Banking password verification WTF



  • Doing some music shopping, I ran into this Verified by Visa check that seems to have been executed in concert with my bank. It wants me to create a password, fine. But I keep getting:

    Your password does not conform to the Password Policy. Please try again.

    So, what? Too short, too long? Not enough numbers, too many numbers?

    I dig into the JavaScript to try to figure out what it wants from me, and find a link to this: WTF Arcot/Compass form verification 

    There are a number of fun things going on here (IsNetscapeOnSolaris()?!?) but the cake probably goes to the anyNumbers() function, or the anyLetters() function that looks almost exactly like it:

    //checks for numbers
    function anyNumbers()
    {
        var isbad1="err";
        var str=document.passwdForm.pin1.value;
        //alert("str="+str);
        var numbers=new Array("1","2","3","4","5","6","7","8","9","0");
        //str=str.toString();
        //var isbad1=true;
        //alert("about to loop");
        for(i=0;i<=str.length;i++){
            //alert(str.substring(i,i+1));
            for(j=0;j<=numbers.length;j++){
                if(str.substring(i,i+1)==numbers[j]){
                    isbad1="pass";
                }
            }
        }
        //alert("isbad1 " + isbad1);
        return isbad1;
    }

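For comparison, here is an added example (not the Arcot/Compass code from the post) that ports the posted anyNumbers() logic to a plain function, puts the equivalent regex checks beside it, and wraps them in a policy check that actually reports why a password was rejected. Sample passwords are constructed; no DOM or form is involved.

```javascript
// Faithful port of the posted anyNumbers(): takes the string as a parameter instead
// of reading document.passwdForm.pin1, and keeps the "<=" loop bounds as posted.
// The extra iteration is harmless: substring() past the end yields "" and
// numbers[10] is undefined, and "" == undefined is false.
function anyNumbersOriginal(str) {
  var isbad1 = "err";
  var numbers = ["1", "2", "3", "4", "5", "6", "7", "8", "9", "0"];
  for (var i = 0; i <= str.length; i++) {
    for (var j = 0; j <= numbers.length; j++) {
      if (str.substring(i, i + 1) == numbers[j]) {
        isbad1 = "pass";
      }
    }
  }
  return isbad1;
}

// The same two checks as single regular expressions returning booleans.
function hasDigit(str) { return /[0-9]/.test(str); }
function hasLetter(str) { return /[A-Za-z]/.test(str); }

// A policy check that tells the user what failed, which the posted form never did.
// minLen/maxLen are assumed parameters; the real policy was not shown on the page.
function checkPasswordPolicy(pw, minLen, maxLen) {
  var problems = [];
  if (pw.length < minLen) problems.push("too short (min " + minLen + ")");
  if (pw.length > maxLen) problems.push("too long (max " + maxLen + ")");
  if (!hasDigit(pw)) problems.push("needs at least one digit");
  if (!hasLetter(pw)) problems.push("needs at least one letter");
  return { ok: problems.length === 0, problems: problems };
}

// Cross-check: the regex version agrees with the nested-loop original on every sample.
function originalAgreesWithRegex(samples) {
  return samples.every(function (s) {
    return (anyNumbersOriginal(s) === "pass") === hasDigit(s);
  });
}

// Constructed sample inputs, including the empty string edge case.
var SAMPLE_PASSWORDS = ["abc", "1234", "abc123", "", "p4ssword", "!@#$"];
```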

  • Wow. Just... wow. Nothing like getting paid to learn as you go!



  •  That's actually a security feature.  Since password verification is such an infrequent action for normal users, and passwords aren't all that long, the massive inefficiency of those nested for loops vs. regexp is hardly noticeable.  However, if a bot were to come in and attempt batch creation, they would be significantly slowed down by that javascript.



  •  @vt_mruhlin said:

     That's actually a security feature.  Since password verification is such an infrequent action for normal users, and passwords aren't all that long, the massive inefficiency of those nested for loops vs. regexp is hardly noticeable.  However, if a bot were to come in and attempt batch creation, they would be significantly slowed down by that javascript.

    I hit your sarcasm tag... However I just ran into form software that did this:

    Solve the equation: 5 + 2 = <answer here>, no not a jpeg, no not obfuscated, just 4 little chars showing an easily parseable formula. Because computers can't add...



  • @dlikhten said:

    Solve the equation: 5 + 2 = <answer here>

    Ah yes, mathematics. The perfect Turing test. Unless it's a "you must be at least this smart to use these services" thing. 



  • newegg.com always hurls that crap at you. I respond by hitting "cancel", the order goes through, and one extra step to give thieves a chance to steal your data is avoided.



  • @dlikhten said:

    However I just ran into form software that did this:

    Solve the equation: 5 + 2 = <answer here>, no not a jpeg, no not obfuscated, just 4 little chars showing an easily parseable formula. Because computers can't add...

    Computers can add quite well, yes, but only if they're expecting to add. Unless you're a high-value target like Hotmail or Gmail, the best captcha in the world is one that nobody else is using. It doesn't matter what it is, or how bad it is, so long as you've got the only site using it.



  • @Carnildo said:

    @dlikhten said:

    However I just ran into form software that did this:

    Solve the equation: 5 + 2 = <answer here>, no not a jpeg, no not obfuscated, just 4 little chars showing an easily parseable formula. Because computers can't add...

    Computers can add quite well, yes, but only if they're expecting to add. Unless you're a high-value target like Hotmail or Gmail, the best captcha in the world is one that nobody else is using. It doesn't matter what it is, or how bad it is, so long as you've got the only site using it.


    I'm almost certain it's part of some forum software. I ran into it once too, and I don't think the web is small enough for me and dlikhten to run into that specific same thing.


  • @vt_mruhlin said:

    However, if a bot were to come in and attempt batch creation, they would be significantly slowed down by that javascript.

    Is that being slowed down by the time the bot author spends thinking "WTF?!" when he reads that code?



  • @dtech said:

    I'm almost certain it's part of some forum software. I ran into it once too, and I don't think the web is small enough for me and dlikhten to run into that specific same thing.

    If I recall correctly it was one of the twenty to thirty mods (alternative captchas) available for phpBB to stem forum spam. It hit really hard about a year ago (by which I mean bots outnumbered real users 40:1 and bot posts were just as frequent as normal posts (would be more, but many bots weren't expecting to have to activate through email)).

