Change your password? $19 please.



  • Recently I found out about KeePass and now I'm in the proccess of centralizing all my 200+ passwords in one place, finding out wich ones are still active, changing the ones used in multiple places, etc. Right now I logged into Netmovies.com.br (Brazilian netflix clone), it accepts my old password and directs me to a "please pay $19 to reactivate your account". There's nothing I can do. I can't access my profile page, or any page at all, if I don't proceed with payment. Isn't it wonderful?



  • I missed the part where you explain why this payment is in error.



  • It isn't. Not allowing me to change my password (or doing anything account-related) prior to paying, however, is.



  • Why?

    I don't get it. If you're not paying them, if you have no stored payment information, what does it matter if you can't change your password? Are you afraid someone's going to break into your account and pay your $19 for you? Are you concerned they'll sell your valuable streaming queue to the black market?



  • @blakeyrat said:

    if you have no stored payment information

    Some things will continue to store that after you stop using them (so it takes less to restart).  No idea if this one does, but it could be.  Of course if the site did so it would help for atipico to have told us this was the case.



  • @blakeyrat said:

    what does it matter if you can't change your password? Are you afraid someone's going to break into your account and pay your $19 for you?

    I'm changing my passwords on every site I can remember to make sure no password is used twice, but it is a tedious and time demanding task and might take a few days, or weeks. I'm slightly concerned in the meantime, if my account info is compromised, the hackers might try to use the same email/password combination somewhere else. What if the passwords are stored in plaintext, easily crackable or something? Not a real threat, I'm just being way too paranoid. No one is that interested in my passwords. I know that.


    TRWTF is not having the ability to change my account info. There are other websites offering paid subscription-based services, where the payment have expired, and I can't access the content, but besides that can navigate and alter my info as a normal user. Isn't this "the right way of doing stuff"?



  • @locallunatic said:

    No idea if this one does, but it could be.

    Unfortunately, I have no idea too. That's been ages since I signed up, used only a couple times and forgot about it. Now I can't check it because, hey, if I click ANYWHERE the only thing I get is that inactive account message. I really mean anywhere. Except logout. I can't even browse their catalog.

    In my opinion, this is a fail because users don't feel welcome, I feel like I'm being punished or something. C'mon, change my password? See if they have my CC info stored? No, I gotta pay first. And I can't even browse the catalog to see if it is worthwhile. (I guess maybe if I logout then I possibly could browse the catalog, but c'mon? Usability?)



  • I'm still confused...

    So you go to the Netflix Brazil site and when you try and change your password there it redirects you to KeePass asking for $19?

    Or you are trying to change your information for this Netflix clone within KeePass and it's asking you to pay?

    If KeePass is involved, I don't really see a WTF here... they provide a service they have decided to charge for and you would need to pay to access data associated with that service they provide.

    Why can't you just go to the Netflix website directly and change your password?



  • @xbigdanx said:

    I'm still confused...

    Are you high or something? Or are you making fun of me?



  • @xbigdanx said:

    I'm still confused...
    You're the only one.



  • @atipico said:

    @xbigdanx said:
    I'm still confused...

    Are you high or something? Or are you making fun of me?

    You are using a service that costs money to use and think it odd when they ask you to pay?



  • @atipico said:

    @xbigdanx said:
    I'm still confused...

    Are you high or something? Or are you making fun of me?

    I get it now.... the fact that its a password management tool was throwing me off. Yes... this is a WTF. Sorry, it's friday, I'm already in shutdown mode



  • While I guess it would be marginally better if they allowed you to update your password without paying, it's not something I would expect.

    Even if they are storing your password in plaintext, there's no reason to assume that updating it will destroy all traces of your old password in their system. What if they have backups?

    And if you have some goal other than destroying your old password, wouldn't it necessarily involve reactivating anyway?



  • @superjer said:

    And if you have some goal other than destroying your old password, wouldn't it necessarily involve reactivating anyway?
    All he wants to do is change the password.  He doesn't want to reactivate the service.  It was a generic password used on multiple systems, he saw the light, and he wants to change it.  Das ist alles.  Ain't no more.  And he can't perform that simple function of changing the password without reactivating the account.



  • @nonpartisan said:

    All he wants to do is change the password.  He doesn't want to reactivate the service.  It was a generic password used on multiple systems, he saw the light, and he wants to change it.  Das ist alles.  Ain't no more.  And he can't perform that simple function of changing the password without reactivating the account.

     

    To what end? The only two possibilities that have been mentioned are:

    • Mine: destroying all traces of the old password
    • Blakeyrat's: preventing someone else from paying the $19 

    Is there anything else? Honest question.

     



  • @superjer said:

    To what end? The only two possibilities that have been mentioned are:

    • Mine: destroying all traces of the old password
    • Blakeyrat's: preventing someone else from paying the $19 

    Is there anything else? Honest question.

    My honest answer is that it should seem obvious as to the problems with hijacking someone else's account.  I know Netflix in the US claims to not have late fees, but do they charge a penalty for ruined disks?  Does this Brazilian company have such charges?  (Don't have Netflix myself, have too many other things to do than sit around watching TV all day, which I readily admit I would do if I had Netflix.)  If so, OP could get other charges racked up on his account.  What if OP does want to reactivate the account at some point after it has been hijacked?  How's he going to prove it wasn't him?

    What if OP's account gets hacked and it ends up being the first step in a systemwide attack?  The first step is getting in the door.

    I applaud OP for wanting to change his password.  Not sure how I feel about the service not allowing a password change on an inactive account, but he should be supported for wanting to change it.



  •  It's not exactly a major WTF, but it certainly is what I would call odd behaviour. I have inactive accounts on several MMO games I don't play any more. On all of those I can log into my account, change my password, change payment or contact details, or any other standard account management functions all without having to re-activate my account. I would expect all similar account systems to behave the same.



  •  What about the "I forgot my password" feature? If it's not too badly coded, it should generate a random password and mail it to you.



  • Just sounds like laziness or "effort conservation" on the developer/company's side.



    Imagine if they allowed that.

    Because then you'd have to have the system designer decide which screens are accessible by inactive logged in users e.g. allow him basic account functions, browsing the catalog too, deny content access... what about trailer videos, those are free, do we allow access... etc etc... add in the testing effort on all those screens to check active logged in acct vs inactive logged in vs logged out, and you have several hundred manhours on your hands... and you still have the risk of a vulnerable page accidentally allowing content to inactive users, either due to a design oversight, or a cowboy developer not following standards.



    So they just said, deny everything to inactive accts, except logout. Just add the code to the universal header include or something.

    Makes some sense, and is SO much easier.

    Not a wtf at all.



  • @nonpartisan said:

    I know Netflix in the US claims to not have late fees, but do they charge a penalty for ruined disks?  Does this Brazilian company have such charges?  (Don't have Netflix myself, have too many other things to do than sit around watching TV all day, which I readily admit I would do if I had Netflix.)
     

     The Brazilian Netflix won't send you disks. By the price transportation costs here, that would not be even viable.

    Anyway, the OP is still doing the wrong thing. We change the password of the sites that we care about to something secure. We just don't care about the sites we don't care about... And he should not use his old password in any important site anyway, so even if Netflix has it, it shouldn't matter.

     @nonpartisan said:

    What if OP's account gets hacked and it ends up being the first step in a systemwide attack?  The first step is getting in the door.

    What? Attack into what? Netflix? What difference does it make if the attacker uses the OP disabled account or creates a new one?

     



  • @blakeyrat said:

    I don't get it. If you're not paying them, if you have no stored payment information, what does it matter if you can't change your password? Are you afraid someone's going to break into your account and pay your $19 for you? Are you concerned they'll sell your valuable streaming queue to the black market?

    I'd have to agree here since in order for any hacker to access your information, they'd have to pay the $19 in order to get at it. Sure, if there's a big "click here to renew without confirming anything" button then it'd be a WTF, but if you're locked out, so are they.



  • @Soviut said:

    I'd have to agree here since in order for any hacker to access your information, they'd have to pay the $19 in order to get at it. Sure, if there's a big "click here to renew without confirming anything" button then it'd be a WTF, but if you're locked out, so are they.

    Ummmm... no. The risk is that NetFlix Brazil doesn't follow proper password storage practices and a site hack allows an attacker to do an offline password crack. The attacker will get his password without paying the $19 and will be able to try to use it on other popular sites.

    It seems to me that the easiest solutions is to simply write that password off. Change every password that is actually important and don't reuse the frozen NetFlix password.



  • Fuck, all this and the problem is "I can't change the password on a site I don't use anymore" which, really, isn't a problem.

    Oh, and if any more of you spectacular retards want to pop up to say "But what if the hacker gets his crusty old password and tries to use it to get into his accounts on other sites?" HE'S CHANGING ALL HIS PASSWORDS! Goddammit, this has been covered. And anyone who goes to the trouble of changing all their passwords and does so in a way that reuses old passwords is a colossal twat who deserves to have their shit stolen.



  • why are you so angry



  • @dhromed said:

    why are you so angry

    Given his name, I'm assuming that someone is or was just on his lawn.



  • @Jaime said:

    Ummmm... no. The risk is that NetFlix Brazil doesn't follow proper password storage practices and a site hack allows an attacker to do an offline password crack. The attacker will get his password without paying the $19 and will be able to try to use it on other popular sites.

    Yes but the whole point of this exercise is that he's changing all of his passwords. So that attack won't work, since the Netflix Brazil password isn't used anywhere else. Duh.

    @Jaime said:

    It seems to me that the easiest solutions is to simply write that password off. Change every password that is actually important and don't reuse the frozen NetFlix password.

    He's already done that! It's in the first flippin' post! THE VERY FIRST POST! Aaaaa



  • @boomzilla said:

    Given his name, I'm assuming that someone is or was just on his lawn.
     

    Holding a purple dildo and winking at him.



  • @blakeyrat said:

    @Jaime said:
    Ummmm... no. The risk is that NetFlix Brazil doesn't follow proper password storage practices and a site hack allows an attacker to do an offline password crack. The attacker will get his password without paying the $19 and will be able to try to use it on other popular sites.
    Yes but the whole point of this exercise is that he's changing all of his passwords. So that attack won't work, since the Netflix Brazil password isn't used anywhere else. Duh. @Jaime said:
    It seems to me that the easiest solutions is to simply write that password off. Change every password that is actually important and don't reuse the frozen NetFlix password.
    He's already done that! It's in the first flippin' post! THE VERY FIRST POST! Aaaaa

    Don't tell me that, tell Soviut.  I was simply reminding him of the very fact that you think I'm not aware of.



  • You should call them on the phone and tell them to close your account.  Don't relent until it stops telling you that you owe money and tells you that you don't have an account.

    Also, your OCD may be showing.  Just let it go.  You're using unique random passwords everywhere else, right?



  • @Medinoc said:

     What about the "I forgot my password" feature? If it's not too badly coded, it should generate a random password and mail it to you.

    This does seem like the obvious fallback.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.