Another bank WTF



  • I tried to register on the site of my new credit card. But I got the message: "The username must be composed of English letters and digits only", even though my username was "levbor". I searched the javascript and found this function, which was supposed to check the condition "the string is composed of English letters and digits only":

    function isOnlyEngAndNum(checkStr) {
    var letters = false;
    var numbers = false;
    var flag = false;
    for(var i = 0; i < checkStr.length && !flag; i++) {
    var char = checkStr.charCodeAt(i);
    if ((char >= ASCII_A && char <= ASCII_Z) || (char >= ASCII_CAPITAL_A && char <= ASCII_CAPITAL_Z)) {
    letters = true;
    } else if (char <= ASCII_9 && char >= ASCII_0) {
    numbers = true;
    }
    if (letters && numbers){
    flag = true;
    }
    }
    return flag;
    }

    I guess nobody registers on that site because most people don't figure out what the real condition is. Or maybe they call tech support, and support tells them to add a digit to the username?

    Anyway, I didn't register either. And there are more WTFs on that site, but this one is the best.


  • Discourse touched me in a no-no place

     Smells like HSBC. I had one of their cards briefly. I cancelled it in protest of the "you must have a number in your username" rule.



  • @levbor said:

    I tried to register on the site of my new credit card. But I got the message: "The username must be composed of English letters and digits only", even though my username was "levbor". I searched the javascript and found this function, which was supposed to check the condition "the string is composed of English letters and digits only":

     

    What part of "and" don't you understand?

     



  • @da Doctah said:

    What part of "and" don't you understand?

    You don't think it's a WTF that they require digits in a username? I note your username here "da Doctah" doesn't have any digits in it.


  • Discourse touched me in a no-no place

    @da Doctah said:

    What part of "and" don't you understand?
    The apparent stupidity of the actual requirement. It's bad enough that they force this sort of crap in passwords without starting on usernames as well.



  • I was about to add this to my "the word 'only' is surprisingly ambiguous" file when I noticed that A1';DROP TABLE 'USER'; is a valid username. So it's just a bug, not a poorly documented extra requirement.



  • @da Doctah said:

    What part of "and" don't you understand?
     

    I hadn't thought of it this way. I guess the author of the spec meant "Every character must be a letter of a digit, the developer understood "There must be at least one letter and one digit", and QA... probably didn't exist.

    [quote user="HonoreDB"]A1';DROP TABLE 'USER';[/quote]

    Now I only need someone else's credit card number to try this out.



  • You mean that you don't know of any abandoned houses that you can sign up with?



  •  I wouldn't say that was too much of a WTF. After all, one of the companies I've work for in the past was afraid of two people having the same name, so your login name for the network was "<firstname>.<lastname>.<employee reference number>". Your email was the same with just @somecompany.com appended. The ERN, as they called it, was always 6 digits, and so mine started with '00'. 



  • Problems are using javascript, instead of SSH (secure shell)



  • @da Doctah said:

    @levbor said:

    I tried to register on the site of my new credit card. But I got the message: "The username must be composed of English letters and digits only", even though my username was "levbor". I searched the javascript and found this function, which was supposed to check the condition "the string is composed of English letters and digits only":

     

    What part of "and" don't you understand?

    What part of grammar don't you understand?



  • @zzo38 said:

    Problems are using javascript, instead of SSH (secure shell)

    No way, he should totally be using ymodem.

    Um...what?



  • @PJH said:

    @da Doctah said:
    What part of "and" don't you understand?
    The apparent stupidity of the actual requirement. It's bad enough that they force this sort of crap in passwords without starting on usernames as well.
     

     

    there is a reason to force it in passwords.  called SECURITY.



  • @PJH said:

    @da Doctah said:
    What part of "and" don't you understand?
    The apparent stupidity of the actual requirement. It's bad enough that they force this sort of crap in passwords without starting on usernames as well.
     

    Crap it may well be, but it's crap someone asked for demanded. Probably a "someone" who signs the paychecks. So you make sure there's exactly the same amount and type of crap in the system as in the requirements they give you.


  • Discourse touched me in a no-no place

    @Kazan said:

    there is a reason to force it in passwords.  called SECURITY.
    No it's not, unless you're prefixing that with "A FALSE SENSE OF." There's nothing inherently more secure about requiring at least "one number and one upper and one lower case character in your password that must be at least 6 characters and no more than 8," over allowing total freedom over the choice of password.



    You'll find that companies that pull this sort of shit actually make the passwords LESS secure, by reducing the search space due to their poorly thought out rules (and if they're specifying the class of characters you MUST use, then it's likely they'll disallow other classes completely in any part of the password. Like spaces, or apostrophes or letters with diacriticals)



  • @PJH said:

    @Kazan said:
    there is a reason to force it in passwords.  called SECURITY.
    No it's not, unless you're prefixing that with "A FALSE SENSE OF." There's nothing inherently more secure about requiring at least "one number and one upper and one lower case character in your password that must be at least 6 characters and no more than 8," over allowing total freedom over the choice of password.



    You'll find that companies that pull this sort of shit actually make the passwords LESS secure, by reducing the search space due to their poorly thought out rules (and if they're specifying the class of characters you MUST use, then it's likely they'll disallow other classes completely in any part of the password. Like spaces, or apostrophes or letters with diacriticals)

    I never understood that; it's one thing to limit the size of the password (albeit, any limit less than 20 is a WTF unto itself), but to say that you cannot use certain ASCII characters (though to be fair, ANY readable character should count) is TRWTF. I agree with you that total freedom over the choice of password should be the standard, not the exception.



  • @dohpaz42 said:

    I never understood that; it's one thing to limit the size of the password (albeit, any limit less than 20 is a WTF unto itself), but to say that you cannot use certain ASCII characters (though to be fair, ANY readable character should count) is TRWTF. I agree with you that total freedom over the choice of password should be the standard, not the exception.
     

    Hackers use non-ASCII charactes to hack HTML pages, so you shouldn't let them input such dangerous, loaded characters into an HTML page.

    Also, non-ASCII characters will sometimes break the code when you concatenate them to the SQL string variable. Sure, it's a developer's rule that every variable that goes into the SQL string has to have a .Replace() for every bad character we've thought of, but sometimes the developer forgets. Coding for non-ASCII characters is hard.

    And finally, some non-ASCII characters don't sit well in the database. If someone puts in a weird character, what if it breaks the database? Or worse, what if it makes the value of the password field unreadable? How is support supposed to read a user their password over the phone if it has weird characters that don't show up on screen? The support guy already has enough problems to worry about since he's also the developer and QA guy and still hasn't picked up my new ergo keyboard from Best Buy yet. I'll send him to do it on his lunch. 


  • Discourse touched me in a no-no place

    @Lorne Kates said:

    Hackers use non-ASCII charactes to hack HTML pages, so you shouldn't let them input such dangerous, loaded characters into an HTML page. <snip>
    I do hope you were kidding with that post.



  • @PJH said:

    @Lorne Kates said:
    Hackers use non-ASCII charactes to hack HTML pages, so you shouldn't let them input such dangerous, loaded characters into an HTML page. <snip>
    I do hope you were kidding with that post.
     

    Yes and no. Yes because it's a string of fucking stupid ass ideas.

    No, because those are actually reasons given for not allowing non-standard characters in a password. =(



  • @Lorne Kates said:

    Also, non-ASCII characters will sometimes break the code when you concatenate them to the SQL string variable. Sure, it's a developer's rule that every variable that goes into the SQL string has to have a .Replace() for every bad character we've thought of, but sometimes the developer forgets. Coding for non-ASCII characters is hard.

    Heh. TRWTF?

    Though I suppose that when hashing or whatever, you could get into trouble with non-ASCII encodings. Maybe? I'm a unicode retard, and I don't know other encodings either, so maybe that's a non-issue, but it seems like at least a potential for trouble under some circumstances, like later logging in from a different machine / browser that is set up differently?



  • @Lorne Kates said:

    Hackers use non-ASCII charactes to hack HTML pages, so you shouldn't let them input such dangerous, loaded characters into an HTML page.
     

    Also, hackers are not sophisticated enough to try passwords that contain non-alphanumeric characters and capitals. That's why passwords like "123456Aa" are the best.

    And hackers still haven't figured out that in dictionary attacks, they could try to replace lowercase L's with 1's and O's with zeros...



  • @Kazan said:

    there is a reason to force it in passwords.  called SECURITY.
     

    I once worked at an organization where when the sysadmins reset a password, they changed it to "123456Aa". Then on first login the user had to change it, so some people changed it to  "123456Bb". Guess what they did when that password expired.

    The problem is not that requiring at least one digit narrows search space. It's that the search space is much less than "all strings consisting of letters only" to begin with.



  • @levbor said:

    The problem is not that requiring at least one digit narrows search space. It's that the search space is much less than "all strings consisting of letters only" to begin with.

    The rainbow table already has everything in the search space that users are likely to pick as passwords. This is not an excuse for services to not allow all characters in the password, I'm just sayin'... it probably doesn't make a lot of difference to the vast majority of users.



  • @blakeyrat said:

    The rainbow table already has everything in the search space that users are likely to pick as passwords.
     

    Maybe the requirement should be to pick passwords that are missing from the rainbow table.



  • @levbor said:

    @blakeyrat said:

    The rainbow table already has everything in the search space that users are likely to pick as passwords.
     

    Maybe the requirement should be to pick passwords that are missing from the rainbow table.

    "Your password must be between 5 and 10 characters, contain at least 1 uppercase letter, 1 lowercase letter, and 1 digit, and not be any of the following 40,000,000 already-compromised passwords:

    password

    password12

    124password

    pas123sword

    etc."



  •  @zzo38 said:

    Problems are using javascript, instead of SSH (secure shell)
    What the fuck are you bitches babbling about?



  • @Mole said:

     I wouldn't say that was too much of a WTF. After all, one of the companies I've work for in the past was afraid of two people having the same name, so your login name for the network was "<firstname>.<lastname>.<employee reference number>". Your email was the same with just @somecompany.com appended. The ERN, as they called it, was always 6 digits, and so mine started with '00'. 

    My company uses a "First letter of the name, plus as many letters of the surname to make a unique login (at least 2)" rule. You can imagine how well it works when Tony Ng has to receive an account aften Tranh Nguyen did.
    I think the first-level emergency measure of "first name initial, middle name initial, then two or more from last name" haven't failed yet, but it's just a matter of time.

    Said that, some of the acronyms that happened in logins are snickerworthy to everyone. Except, I guess, the user.



  • @bannedfromcoding said:

    My company uses a "First letter of the name, plus as many letters of the surname to make a unique login (at least 2)" rule. You can imagine how well it works when Tony Ng has to receive an account aften Tranh Nguyen did.

    I think the first-level emergency measure of "first name initial, middle name initial, then two or more from last name" haven't failed yet, but it's just a matter of time.


    Yes, those schemes are pretty common. Usually, numbers start showing up eventually.



  • @bannedfromcoding said:

    My company uses a "First letter of the name, plus as many letters of the surname to make a unique login (at least 2)" rule. You can imagine how well it works when Tony Ng has to receive an account aften Tranh Nguyen did.
     

    I don't have to imagine.  They made lookahead-completion of e-mail addresses automatic when sending stuff internally.  Every time I wanted to pop off a note to my buddy Mike Palmisano, I had to go all the way through the last name, then to the first initial, and it still sent it to his sister Mary instead.

    Glad they included this time-saving feature.



  • @boomzilla said:

    @bannedfromcoding said:

    My company uses a "First letter of the name, plus as many letters of the surname to make a unique login (at least 2)" rule. You can imagine how well it works when Tony Ng has to receive an account aften Tranh Nguyen did.

    I think the first-level emergency measure of "first name initial, middle name initial, then two or more from last name" haven't failed yet, but it's just a matter of time.


    Yes, those schemes are pretty common. Usually, numbers start showing up eventually.

     

    We have a client whose usernames are a string of digits with an N at the beginning. Some kind of employee ID number. But it makes it look like everyone who logs into our system is really an airplane.



  • @Someone You Know said:

    We have a client whose usernames are a string of digits with an N at the beginning. Some kind of employee ID number. But it makes it look like everyone who logs into our system is really an airplane.
     

    It was like that at my uni: everyone's usernames began with a q or a d (depending on how the student was initially enrolled: "QTAC" or "direct") then 7 numbers, the first two being the year of enrollment. So I had Q98xxxxx. The student number was 9 characters - the same plus a check digit on the end. But for some reason Q00 couldn't work so students enrolling in 2000 had a Q10 prefix. About then they also added a W prefix, presumably for "web enrollment". Interestingly I was friends with the Q99 and Q10 studens with the same "xxxxx". :-)

    And student email addresses included the "mail" of the mail server, like "q98xxxxx@mail.something.example.edu.au"

     



  • You are so lucky I don't have "cool story bro" on my web server.



  • @blakeyrat said:

    You are so lucky I don't have "cool story bro" on my web server.

    You mean, this one?


    Super Cool Story Bro.



  • @blakeyrat said:

    You are so lucky I don't have "cool story bro" on my web server.
     




  • I prefer the original Hercules one:


    (Hotlinked, don't hit me!)

    It's even funnier in-context.

    I still don't get why anybody would type a detailed description of how their school created usernames and assigned email servers, and think any of us would give a flying fuck.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.