What porridge is just right?



  • This editor isn't working with firefox, so here's some links to the images I want to show (fired up IE to do it):

    WTF kinda shoddy software says a password is too long? "I don't know, this guy is just a little... too secure. We don't want our users getting out of hand with their passwords". It wasn't even all that long, 12 characters (standard "short" I-don't-care-much password).

    So anyway, after I got mad enough to take a screenshot and type here about it, I put in a shorter password

    AGH, what are the requirements? Hello?

    -EJ



  • @EJ_ said:

    AGH, what are the requirements? Hello?
     

    You're supposed to do a binary search for the right length.

    You know, "I tried 12, it was too long. I'll try 6. Nope, too short. Let's try 9. Yeah, that works."



  • The requirements are doing a binary search to find a suitable password length :P 


  • Discourse touched me in a no-no place

     A braindead requirements set for the website of a company I've recently mentioned else-thread had the limits to their 'memorable words' set to "between 8 and 12 characters" Letters and numbers, no spaces IIRC.

      



  • As an application security guy, this kind of thing always sends up a red flag for me. It often means that they're storing the password in plaintext in a fixed-length database field.



  • @rbowes said:

    As an application security guy, this kind of thing always sends up a red flag for me. It often means that they're storing the password in plaintext in a fixed-length database field.

    Maybe they have limited bandwidth and simply don't want more than 64 bytes transmitted per registration. Maybe they still store the password encrypted.

    Okay, in that case they would be even less intelligent (and not much more secure), but it sure is a possibility ^.^ 



  • I took a look at that page.

    For every key press in the password input field they check for the Enter key. Then they either give an alert because of empty username or password, or submit the form via form.submit().

    Also, the password is used as an unencrypted URI parameter on some frame.



  • @Zecc said:

    For every key press in the password input field they check for the Enter key. Then they either give an alert because of empty username or password, or submit the form via form.submit().

    And...  ???

    To my knowledge this is the only way to have the Enter key fire the submit on your form.  Not a WTF.  Or it is, but not the responsibility of the site developer.



  • @GalacticCowboy said:

    @Zecc said:

    For every key press in the password input field they check for the Enter key. Then they either give an alert because of empty username or password, or submit the form via form.submit().

    And...  ???

    To my knowledge this is the only way to have the Enter key fire the submit on your form.  Not a WTF.  Or it is, but not the responsibility of the site developer.

     

    Never mind. I assumed there would be an <input type="submit"> somewhere.

    I'd still do it onchange rather than onkeypress, though.



  • @Zecc said:

    @GalacticCowboy said:

    @Zecc said:

    For every key press in the password input field they check for the Enter key. Then they either give an alert because of empty username or password, or submit the form via form.submit().

    And...  ???

    To my knowledge this is the only way to have the Enter key fire the submit on your form.  Not a WTF.  Or it is, but not the responsibility of the site developer.

     

    Never mind. I assumed there would be an <input type="submit"> somewhere.

    I'd still do it onchange rather than onkeypress, though.

     

    How exactly do you detect someone pressing the Enter key in onChange? 



  • @TehFreek said:

    How exactly do you detect someone pressing the Enter key in onChange? 

     

    *sigh* This is what happens when you post without thinking things through.

    What I'd do, really, is add a hidden <input type="submit"> and validate on the form's onsubmit. But then again, maybe not all browsers will fire form submission when you press Enter and all the submit buttons are hidden.

    So, yes, checking for Enter on every key press isn't a WTF.

    I can't take it back, but I apologize for polluting the thread.

     



  • @GalacticCowboy said:

    @Zecc said:

    For every key press in the password input field they check for the Enter key. Then they either give an alert because of empty username or password, or submit the form via form.submit().

    And...  ???

    To my knowledge this is the only way to have the Enter key fire the submit on your form.  Not a WTF.  Or it is, but not the responsibility of the site developer.

     

    Um.

    Forms that contain an input type="submit" will automatically submit when you push enter (save if you're in a multiline control). No javascript required. If you want to validate, you do it on the form's onsubmit.

    I see no valid reason not to include a Submit button, either.



  • Re: listen to the sounds of pride being swallowed

    @Zecc said:

    listen to the sounds of pride being swallowed

    and, from the looks of your icon, it didn't taste very good. 



  • Anyway, back to the password length, I bet that they copied the password requirements off of the back of a cereal box, or failing that, from some other application, assuming that someone had thought about it there so it must be right.

    I'm willing to bet that they're expecting 8 characters. No more, no less, and they require EXACTLY 3 of 4 character types ([A-Z], [a-z], [0-9], [!@#$%^&*()]). I haven't looked at or tried this page, but I'm really really betting that's what it is, for the aforementioned reasons.



  •  If you can understand why porridge burns when you don't stir it, then you may also understand things that happen when volcanoes erupt. It's true.



  • @Sunstorm said:

    Forms that contain an input type="submit" will automatically submit when you push enter (save if you're in a multiline control). No javascript required. If you want to validate, you do it on the form's onsubmit.

    I see no valid reason not to include a Submit button, either.

     

    It's been a long time since I've messed with this stuff, but as I recall from ASP.NET 1.1, this only worked if you had 1 button on the form, and it had to be an "INPUT" control - no asp:LinkButton, asp:ImageButton, etc.  I think they've changed it somewhat in 2.0, but I just used the standard login control that they added in 2.0 rather than rolling my own...  and that control doesn't submit when you hit enter...



  •  class PasswordChecker implements IPorridge throws PorridgeTooHotException



  • @rbowes said:

    As an application security guy, this kind of thing always sends up a red flag for me. It often means that they're storing the password in plaintext in a fixed-length database field.

    I'm all for keeping passwords short and memorable, because the alternative is that users will be forced to make them long, overly-complex, and hard to remember, the inevitable solution for which is to write it down on a post-it note stuck to the monitor or something similar.



  •  The porridge that is just right is bacon, sausage, egg, and tomato.



  • @Jonathan Holland said:

     class PasswordChecker implements IPorridge throws PorridgeTooHotException


     What, no PassWordCheckerFactory?



  • @m0ffx said:

     If you can understand why porridge burns when you don't stir it, then you may also understand things that happen when volcanoes erupt. It's true.

    That also explains why they used porridge with red food dye in it to simulate lava during the volcanic eruption scene in George Pal's film version of H.G. Wells' "The Time Machine".

     



  • @Joe Luser said:

     The porridge that is just right is bacon, sausage, egg, and tomato.

    I think you'll find that The Real porridge that is just right is spam, spam, spam, bacon, sausage, spam, egg, tomato, spam and file_not_found.

     

    Served on a wooden table. 



  • @belgariontheking said:

    @Zecc said:

    listen to the sounds of pride being swallowed

    and, from the looks of your icon, it didn't taste very good. 

    don't look at it the wrong way; it sorta looks like a penis 


  • @Nether said:

    @Jonathan Holland said:

     class PasswordChecker implements IPorridge throws PorridgeTooHotException


     What, no PassWordCheckerFactory?

     

    If I recall the story of mom, pop, and baby bear, the porridge was either too hot, too cold, or just right. I'm pretty sure that it should throw a PorridgeNotRightException to cover it being too hot (long) or cold (short)... Unless you wanted to throw two different exception types. Then we could wrap it in a dummy try, catch, finally for good measure. I love Java 



  • Porridge should also not contain underscores or ampersands :)



  • @rbowes said:

    As an application security guy, this kind of thing always sends up a red flag for me. It often means that they're storing the password in plaintext in a fixed-length database field.

     

     An application I helped work on had the requirements of passwords being 6-8 characters.  Seriously uggh.  They checked that the front-end checks would validate only passwords in that range, too, so I couldn't just silently override their wishes.

     In our case, the fields are encrypted/encoded - definitely not plain text.  But I did want to ask about your "fixed-length" database field comment... are you talking 'char' vs 'varchar'?  Or are you suggesting something else?

    suzilou 
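    An added example (not posted by anyone in this thread) of what rbowes's red flag implies for storage: once a password is run through a salted, iterated hash, the stored record has the same length whatever the user typed, so the column width never forces a tight cap like 12 characters; the only ceiling left is a generous one that bounds hashing cost. The policy bounds, iteration count and record layout below are assumptions for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Policy bounds are assumptions for this example: a minimum for strength and
# only a generous ceiling to bound hashing work, not a tight cap like 12.
MIN_LEN = 8
MAX_LEN = 128
ITERATIONS = 100_000   # PBKDF2 work factor (assumed value)
SALT_BYTES = 16
DIGEST_BYTES = 32
ALGO = "pbkdf2-sha256"


def check_policy(password: str) -> Optional[str]:
    """Return a rejection reason, or None if the length is acceptable."""
    if len(password) < MIN_LEN:
        return f"too short (minimum {MIN_LEN})"
    if len(password) > MAX_LEN:
        return f"too long (maximum {MAX_LEN})"
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Build a self-describing record: algo$iterations$salt$digest.
    Its length depends only on the constants above, never on the password."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             ITERATIONS, dklen=DIGEST_BYTES)
    return "$".join([ALGO, str(ITERATIONS),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored salt/iterations and compare in constant time."""
    algo, iters, salt_b64, dk_b64 = stored.split("$")
    if algo != ALGO:
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    int(iters), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def stored_length(password: str) -> int:
    """Width the database column actually needs for this password."""
    return len(hash_password(password))
```

With these constants every record is 90 characters wide, for an 8-character password and a 128-character passphrase alike.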



  • @misguided said:

    @belgariontheking said:

    @Zecc said:

    listen to the sounds of pride being swallowed

    and, from the looks of your icon, it didn't taste very good. 

    don't look at it the wrong way; it sorta looks like a penis 
     

    No, that's someone else's (tasteless) avatar. 

