyboard layout is different from the one that is actually physically printed on your keyboard. That, along with the insane security policies of some websites (for example, my bank has the "3 screwed up login attempts in a row means you have to come in to the branch to be able to log in again" policy) can be a real pain in the back, so that's why they disable "special" characters.
    Try changing your qwerty (us) layout to dovrak (sp?), qwertz (something like that), or ca qwerty (as in French Canadian layout). All of those are different layouts that will actually alter normal letter positions (ca qwerty is the least problematic for this) and suffer from the same problem while retaining the use of Latin characters, so alternate keyboard layout issues are not the reason. Nice guess though.


  • @Lingerance said:

    Try changing your qwerty (us) layout to dovrak (sp?),
    Anyone who's done this is probably fully aware of the differences between the virtual and physical layouts of their keyboards. Indeed anyone is usually aware - I've seen repeated requests from UK users demanding where their £ key is or why their @ and " keys are swapped.

    @Lingerance said:

    alternate keyboard layout issues are not the reason. Nice guess though.
    Indeed.

     



  • @medialint said:

    I'm thinking of that old gem Ultimate Bulletin Board here ... and the knowledge that huge traffic sites like mp3.com (back in the day) were actually using it. :-)

     

    Small world.  I was the maintainer of UBB from 6.0.2 through the bitter, under-specified failure of an end.  

    I could write epic essays on the WTFery of those flat files and the stuff I had to do to wrangle some semblance of stability out of the things -- and even then, it's still full of WTFs.  ubb_lib_pntf, anyone? (I'm so, so, so sorry.  I was such a noob...)

    Oh yeah, and sorry about the whole plaintext password thing.  I could write yet another huge essay about that mess.  Yay legacy compatibility and platform restrictions!

    The worst part was keeping the party line about the whole thing, something that I don't care about now that I don't work there any more and the NDA has expired.  That code was a rotting piece of crap that wouldn't know how to perform if its life was at stake... and yet I'm still proud of the obscene things I made it do.



  • @bstorer said:

    It drives me crazy when places reject my password for having non-alphanumeric characters in them.  What is this, 1996?  And it really blows my mind when it's a financial institution that does it.  American Express does this, and it really pisses me off.
    Not only does my bank do this, but they also restrict passwords to a fixed, small number of characters. 



  • @Physics Phil said:

    @bstorer said:

    It drives me crazy when places reject my password for having non-alphanumeric characters in them.  What is this, 1996?  And it really blows my mind when it's a financial institution that does it.  American Express does this, and it really pisses me off.
    Not only does my bank do this, but they also restrict passwords to a fixed, small number of characters. 

     

    That would have been an interesting fact back in February, when I posted.  Now, it's just an unnecessary revival of an old thread. 



  • @bstorer said:

    That would have been an interesting fact back in February, when I posted.  Now, it's just an unnecessary revival of an old thread. 
     

    Sorry, it appeared in the first page of my unread posts list and I didn't think to check the date on the last post. 



  • @Physics Phil said:

    Sorry, it appeared in the first page of my unread posts list and I didn't think to check the date on the last post.

    Now you know. And, you can do like I did to clear out the list. click, back, click, back, click, back...



  • @AbbydonKrafts said:

    Now you know. And, you can do like I did to clear out the list. click, back, click, back, click, back...
    Middle click X 40. Right click current tab. Close all other tabs. Refresh. GOTO Middle click X 40.



  • @Lingerance said:

    @AbbydonKrafts said:
    Now you know. And, you can do like I did to clear out the list. click, back, click, back, click, back...
    Middle click X 40. Right click current tab. Close all other tabs. Refresh. GOTO Middle click X 40.
    You can also go to each subsection ("Sidebar," "General Discussion," etc.), click the "More Options" button at the bottom, and mark them all as read.

