Autocomplete



  • From requirements...


    "For v1.0, there will be no Windows logins, generic usernames/passwords, or CACs. Each individual user/instructor will be required to have his or her own unique username and password. The login box will feature autocomplete to aid in username entry and also contain the last 10 usernames used on the system in a dropdown available for selection. For v1.0, there will be no way to close or exit from the login box without logging in."


    Autocomplete on a 'secure' login? Yeeeahhhh... that seems like a GREAT idea!


    I'm not even going to go into the password/username recovery mode, which apparently just requires you to enter in your name, rank, and birthday to get it displayed in plain text on the screen.


    This is all stuff found in the first three paragraphs of the requirements document, which is quite large. I'm not looking forward to reading through the rest of it. :(



  • @CodeNinja said:

    From requirements...


    "For v1.0, there will be no Windows logins, generic usernames/passwords, or CACs. Each individual user/instructor will be required to have his or her own unique username and password. The login box will feature autocomplete to aid in username entry and also contain the last 10 usernames used on the system in a dropdown available for selection. For v1.0, there will be no way to close or exit from the login box without logging in."


    Autocomplete on a 'secure' login? Yeeeahhhh... that seems like a GREAT idea!


    I'm not even going to go into the password/username recovery mode, which apparently just requires you to enter in your name, rank, and birthday to get it displayed in plain text on the screen.


    This is all stuff found in the first three paragraphs of the requirements document, which is quite large. I'm not looking forward to reading through the rest of it. :(

    You should send a note to Compliance or Legal departments, this will come handy during the trial...



  • You should totally tell them about a solution a boss of mine thought up so that you could log in even if you only vaguely remember your password. Then let them make a mashup of both solutions and see what happens. From a safe distance, of course.



  • @Requirements said:

    For v1.0, there will be no way to close or exit from the login box without logging in.

    I like this part, personally. NO WAY to close or exit from the login box. EVER!

    Edit: I also like how they summarize "dialog box" with "box" and not "dialog".



  • @blakeyrat said:

    @Requirements said:
    For v1.0, there will be no way to close or exit from the login box without logging in.

    I like this part, personally. NO WAY to close or exit from the login box. EVER!

    Edit: I also like how they summarize "dialog box" with "box" and not "dialog".



    Because in v1.1 you actually can close the login box and the application will continue to function, it just won't write to the database. It will, however, still read from it.

    Also, oddly enough, the login dialog shouldn't pop up at application startup. I've yet to actually find where and when it should, I think they forgot that part.


  • @CodeNinja said:

    Because in v1.1 you actually can close the login box and the application will continue to function, it just won't write to the database. It will, however, still read from it.
     

    Wut?

    Some breach of data protection there, shirley?



  • @Cassidy said:

    @CodeNinja said:

    Because in v1.1 you actually can close the login box and the application will continue to function, it just won't write to the database. It will, however, still read from it.
     

    Wut?

    Some breach of data protection there, shirley?





    Just a little! But it's OK, we won't tell anyone.



  • @CodeNinja said:

    @Cassidy said:

    @CodeNinja said:

    Because in v1.1 you actually can close the login box and the application will continue to function, it just won't write to the database. It will, however, still read from it.
     

    Wut?

    Some breach of data protection there, shirley?





    Just a little! But it's OK, we won't tell anyone.



  • @Cassidy said:

    @CodeNinja said:

    Because in v1.1 you actually can close the login box and the application will continue to function, it just won't write to the database. It will, however, still read from it.
     

    Wut?

    Some breach of data protection there, shirley?

    that's how "anonymous" gets access to all kinds of data



  • @CodeNinja said:



    Because in v1.1 you actually can close the login box and the application will continue to function, it just won't write to the database. It will, however, still read from it.

    Also, oddly enough, the login dialog shouldn't pop up at application startup. I've yet to actually find where and when it should, I think they forgot that part.

    So v1.1 is the current version and v1.0 is the next version... are you working on Minecraft?



  • @MiffTheFox said:

    @CodeNinja said:


    Because in v1.1 you actually can close the login box and the application will continue to function, it just won't write to the database. It will, however, still read from it.

    Also, oddly enough, the login dialog shouldn't pop up at application startup. I've yet to actually find where and when it should, I think they forgot that part.

    So v1.1 is the current version and v1.0 is the next version... are you working on Minecraft?





    It's asinine the way they came up with these version numbers.


    What they are calling 'v1.1' is actually what was originally supposed to be the initial release, 'v1.0' if you will. However, due to constantly changing requirements and the person who wrote the software quitting last month, they've decided that our project is in 'Critical Risk of not meeting its target'. This decision was made even though the 'target' is an internal-only deadline and they decided we were 'Critical Risk' without any input from the software team or software leads; it was the hardware, QA, and Project Managers who decided Software was way behind (we aren't). So they moved the goalposts: what I'd consider 'v0.8' is now 'v1.0' and our old goal is 'v1.1'.


    What's funky is that half the stuff they cut out of 'v1.0' is already completed, so it didn't actually cut time back. In fact, some of the things they want for v1.0 are a step backwards from v1.1, so now we have to take time to undo it.



  • @CodeNinja said:

    The login box will feature autocomplete to aid in username entry
     

    Not a WTF, it's the username that is autocompleted, not the password.

    It's not worse than a modern Windows/Linux graphical login box that displays a list of usernames.



  • @Medinoc said:

    It's not worse than a modern Windows/Linux graphical login box that displays a list of usernames.
     

    .. which is one of the first things I disabled when managing an NT network.[1]

    I still think disclosure of such information is a security risk, particularly if the dialogue was on public-facing applications.

    [1] not for security reasons, but because users would type in their password without checking the login field and attempt to login as the last person wrongly three times, locking THAT account out. Clearing the MRU list meant they were forced to put in their username.



  • @Cassidy said:

    @Medinoc said:

    It's not worse than a modern Windows/Linux graphical login box that displays a list of usernames.
     

    .. which is one of the first things I disabled when managing an NT network.[1]

    I still think disclosure of such information is a security risk, particularly if the dialogue was on public-facing applications.

    [1] not for security reasons, but because users would type in their password without checking the login field and attempt to login as the last person wrongly three times, locking THAT account out. Clearing the MRU list meant they were forced to put in their username.

    This. Having a dictionary of valid usernames is half the battle... See Reverse Brute Force attack.
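
    Added example (not code from the thread or from the project being discussed) of the point made above: a login dialog that lists the last N usernames gives an attacker the first half of every credential pair, and a reverse brute force ("password spraying") run then tries a few common passwords against every exposed account while staying under the per-account lockout. The second half is the detection rule a defender would want: flag a source that fails against many distinct usernames in a short window, which is what distinguishes spraying from one user mistyping their own password. The usernames, passwords, log format and thresholds are all constructed for illustration.

```python
"""Added example: why an exposed username list matters, and how to spot
the spraying pattern it enables.  Names, log format and thresholds are
assumptions, not anything from the thread's project."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Usernames the dialog's MRU dropdown would expose to anyone at the console
# (constructed sample).
EXPOSED_USERNAMES = ["jsmith", "mjones", "rwilliams", "ttaylor", "abrown"]

# The attacker's side of the trade: a short list of likely passwords, tried
# against every exposed account a guess or two at a time.
SPRAY_PASSWORDS = ["Welcome1", "Password1", "Summer2012"]


def spray_attempts(usernames, passwords, per_account_lockout=3):
    """Return the (user, password) pairs a sprayer can try without tripping
    a per-account lockout.  The bound is the lockout threshold, not the
    size of the password list, so the username list is what scales the
    attack."""
    guesses_per_user = max(0, min(len(passwords), per_account_lockout - 1))
    return [(u, p) for u in usernames for p in passwords[:guesses_per_user]]


# Constructed auth-log lines in a syslog-like shape (assumed format).
# 10.0.0.7 sprays four accounts once each; 10.0.0.42 is one user who
# mistypes twice and then gets in.
SAMPLE_LOG = """\
2012-06-01T08:00:01 auth FAIL user=jsmith src=10.0.0.7
2012-06-01T08:00:02 auth FAIL user=mjones src=10.0.0.7
2012-06-01T08:00:03 auth FAIL user=rwilliams src=10.0.0.7
2012-06-01T08:00:04 auth FAIL user=ttaylor src=10.0.0.7
2012-06-01T08:00:05 auth OK   user=abrown src=10.0.0.7
2012-06-01T08:00:30 auth FAIL user=jsmith src=10.0.0.42
2012-06-01T08:00:31 auth FAIL user=jsmith src=10.0.0.42
2012-06-01T08:00:32 auth OK   user=jsmith src=10.0.0.42
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK)\s+user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse the assumed log format into event dicts; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_spray(events, window=timedelta(minutes=5), min_distinct_users=4):
    """Flag sources whose failures hit many *distinct* usernames inside the
    window.  One account failing repeatedly is a forgotten password; many
    accounts failing once each from one source is a spray.  Returns
    {source: sorted list of targeted usernames}."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            failures[e["src"]].append(e)
    flagged = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(users) >= min_distinct_users:
                flagged[src] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    attempts = spray_attempts(EXPOSED_USERNAMES, SPRAY_PASSWORDS)
    print(len(attempts), "guesses without locking anyone out")
    print(detect_spray(parse_log(SAMPLE_LOG)))
```

    The detector keys on distinct usernames per source rather than on failures per account precisely because a sprayer stays below any per-account threshold; a per-account lockout alone never sees the pattern.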



  • Please don't undo your work if it is actually ready!
    Isn't there someone you can talk to about time lost by holding the changes back?



  • @Medinoc said:

    @CodeNinja said:

    The login box will feature autocomplete to aid in username entry
     

    Not a WTF, it's the username that is autocompleted, not the password.

    It's not worse than a modern Windows/Linux graphical login box that displays a list of usernames.



    Which is odd, because the military requires us to disable that kind of login on all the systems. They have to know their username and password there. Since this is a semi-public facing system (insomuch as random recruit Bob can use it, or a General), it has a pretty large throughput of users.

    Keep in mind that all you need to know to reset the password is your user name and DOB or military ID number... and that it lets you do it through the UI, it's not like it emails you a confirmation link to a registered email address. It's just like, "What's your user name and one of these two things... OK, those match, what do you want to change the password to?" and it lets you do it.
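
    Added example, not code from the thread's project: the reset flow described above, written out so the weakness is visible, beside the flow the post contrasts it with (a confirmation token sent out of band). The weak version accepts a date of birth or ID number as if it were a secret and sets the new password straight from the UI; the stronger version issues a random single-use token with an expiry, delivers it to the registered address, gives the same response whether or not the account exists (so the endpoint cannot enumerate usernames), and compares the submitted token in constant time. The user record, the "outbox" standing in for email delivery, and the SHA-256 stand-in for a real password hash are all assumptions for illustration.

```python
"""Added example: the knowledge-based reset the post describes, beside a
token-based one.  User data, delivery channel and hash are stand-ins."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    dob: str           # YYYY-MM-DD; the weak flow treats this as a secret
    military_id: str
    password_hash: str
    email: str


def _hash(pw):
    # Stand-in only; a real system uses a slow hash (bcrypt, scrypt, argon2).
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed user record.
USERS = {"bob": User("bob", "1990-01-15", "123456789", _hash("old"), "bob@example.test")}


# --- The flow as described: match DOB or ID, then set the password in the UI.
def weak_reset(username, dob_or_id, new_password):
    """Anyone who knows a DOB or an ID number (rosters, ID cards, public
    records) can take over the account; nothing proves control of it."""
    u = USERS.get(username)
    if u and dob_or_id in (u.dob, u.military_id):
        u.password_hash = _hash(new_password)
        return True
    return False


# --- Stronger flow: random, single-use, expiring token delivered out of band.
@dataclass
class ResetStore:
    tokens: dict = field(default_factory=dict)   # token -> (username, expiry)
    outbox: list = field(default_factory=list)   # (email, token); stand-in for delivery
    TTL = 15 * 60                                # seconds a token stays valid


def request_reset(store, username, now=None):
    """Same response for known and unknown usernames, so this endpoint
    cannot be used to confirm which accounts exist."""
    now = time.time() if now is None else now
    u = USERS.get(username)
    if u:
        token = secrets.token_urlsafe(32)
        store.tokens[token] = (username, now + store.TTL)
        store.outbox.append((u.email, token))
    return "If that account exists, a reset link has been sent."


def complete_reset(store, token, new_password, now=None):
    """Redeem a token exactly once, within its lifetime.  Matching is done
    with a constant-time compare over every stored token rather than a
    dict lookup, so timing does not leak partial matches."""
    now = time.time() if now is None else now
    submitted = token.encode()
    match = None
    for t in store.tokens:
        if hmac.compare_digest(t.encode(), submitted):
            match = t
    if match is None:
        return False
    username, expiry = store.tokens.pop(match)   # single use, even if expired
    if now > expiry:
        return False
    USERS[username].password_hash = _hash(new_password)
    return True


if __name__ == "__main__":
    print("weak reset with public ID number:", weak_reset("bob", "123456789", "pwned"))
    store = ResetStore()
    print(request_reset(store, "bob"))
    _, tok = store.outbox[-1]
    print("token redeemed:", complete_reset(store, tok, "new-password"))
    print("token reused:", complete_reset(store, tok, "again"))
```

    The token flow still needs rate limiting on both endpoints and a notification to the account holder when a reset completes; what it fixes is the core problem above, that possession of a non-secret identifier is accepted as proof of control of the account.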



  • @CodeNinja said:

    Which is odd, because the military requires us to disable that kind of login on all the systems. They have to know their username and password there. Since this is a semi-public facing system (insomuch as random recruit Bob can use it, or a General), it has a pretty large throughput of users.

    Keep in mind that all you need to know to reset the password is your user name and DOB or military ID number... and that it lets you do it through the UI, it's not like it emails you a confirmation link to a registered email address. It's just like, "What's your user name and one of these two things... OK, those match, what do you want to change the password to?" and it lets you do it.
     

    Wait, so-- If I combine m.dempsey@military.gov with March 14, 1952, I can launch a nuke?

     



  • @Lorne Kates said:

    Wait, so-- If I combine m.dempsey@military.gov with March 14, 1952, I can launch a nuke?


    Probably not, I'd hope that software had better security on it. This is for training records.

