• monkeyPushButton (unregistered)

  • Patrick (unregistered)

    This may be the first comment, but I predict that some smartass will post "*****" in the few seconds before I hit "submit".

    In any case, doesn't this mean that anyone can log in with any password just as long as it has the same number of characters?

  • Patrick (unregistered) in reply to monkeyPushButton
    monkeyPushButton:
    *******
    Your originality astounds me. Like, no-one else could possibly have thought of trying this joke. It was just so funny, I forgot to laugh. Away with ye, before I taunt you some more.
  • ******* (unregistered)

    **************!!1!

  • Remy Porter (cs)

    Actually, TDWTF's comment system is pretty clever. If you type your password into the message box, like this "*************", you can still see it, but any other user reading the comments just sees stars. Really! Try it!

    //I have to point out: don't actually do this. I pulled the same gag in another forum and somebody actually did fall for it.

  • Jumble (unregistered)

    The get method is really misleading. What if their password isn't "hunter2"?

  • anoldhacker (unregistered) in reply to Remy Porter
    Remy Porter:
    Actually, TDWTF's comment system is pretty clever. If you type your password into the message box, like this "*************", you can still see it, but any other user reading the comments just sees stars. Really! Try it!

    //I have to point out: don't actually do this. I pulled the same gag in another forum and somebody actually did fall for it.

    wuss

  • bash (unregistered) in reply to monkeyPushButton
    monkeyPushButton:
    hunter2
    Yes, we only see ******
  • anonymous (unregistered) in reply to Jumble
    Jumble:
    The get method is really misleading. What if their password isn't "*******"?

    hmm, good point.

  • dkf (cs) in reply to Patrick
    Patrick:
    In any case, doesn't this mean that anyone can log in with any password just as long as it has the same number of characters?
    So long as they use more than the minimum number, they'll be fine. The real question is whether any code (outside the set) can see the password as it really is; if not, everyone's using “hunter2” whether they like it or not…
  • PASSW0RD (unregistered)

    0******789

    CAPTCHA: ******

  • SR (unregistered) in reply to Patrick
    Patrick:
    Your originality astounds me. Like, no-one else could possibly have thought of trying this joke. It was just so funny, I forgot to laugh. Away with ye, before I taunt you some more.

  • DjFm (cs)

    Yes hangman!

    F?

  • woohoo (unregistered)

    User.MIN_USER_LENGTH

    What is the height requirement to use their system then?

  • Anonanon (unregistered) in reply to DjFm
    DjFm:
    Yes hangman!

    F?

    F*** FF *** F***** *******

  • SilverEyes (unregistered) in reply to Anonanon

    K, C, O, and U.

  • Some guy (unregistered) in reply to Anonanon
    Anonanon:
    DjFm:
    Yes hangman!

    F?

    F*** FF *** F***** *******

    Can I buy a U?

  • DjFm (cs)

    B?

  • frits (cs) in reply to Anonanon
    Anonanon:
    DjFm:
    Yes hangman!

    F?

    F*** FF *** F***** *******

    OK, Wheel of Fortune style:

    RSTLN E

    F*** FF *** FN *SSLE

  • Anonymous (unregistered)

    So wait, their business objects return "*******" for the password property? How does calling code work with the real value? Any why the hell is there GUI code (System.Windows.Forms.MessageBox calls) in the business objects? And is that a changed event? Why do you need a changed event if the changed value is a big secret that can't even be exposed to other parts of the code? I guess what I'm asking is, in summary, what on Earth is this steaming pile of crap?! Why create an n-tiered application if you're just going to piss all over the fundamental principles therein?

  • BentFranklin (unregistered)

    Why do they use try/catch around String.Format? Does this really generate exceptions?

    Captcha: uxor -- unsigned xor?

  • Anon (unregistered) in reply to woohoo
    woohoo:
    User.MIN_USER_LENGTH

    What is the height requirement to use their system then?

    MIN_USER_LENGTH is not the user's height, unless horizontal, if you know what I mean.

  • frits (cs)

    Of course you don't send unvalidated data to a MessageBox. It's expecting button clicks, or maybe the space, tab, or enter key.

  • wasn't me (unregistered) in reply to Some guy
    Some guy:
    Anonanon:
    DjFm:
    Yes hangman!

    F?

    F*** FF *** F***** *******

    Can I buy a U?

    And I buy an O.

    Lemme guess the result:

    FU** OFF OU FU**** **O

    ;oP

  • Anonymous (unregistered) in reply to BentFranklin
    BentFranklin:
    Why do they use try/catch around String.Format? Does this really generate exceptions?

    Captcha: uxor -- unsigned xor?

    Yes, pretty much what you'd expect really - you get an ArgumentNullException if the argument is null (surprise) and you get a FormatException if the given format is invalid.
  • Mike (unregistered)

    Without commenting on the code itself, I've seen this type of thing before. It wasn't all that uncommon at my previous place of employment. We would get code from an offshore contract that was this bad and would do things like log passwords to text files, and when we cried foul they would "fix" it in a manner eerily similar to this. I'm betting that's exactly what happened here.

  • Megatron (unregistered) in reply to Anonymous
    Anonymous:
    I guess what I'm asking is, in summary, what on Earth is this steaming pile of crap?!

    Well said!

  • Steve (unregistered) in reply to monkeyPushButton
    monkeyPushButton:
    *******
    Patrick:
    This may be the first comment, but I predict that some smartass will post "*****" in the few seconds before I hit "submit".

    In any case, doesn't this mean that anyone can log in with any password just as long as it has the same number of characters?

    QFPA (quoted for personal amusement)

  • Cad Delworth (cs)

    Well, at least you can tell if the event handler failed: that's the only case where you'd get ****** passed back instead of ********!

    Hangman: FUCK OFF YOU FUCKING ASSHOLE! Have I won the car, Vanna?!!

  • SOLID Man (unregistered)

    So really its a Separation of Concerns (SoC) WTF, or is that Single Responsibility Principle (the 'S' in SOLID)?

  • java.lang.Chris; (cs)

    On a related note, we had an interesting customer complaint about a password recently. The guy was trying to log in, and sent us a profanity laden email when he couldn't. For reasons known only to my predecessor, passwords are stored in our database in plain text rather than being hashed, so I took a look at this guys password in order to attempt a log in. His password was:

    ●●●●●●●●●●●

    It turns out he'd cut and pasted his favourite password from a web form in his web browser, which had been set to store passwords.

  • Brompot (unregistered) in reply to Anon
    Anon:

    MIN_USER_LENGTH is not the user's height, unless horizontal, if you know what I mean.

    My horizontal height tends to increase under the influence of beer. Given enough nights of drinking I may yet be allowed into their system.

  • re:me (unregistered) in reply to Patrick
    Patrick:
    monkeyPushButton:
    *******
    Your originality astounds me. Like, no-one else could possibly have thought of trying this joke. It was just so funny, I forgot to laugh. Away with ye, before I taunt you some more.

    You've got mad taunting skillz!

  • Anon (unregistered) in reply to java.lang.Chris;
    java.lang.Chris;:
    On a related note, we had an interesting customer complaint about a password recently. The guy was trying to log in, and sent us a profanity laden email when he couldn't. For reasons known only to my predecessor, passwords are stored in our database in plain text rather than being hashed, so I took a look at this guys password in order to attempt a log in. His password was:

    ●●●●●●●●●●●

    It turns out he'd cut and pasted his favourite password from a web form in his web browser, which had been set to store passwords.

    Unfortunately our system uses plain test passwords too, except this is by design. It turns out people in the motor trade are too fucking retarded to remember a password, even if it's the same as their name, and they call up constantly wanting their password. We tried implementing hashed passwords with two step reset password setup, but their knuckles dragging across the keyboards meant it didn't work. In the end we went back to the original system that makes me cry when ever I look at it. For what it's worth, we don't store anything other than their name, email address and vehicle preferences.

  • ForcedSterilizationsForAll (unregistered) in reply to wasn't me
    wasn't me:
    Some guy:
    Anonanon:
    DjFm:
    Yes hangman!

    F?

    F*** FF *** F***** *******

    Can I buy a U?

    And I buy an O.

    Lemme guess the result:

    FU** OFF OU FU**** **O

    ;oP

    FUME OFF YOU FUNERAL MERLOCK?

    What the hell does that mean? Is a Merlock something like a Grue?

  • Bosshog (unregistered) in reply to monkeyPushButton
    monkeyPushButton:
    *******
    This is the same as the combination on my luggage.
  • Crash Magnet (unregistered) in reply to Anon
    Anon:
    Unfortunately our system uses plain test passwords too, except this is by design. It turns out people in the motor trade are too fucking retarded to remember a password, even if it's the same as their name, and they call up constantly wanting their password. We tried implementing hashed passwords with two step reset password setup, but their knuckles dragging across the keyboards meant it didn't work. In the end we went back to the original system that makes me cry when ever I look at it. For what it's worth, we don't store anything other than their name, email address and vehicle preferences.

    Then why not get rid of the name and password requirement and just ask for their email address? Is vehicle preference really such a sensitive bit of information?

  • Jaime (cs)

    Why does a middle tier project even reference System.Windows.Forms???? That's so much of a WTF that Microsoft added a new feature to Visual Studio 2010 called "Layer Validation" that allows the system to fail builds when stupid things are referenced.

  • java.lang.Chris; (cs) in reply to Crash Magnet
    Crash Magnet:
    Anon:
    Unfortunately our system uses plain test passwords too, except this is by design. It turns out people in the motor trade are too fucking retarded to remember a password, even if it's the same as their name, and they call up constantly wanting their password. We tried implementing hashed passwords with two step reset password setup, but their knuckles dragging across the keyboards meant it didn't work. In the end we went back to the original system that makes me cry when ever I look at it. For what it's worth, we don't store anything other than their name, email address and vehicle preferences.

    Then why not get rid of the name and password requirement and just ask for their email address? Is vehicle preference really such a sensitive bit of information?

    My guess: it's probably because the name is a "user name" or "screen name" - something that, unlike an email address, doesn't need change when the account holder changes ISP or free email provider.

  • Helix (cs) in reply to re:me
    re:me:
    Patrick:
    monkeyPushButton:
    *******
    Your originality astounds me. Like, no-one else could possibly have thought of trying this joke. It was just so funny, I forgot to laugh. Away with ye, before I taunt you some more.

    You've got mad taunting skillz!

    smack-dab

  • Helix (cs) in reply to Helix
    Helix:
    re:me:
    Patrick:
    monkeyPushButton:
    *******
    Your originality astounds me. Like, no-one else could possibly have thought of trying this joke. It was just so funny, I forgot to laugh. Away with ye, before I taunt you some more.

    You've got mad taunting skillz!

    smack-dab

    sorry i meant to say: smack-dab and ball-slap

  • java.lang.Chris; (cs) in reply to Jaime
    Jaime:
    Why does a middle tier project even reference System.Windows.Forms???? That's so much of a WTF that Microsoft added a new feature to Visual Studio 2010 called "Layer Validation" that allows the system to fail builds when stupid things are referenced.

    I wish I could find an off the shelf Java tool or IDE plugin that does that kind of layer validation. Instead, I have a script that looks for imports from JDBC and GUI related packages or JDBC and Servlet (actually a framework abstraction package, but the principle is the same) packages in the same class.

  • Anonymous (unregistered) in reply to java.lang.Chris;
    java.lang.Chris;:
    Jaime:
    Why does a middle tier project even reference System.Windows.Forms???? That's so much of a WTF that Microsoft added a new feature to Visual Studio 2010 called "Layer Validation" that allows the system to fail builds when stupid things are referenced.

    I wish I could find an off the shelf Java tool or IDE plugin that does that kind of layer validation. Instead, I have a script that looks for imports from JDBC and GUI related packages or JDBC and Servlet (actually a framework abstraction package, but the principle is the same) packages in the same class.

    I have an automated tool just like this. If anyone puts GUI logic into the business layer it triggers a task that drafts their letter of dismissal and fires their incompetent ass. It works well although you need to be careful if you have the "dismiss on warnings" option enabled. But hey, real coders treat warnings like errors so it's all good.
  • usitas (unregistered) in reply to java.lang.Chris;
    java.lang.Chris;:
    Jaime:
    Why does a middle tier project even reference System.Windows.Forms???? That's so much of a WTF that Microsoft added a new feature to Visual Studio 2010 called "Layer Validation" that allows the system to fail builds when stupid things are referenced.

    I wish I could find an off the shelf Java tool or IDE plugin that does that kind of layer validation. Instead, I have a script that looks for imports from JDBC and GUI related packages or JDBC and Servlet (actually a framework abstraction package, but the principle is the same) packages in the same class.

    This is why you set hard application boundaries so that the DB layer is safely protected in its own jar

  • Herby (unregistered)

    After we are done playing with wheel of fortune, I wonder why (is there ay other type of wonder) there isn't a built in language property (not some lame library) that does password stuff. Given the multitude of times this is REALLY screwed up, it probably wouldn't be a bad idea. Nice and normal.

    Then again, given the user population it would be screwed up badly anyway, so it wouldn't matter. Oh, well.

  • SR (unregistered) in reply to Cad Delworth
    Cad Delworth:
    Well, at least you can tell if the event handler failed: that's the only case where you'd get ****** passed back instead of ********!

    Hangman: FUCK OFF YOU FUCKING ASSHOLE! Have I won the car, Vanna?!!

    Close but no car. The 4th word was JOYLESS.

    JOYLESS

  • usitas (unregistered) in reply to SR
    SR:
    Close but no car. The 4th word was JOYLESS.

    JOYLESS

    That still doesn't explain what a MERLOCK is...

  • Jay (unregistered) in reply to Crash Magnet
    Crash Magnet:
    Then why not get rid of the name and password requirement and just ask for their email address? Is vehicle preference really such a sensitive bit of information?

    Apparently you don't live near a GM factory. If you did, you'd know that having a vehicle preference that is NOT GM results in making you a social pariah far worse than if you admitted to being a pedophile or a terroist-sympathizer. If you actually OWN a non-GM car, you are liable to find it routinely vandalized.

  • Dr Otter (unregistered)

    So setting the password to null is okay, is it? Lovely; I'll do that then.

    Captcha: esse n. What a Mexican child does for homework.

  • ullamcorper (unregistered) in reply to frits
    frits:
    F*** *FF *** F****N* *SS**LE

    Fret iff not finding assmole?

Leave a comment on “Don't Pass The Password”

Log In or post as a guest

Replying to comment #:

« Return to Article