In which @Minkovsky applies for a student loan



  • Good thing Dischorse now lets you resize the editor, because boy will I need that.

    Signing up is "easy"

The signup form only accepts National Insurance Numbers (think Social Security Number, but for the UK) without spaces, but doesn't tell you about this. Normally, when you get your National Insurance Number it is printed with spaces, of the form AA 99 99 99 A, but good luck using that in the form - it truncates everything after 9 characters, so if you add in spaces the last 99 A will be thrown out. What the fuck?! If you don't want spaces in there, remove them your own goddamned self! It's like those home-rolled credit card forms! Jeez!

    Security... what security?

Password rules: minimum 8 characters (yay!), maximum 16 (boo!), and no special characters (so only things that match \w{8,16}, because I guess the fuckers were lazy). WTF! It's a goddamned student loan application, it better have some good fucking security!

As a bonus WTF, the password creation screen somehow inhibits Chrome's "It looks like you're creating a password" popup, which I quite like, and does not permit me to fucking paste in the password if I generate it somewhere else. WHYYYYY. (You can paste the password in when logging in later, so yay discoursistency?)

    I thought I was through the security WTFness until I noticed this in my console: (yes I check it sometimes for goodies)

    POST https://www.student-finance.service.gov.uk/customer/apply/ft/1516/pages/currentcourseandfees.xhtml net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH
    

    Oops. Looks like their SSL may be shitty anyway so my password may as well have been 0000.

    Also, what kind of dumbass secret answer UI is this?!

    We're clueless!

    Does your course lead to a healthcare profession?

    What part of "COMPUTER SCIENCE WITH INDUSTRIAL EXPERIENCE" screams "healthcare profession" at you? Also they should know this, either from their own goddamned records or from the information the universities sent them.

    I selected a course where 'with industry experience' is in the title and the type is 'sandwich' - which means that as part of my course I will be doing about a year's work somewhere in the industry - but then they seemingly forget about this and ask me if I'll be employed during my course.


    While writing this, I discovered another bug in Discourse. Try typing in a long post, then scrolling in the editor or the preview. Sometimes, when you scroll to the end, the page behind the editor keeps on scrolling, and you can't go back to scrolling the editor. Or maybe that's just what I get from using Chrome from the future on Linux hardware.


    Anyway, there will be more to come...



  • @Minkovsky said:

    Also, what kind of dumbass secret answer UI is this?!

    A fairly common one?


  • sockdevs

    For passwords maybe, but not normally for secret questions. Also, usually textboxes, not dropdowns.



  • One where I have to select the character from a dropdown list. I know I can just focus on it and type it, but many people don't. If they're worried about keyloggers, an on-screen keyboard in JS is not a bad idea either. This should be the fallback in case for some reason the page is viewed with JS disabled.



  • @RaceProUK said:

    For passwords maybe, but not normally for secret questions.

    Eh?

    Every time I've seen this - I've put in a username and password, and then entered 3 'random' characters from a word of some kind. Doesn't matter how you phrase what it is, it's a word, and it wants 3 characters.


  • sockdevs

    Logging into NatWest Online Banking, it's three characters from my password, and three digits from my PIN.



  • @Minkovsky said:

    One where I have to select the character from a dropdown list.

My bank's website is like that. What's the problem?
    Focus the thing, type the letter, focus the next, type the letter etc. This works whether it's a text box or a dropdown.

    Student Finance are riddled with WTFs but that screen ain't one of them IMHO.



  • @loopback0 said:

    entered

    Into a text box? Not picked 3 characters using goddamned dropdowns?!



  • How many characters are in the dropdown?
    Can the secret answer contain characters that aren't in the dropdown?


  • Discourse touched me in a no-no place

    @Minkovsky said:

    but then they seemingly forget about this and ask me if I'll be employed during my course.

    Perhaps they were enquiring whether you'd be in paid employment while not doing the 3rd year in industry (e.g. part-time bar work etc.)?

    Though given this is gov.uk we're talking about I wouldn't bet on it...



  • @RaceProUK said:

    Logging into NatWest Online Banking, it's three characters from my password, and three digits from my PIN.

    Halifax is username, password, 3 characters from the magic word.

    Unless it's from the app on my mobile which is tied to the phone and only needs a PIN.



  • @Minkovsky said:

    does not permit me to fucking paste in the password

    You can usually get around this stupid "feature" by dragging.



  • @Minkovsky said:

    Into a text box? Not picked 3 characters using goddamned dropdowns?!

    Yes. Dropdowns. I'm still entering the characters.



  • About the entire [a-zA-Z0-9] class, I'd guess; and I didn't dare to try in case something broke horribly. Maybe I should've tried ' OR 1=1; DROP TABLE customers.



  • What I'm trying to get at is that dropdowns are evil and need to die. In most situations that I saw a dropdown, the question could've been framed better as a text field or a radio group.



  • @Minkovsky said:

    What I'm trying to get at is that dropdowns are evil and need to die.

    Why are they evil for this purpose?
    On a computer, the interaction is exactly the same as 3 text boxes.

    @Minkovsky said:

    In most situations that I saw a dropdown, the question could've been framed better as a text field or a radio group.

    I agree that's the case in a lot of other places.



  • @loopback0 said:

    On a computer,

    Not everyone will be using this site on a computer - some might be doing this on a tablet. Why would you do that is another WTF entirely but hey, it's a gov site so they should be accessible to everyone.

    @loopback0 said:

    the interaction is exactly the same as 3 text boxes.

    But not everyone knows this. That's why I think it's badly designed.



  • @Minkovsky said:

    But not everyone knows this

    True, but your average user isn't going to care they have to enter it from 3 dropdowns.



  • I curse thee, Average L. User!



  • Also - if you log into the Student Loan Repayments website, you enter the whole secret answer.

    Consistent :laughing:



  • Which to me says "hey this field is stored in plain text". I wonder what else is.



  • I'm also less than a year from paying my Student Loan off. Hurrah!



  • @Minkovsky said:

    What part of "COMPUTER SCIENCE WITH INDUSTRIAL EXPERIENCE" screams "healthcare profession" at you?

    I don't see that as being particularly weird. Hospitals hire a lot of IT people. (Well, not a lot, but more than, say, a trucking company would have.)



  • @RaceProUK said:

    Logging into NatWest Online Banking, it's three characters from my password, and three digits from my PIN.

    TRWTF


  • sockdevs

    It does imply they store the password in a manner it can be retrieved, true…



  • @RaceProUK said:

    Logging into NatWest Online Banking, it's three characters from my password, and three digits from my PIN

    Lovely to know that both those highly sensitive items are stored in such a way as to make substring comparisons feasible. That's some truly enterprisey hash coding for sure.



  • TRWTF are student loans.

    /me drops :microphone:



  • IT support in a hospital is not a medical profession.



  • @Minkovsky said:

    IT support in a hospital is not a medical profession.

    Ugh! I couldn't do IT support in a hospital. I would run away the minute I had to get on my knees to fix some hardware issue.


  • Winner of the 2016 Presidential Election

    @Eldelshell said:

    I would run away the minute I had to get on my knees to fix some hardware issue.

    :giggity:



  • Don't they keep all the computers on adjustable carts?


  • Winner of the 2016 Presidential Election

    Well that and "Let's take something cryptographically strong (a password) and make it NOT cryptographically strong (3 characters)." Come on guys, seriously?
    Maybe it's an attempt to defeat LastPass et al.
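The two complaints above (that a "3 characters from your password" challenge implies the password is stored in a retrievable form, and that it shrinks a password to a 3-character guess) can be made concrete. The following is an added illustration for this thread, not code from any bank or from Student Finance: it shows how a partial-password challenge can be served without keeping the plaintext, by pre-computing one salted hash per position triple at enrolment, and quantifies the guess space of such a challenge. The scheme, the PBKDF2 work factor and the sample password are assumptions.

```python
"""Partial-password challenge without plaintext storage (illustrative, assumed scheme).

A single hash of the whole password cannot answer "give me characters 1, 4 and 8":
the server would need the plaintext to compare substrings. Instead, at enrolment
we hash every K-subset of positions separately, so the password itself is never kept.
"""
import hashlib
import hmac
import os
from itertools import combinations

ITERATIONS = 10_000  # assumed PBKDF2 work factor; raise for production use
K = 3                # characters challenged per login, as in the thread


def _digest(salt: bytes, positions: tuple, chars: str) -> bytes:
    # Bind the hash to the positions as well as the characters, so a triple
    # proven for positions (0,1,2) cannot be replayed for (0,1,3).
    msg = ",".join(map(str, positions)).encode() + b"|" + chars.encode()
    return hashlib.pbkdf2_hmac("sha256", msg, salt, ITERATIONS)


def enrol(password: str) -> dict:
    """Build the stored record: one salt plus one hash per K-subset of positions."""
    salt = os.urandom(16)
    hashes = {}
    for positions in combinations(range(len(password)), K):
        chars = "".join(password[i] for i in positions)
        hashes[positions] = _digest(salt, positions, chars)
    return {"salt": salt, "length": len(password), "hashes": hashes}


def verify(record: dict, positions: tuple, answer: str) -> bool:
    """Check a challenge response in constant time; malformed input simply fails."""
    positions = tuple(sorted(positions))  # answer must follow ascending position order
    if len(answer) != K or positions not in record["hashes"]:
        return False
    expected = record["hashes"][positions]
    return hmac.compare_digest(expected, _digest(record["salt"], positions, answer))


def guess_space(alphabet_size: int, k: int = K) -> int:
    """Number of candidate answers for one k-character challenge."""
    return alphabet_size ** k


if __name__ == "__main__":
    rec = enrol("correcthorse")            # constructed sample password
    print(verify(rec, (0, 3, 7), "crh"))   # characters at positions 0, 3 and 7
    print(guess_space(62))                 # one challenge over [A-Za-z0-9]
    print(len(rec["hashes"]))              # hashes stored for a 12-character password
```

The 220 hashes per 12-character password show the storage cost of doing this properly, and the 238,328-candidate guess space shows why rate limiting and lockout are the only thing standing between such a challenge and online guessing.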



  • Ok well without knowing the definition they are using for medical profession, it doesn't sound weird to me.



  • @sloosecannon said:

    Maybe it's an attempt to defeat LastPass et al.

    Because that was a great contribution by some PM or MBA in the business chain.



  • mg;dr

    Automatic :wtf: bro, k?

    Those who can, do.
    Those who can't, do for government.

    Sorry, we spent all our security budget, on our intelligence departments. People who are concerned about identity theft, can eat cake.


  • Winner of the 2016 Presidential Election

    @xaade said:

    identity theft, can eat cake.

    @trwtfbot that comma



  • that comma is TRWTF

    <!-- Posted by SockBot 0.16 "Hazardous Hera" on Mon, 06 Apr 2015 15:30:36 GMT-->

  • Winner of the 2016 Presidential Election

    Actually...

    @xaade said:

    Sorry, we spent all our security budget, on our intelligence departments. People who are concerned about identity theft, can eat cake.

    @trwtfbot those commas



  • those commas is TRWTF

    <!-- Posted by SockBot 0.16 "Hazardous Hera" on Mon, 06 Apr 2015 15:31:56 GMT-->

  • Winner of the 2016 Presidential Election

    @trwtfbot said:

    those commas isare TRWTF

    <!-- Posted by SockBot 0.16 "Hazardous Hera" on Mon, 06 Apr 2015 15:31:56 GMT-->

    Gotta fix that some time...



  • Not really. TRWTF is people not understanding how to use them and that they shouldn't get them for e.g. an Arts degree if they aren't going to be able to pay it off.

    Current rates are really amazing when you think about how it's an unsecured loan. Granted you can't get rid of them in bankruptcy, but if you tried to get a similar loan anywhere else you'd probably be paying 10+%.

    TRWTF is the overall inflation of the cost of college due to student loans.

    I'm probably going to take the full 10 years to pay them off but that's because I think I can make more for retirement than the rate the loan's at. If I desperately wanted to pay it off now, I could probably do that next year.



  • @sloosecannon said:

    an attempt to defeat LastPass et al

    Quite a few security-clueless outfits do seem to go out of their way to treat password management software as some kind of security threat.

    After getting past the main logon page for my.gov.au, you get a second page that asks you for an answer to one of your "security" questions (you have to create at least five of those during signup). Fortunately they let you write your own security questions. Mine are

    Enter secondary password with .a appended
    Enter secondary password with .b appended
    Enter secondary password with .c appended
    Enter secondary password with .d appended
    Enter secondary password with .e appended

    and the answers are

    wgnot.oklsz.snodg.goncx.nkaba.a
    wgnot.oklsz.snodg.goncx.nkaba.b
    wgnot.oklsz.snodg.goncx.nkaba.c
    wgnot.oklsz.snodg.goncx.nkaba.d
    wgnot.oklsz.snodg.goncx.nkaba.e

    to comply with the requirement that all questions and answers must be unique and that none of the answers can be your user ID or password.

    The end result is that by using a KeePass auto-type string of

    Auto-Type:{USERNAME}{TAB}{PASSWORD}{ENTER}{DELAY 3000}wgnot.oklsz.snodg.goncx.nkaba.

    I only need to type one extra character and hit Enter to log on. But it's still kind of annoying.



  • @JazzyJosh said:

    can't get rid of them in bankruptcy

Depending on which country. In the UK, if you're earning below £21k/yr you don't have to pay anything at all. OTOH if you step over that, those payments will automatically kick in as a form of tax. Damned if you do, damned if you don't...



  • @sloosecannon said:

    Maybe it's an attempt to defeat LastPass et al.

    Why would you want to defeat password managers? That right there is a total PHB-ism, completely disconnected from security reality...

    @flabdablet said:

    Quite a few security-clueless outfits do seem to go out of their way to treat password management software as some kind of security threat.

    QFT! Is this some sort of new brainworm that we have to start worrying about?



  • I think it's just a mutant of the old brainworm that says it's unsafe to let people paste stuff into the "Enter email address" and "Confirm email address" boxes.

    Filed under: MAKE THE BASTARDS TYPE IT IN AGAIN



A platform I have to log in to occasionally seems to have managed to defeat Chrome's built-in password manager. If it auto-fills the user/pass, it claims it's wrong. If you enter an extra char in the PW field then delete it again it's OK.

    I suspect they're somehow checking whether the onChange or onKeyDown event ever fired, or something.



  • @PleegWat said:

I suspect they're somehow checking whether the onChange or onKeyDown event ever fired, or something.

    They're probably doing what Verizon's terrible router firmware does: "encrypting" the password in the browser for shitcurity raisins.



  • Chrome has a security feature where the JS can't read the value property of an autofilled password field until either:

    • you type in it
    • the form is submitted
    • (temporary) it is accessed in an onclick handler

  • sockdevs

Well, that explains why Salesforce yells at me every time I log in, but is fine the second time around....


  • mod

    Might explain why Chase doesn't like my autofill unless I click in the boxes first. I've not been quite sure if it's that or it just doesn't like my submitting the form too fast.

