• Hacky (unregistered)

    meh, what a boring ending....

    :-p

  • (cs)
    He insisted that further development would come after Enrique's proposed changes to the system and that all proposed changes would require Enrique's approval before implementation.

    If only that happened in real life.

  • Chacal (unregistered)

    That one wins the jackpot. Even my government customers would fall off their chairs.

  • (cs)

    What??!?!?! A boss that's not a PHB?!?!?!!? WTF?!?!? All my life in I.T. as I know it is coming to an end!?!?!?!?

    Captcha: None, just register yourself already you lazy bastads.

  • (cs) in reply to Hacky
    Hacky:
    meh, what a boring ending....

    :-p

    APRIL FOOLS!

  • foo (unregistered)
    Enrique explained the situation, and fortunately his boss was not only reasonable, but had enough technical knowledge to understand the problem. He insisted that further development would come after Enrique's proposed changes to the system and that all proposed changes would require Enrique's approval before implementation.

    The real WTF here is htat Enrique's boss actually listened to him. What planet is that? I'm moving to whereever Enrique lives!

  • Franz Kafka (unregistered) in reply to AbbydonKrafts
    AbbydonKrafts:
    He insisted that further development would come after Enrique's proposed changes to the system and that all proposed changes would require Enrique's approval before implementation.

    If only that happened in real life.

    Well, Alex does change the details before posting the stories here.

  • Sven (unregistered)

    "A lot of words ran through Enrique's head, most of which can't be printed here. His biggest concern, though, was "what if the user wants to change their password?" "

    Wouldn't ON UPDATE CASCADE take care of that? Not that I'm defending this design, but this issue at least needn't be a problem.

  • (cs)

    dang. Thats horribly insecure. I do work on a huge MS Access / MySQL project. The passwords are also stored, in plain text, if I remember correctly, but its not a web application, except for one part of it, so its not a huge deal, that doesn't make the user sign in.

  • (cs)
    "Ohhh... umm... I guess you're right," was all the developer could muster. "But then we'd have to change every table to use a username as the foreign key, maybe even apply constraints on the server, and change the token each user carries throughout the application to be their username!" It was a major change, but Enrique insisted they do the work.

    Wow, nobody tell these people that they could use some other token to identify users... like, oh, I don't know, maybe they could associate each user with a unique positive integer or something? They could call it something like "identifier" or maybe just "id" for short.

    In fact, this is such a revolutionary concept, somebody'd better patent it!

  • Look at me! I'm on the internets! (unregistered) in reply to Sven
    Sven:
    "A lot of words ran through Enrique's head, most of which can't be printed here. His biggest concern, though, was "what if the user wants to change their password?" "

    Wouldn't ON UPDATE CASCADE take care of that? Not that I'm defending this design, but this issue at least needn't be a problem.

    FTFA: "Since referential integrity wasn't preserved, cascading updates were impossible..."

  • (cs) in reply to danlock2
    danlock2:
    dang. Thats horribly insecure. I do work on a huge MS Access / MySQL project. The passwords are also stored, in plain text, if I remember correctly, but its not a web application, except for one part of it, so its not a huge deal, that doesn't make the user sign in.

    Not a huge deal? This is the cascading WTF we all love to see on this site. You do realize that more and more theft of this information is happening from the inside right? Whenever you store uniquely identifying information and the credentials to access that information, this data should be encrypted. The credentials being encrypted in a one-way hash, the data in a two way encryption.

    If companies followed that we would have much less security WTF's to worry about.

  • dolo54 (unregistered) in reply to AbbydonKrafts
    AbbydonKrafts:
    He insisted that further development would come after Enrique's proposed changes to the system and that all proposed changes would require Enrique's approval before implementation.

    If only that happened in real life.

    It doesn't! APRIL FOOLS!

  • Aaron (unregistered)

    It makes me really happy to see situations where the boss isn't a retard and actually listens to the experts s/he hired.

    I think it still qualifies as a WTF, even if there is no PHB -- the developers were still ludicrously ludicrous.

  • Sven (unregistered) in reply to Look at me! I'm on the internets!
    Look at me! I'm on the internets!:
    Sven:
    "A lot of words ran through Enrique's head, most of which can't be printed here. His biggest concern, though, was "what if the user wants to change their password?" "

    Wouldn't ON UPDATE CASCADE take care of that? Not that I'm defending this design, but this issue at least needn't be a problem.

    FTFA: "Since referential integrity wasn't preserved, cascading updates were impossible..."

    Hmm, maybe I should read before I post *bows head in shame*
  • Trinian (unregistered)

    Whoa! An M. Night-style twist ending! Nice.

  • Jake Vinson (unregistered)

    Sorry, that ending was the first draft. Here is the final version.

    Enrique explained the situation, and unfortunately his boss was totally unreasonable, not having enough technical knowledge to understand the problem. He insisted that further development should continue and to disregard Enrique's proposed changes to the system and in fact Enrique would now be in charge of the network and backups. Furthermore, all proposed changes would require Enrique's disapproval before implementation.

  • (cs)

    Am I imagining this thread? No "fist!", no idiots posting their captchas, no "The real WTF is...", no lame wooden table jokes?

    Ahhhhhhh, if only every thread could be this sweet.

  • (cs) in reply to Zylon
    Zylon:
    Am I imagining this thread? No "fist!", no idiots posting their captchas, no "The real WTF is...", no lame wooden table jokes?

    Ahhhhhhh, if only every thread could be this sweet.

    The Real WTF is that I actually had the "Fist" post and to prove it I had a screen shot of my captcha printed out and taped to a wooden table. I took a photo of it to post but I'm waiting for the film to develop so I can scan it in.

    If you want to see it in the meantime, come right over.

  • TheD (unregistered) in reply to kmactane
    kmactane:
    "Ohhh... umm... I guess you're right," was all the developer could muster. "But then we'd have to change every table to use a username as the foreign key, maybe even apply constraints on the server, and change the token each user carries throughout the application to be their username!" It was a major change, but Enrique insisted they do the work.

    Wow, nobody tell these people that they could use some other token to identify users... like, oh, I don't know, maybe they could associate each user with a unique positive integer or something? They could call it something like "identifier" or maybe just "id" for short.

    In fact, this is such a revolutionary concept, somebody'd better patent it!

    But then they'd have to create some sort of script that would check the last inserted "id" and then add one to it. Hey, wouldn't it be great if it incremented automatically? Better add that to the patent request!

  • Dry Erase (unregistered) in reply to TheD
    TheD:
    kmactane:
    "Ohhh... umm... I guess you're right," was all the developer could muster. "But then we'd have to change every table to use a username as the foreign key, maybe even apply constraints on the server, and change the token each user carries throughout the application to be their username!" It was a major change, but Enrique insisted they do the work.

    Wow, nobody tell these people that they could use some other token to identify users... like, oh, I don't know, maybe they could associate each user with a unique positive integer or something? They could call it something like "identifier" or maybe just "id" for short.

    In fact, this is such a revolutionary concept, somebody'd better patent it!

    But then they'd have to create some sort of script that would check the last inserted "id" and then add one to it. Hey, wouldn't it be great if it incremented automatically? Better add that to the patent request!

    Why do that when the "solution" Enrique insisted upon is just as much as WTF as the one before it. Anyone who proposes non-unique, meaningful and changeable data for a primary/foreign key needs to go back to DBA school, or at least stop pretending to be a DBA.

    What happens if the user wants to change her login? Do'oh!

    How much slower is it to match a STRING than an mediumint? Another Do'oh!

  • Hit (unregistered)

    Holy shit.

    If I saw a schema like that, I'd probably run away screaming. This is a WTF in a class of its own.

  • schmitter (unregistered)

    I tried to register at the panasonic website, of course this is required to download device drivers. The required format for a user name required first inital last name or something like that. It would allow no variants and checked against what you had entered as your first name and last name fields. Having the last name of Smith meant that I was unable to create a username. I had to make up a completely fake name in order to register. So I believe this story.

  • AndrewB (unregistered) in reply to TheD
    TheD:
    But then they'd have to create some sort of script that would check the last inserted "id" and then add one to it. Hey, wouldn't it be great if it incremented automatically? Better add that to the patent request!
    But isn't there a bit of a problem with this? All database columns are supposed to be stored VARCHAR(100), right? So how the hell do you perform addition on a text field?

    Are you honestly suggesting that we should write functions to parse the id column into a number, and then increment? And then how the hell do we deal with the possibility of non-numeric data in the ID field?

    Absolutely retarded idea, dude.

  • (cs) in reply to Dry Erase
    Dry Erase:

    Why do that when the "solution" Enrique insisted upon is just as much as WTF as the one before it. Anyone who proposes non-unique, meaningful and changeable data for a primary/foreign key needs to go back to DBA school, or at least stop pretending to be a DBA.

    What happens if the user wants to change her login? Do'oh!

    How much slower is it to match a STRING than an mediumint? Another Do'oh!

    I'm with you on this one. So called natural keys are fine for the user, but internally the system should use meaningless keys to index and relate this data. I don't care if you want to use the autonumber or use GUID keys as long as they are totally disconnected from the data.

    Natural keys can be used for the Human side of things, to optimize indices you can create natural keys based off of birthdate + lastname if you want and allow the user to be able to enter this info. The problem here is that it will not always be unique so you return all matching records, the user picks one and sees the detail. How does the system know what detail to show? By it's internal meaningless guaranteed unique key which the user never has to interact directly with.

  • (cs)

    Wow, at least this one had a happy ending (or so it seems...). I half-expected it to go "Unfortunately, Enrique was let go later that week for insubordination."

  • (cs) in reply to KattMan
    KattMan:
    Zylon:
    Am I imagining this thread? No "fist!", no idiots posting their captchas, no "The real WTF is...", no lame wooden table jokes?

    Ahhhhhhh, if only every thread could be this sweet.

    The Real WTF is that I actually had the "Fist" post and to prove it I had a screen shot of my captcha printed out and taped to a wooden table. I took a photo of it to post but I'm waiting for the film to develop so I can scan it in.

    If you want to see it in the meantime, come right over.

    Niiiiice!

  • (cs) in reply to snoofle
    A lot of words ran through Enrique's head, most of which can't be printed here.
    .

    WTF kind of words can't be printed here ??? I wish to be enlightened; can you print a few?

  • DugzCode (unregistered) in reply to dolo54
    dolo54:
    AbbydonKrafts:
    He insisted that further development would come after Enrique's proposed changes to the system and that all proposed changes would require Enrique's approval before implementation.

    If only that happened in real life.

    It doesn't! APRIL FOOLS!

    You guys work for the wrong guys. Mine listens every day... and has even loaned his Saab to me when my car was in the shop for a week... but we don't hire idiots who would create a bad situation like the one mentioned in the story, so we would never have a begining (let alone an ending) like this.

    Too bad for "Enrique" that he didn't get a job at a decent company.

  • Sam Thornton (unregistered)

    Good God! A company with a technically literate manager? They must be out of business by now.

    In case they're not, email me the name, quick like a bunny.

  • Sgt. Preston (unregistered) in reply to Zylon
    Zylon:
    Am I imagining this thread? No "fist!", no idiots posting their captchas, no "The real WTF is...", no lame wooden table jokes?

    Ahhhhhhh, if only every thread could be this sweet.

    Must have been a VB application.

  • (cs) in reply to AndrewB
    AndrewB:
    TheD:
    But then they'd have to create some sort of script that would check the last inserted "id" and then add one to it. Hey, wouldn't it be great if it incremented automatically? Better add that to the patent request!
    But isn't there a bit of a problem with this? All database columns are supposed to be stored VARCHAR(100), right? So how the hell do you perform addition on a text field?

    Are you honestly suggesting that we should write functions to parse the id column into a number, and then increment? And then how the hell do we deal with the possibility of non-numeric data in the ID field?

    Absolutely retarded idea, dude.

    Simple! Just use objects in your application that support serialization, then store the serialized objects in the VARCHAR(100) fields. Then all we have to do is pull all these "id"s, unserialize them, find the largest, add one to it, serialize the result, and use it as the new "id"! It's almost too easy...

  • Phat Wednesday (unregistered)

    We have vendor software that stores user passwords plaintext in an unencrypted MSAccess database. To make this even more fun, in order for people's work to be shared, this database has to be in a shared network location -- which of course means that everyone can browse all of the user passwords (and the admin password) if they have Access (which they do).

    This is the same company that named a set of hierarchical tables 1,2,3,4,5 & 6 where 1 has 1..n 2s and 2 has 1..n 3s. Of course, 5 and 6 are many to many with no xref.

    How did I learn this? Their own support staff couldn't figure out why we were duplicate posting some transactions and (as it turns out) I'm a masochist. This is also how I learned that no good deed goes unpunished.

  • (cs)

    Dupe.

    I can't believe I'm the only one who saw this one here before.

  • A very, very angry man (unregistered) in reply to AbbydonKrafts
    AbbydonKrafts:
    He insisted that further development would come after Enrique's proposed changes to the system and that all proposed changes would require Enrique's approval before implementation.

    If only that happened in real life.

    To everyone who cannot believe that such a thing could really happen: your idiot boss is your own damned fault! If you work for an incompetent boss, leave. There are plenty of jobs out there, so if you cannot find one, it is not the job market that doesn't measure up.

    Somehow a rumor was started that all software managers (and all customers, and all salespeople, and just about everyone else) are drooling morons and we IT drones just have to put up with it because there are not other options. Listen carefully: That is a lie. The people with idiot bosses are understandably the most vocal, but somehow people of questionable intellect themselves have decided that they must be a representative cross section of IT. I am afraid that just isn't the case. There are plenty of companies that treat the technical staff with respect, pay them well, and give them the authority and autonomy to do their jobs well. Unfortunately for many, they also tend to hold the technical staff accountable for the choices they make, so a design like the one described in the article would get you fired or reassigned to toilet brush duty. Isn't funny that this site is filled with bad code, bass ackwards designs, and blood curdling abuses of innocent technology, but somehow it is always a PHB's fault.

    If your boss is a dolt, get a new job. If the only people who will hire you are dolts, ask yourself why that might be.

  • (cs) in reply to Hacky
    Hacky:
    meh, what a boring ending....

    :-p

    Maybe that's why we repeat the bad mistakes - they're more amusing (and thus memorable) than the happy endings. :)

  • Fabio (unregistered)

    I think the old VAX from Digital had a problem similar to this. If another user had the same password, the system won't let you use it.

  • (cs) in reply to AbbydonKrafts
    AbbydonKrafts:
    He insisted that further development would come after Enrique's proposed changes to the system and that all proposed changes would require Enrique's approval before implementation.

    If only that happened in real life.

    Yeah, this part that made me say "WTF?"

  • Name (unregistered)
    Enrique explained the situation, and fortunately his boss was not only reasonable, but had enough technical knowledge to understand the problem.

    This is worse than failure how exactly?

  • (cs) in reply to A very, very angry man
    A very:
    To everyone who cannot believe that such a thing could really happen: your idiot boss is your own damned fault! If you work for an incompetent boss, leave. There are plenty of jobs out there, so if you cannot find one, it is not the job market that doesn't measure up.

    Somehow a rumor was started that all software managers (and all customers, and all salespeople, and just about everyone else) are drooling morons and we IT drones just have to put up with it because there are not other options. Listen carefully: That is a lie. The people with idiot bosses are understandably the most vocal, but somehow people of questionable intellect themselves have decided that they must be a representative cross section of IT. I am afraid that just isn't the case. There are plenty of companies that treat the technical staff with respect, pay them well, and give them the authority and autonomy to do their jobs well. Unfortunately for many, they also tend to hold the technical staff accountable for the choices they make, so a design like the one described in the article would get you fired or reassigned to toilet brush duty. Isn't funny that this site is filled with bad code, bass ackwards designs, and blood curdling abuses of innocent technology, but somehow it is always a PHB's fault.

    If your boss is a dolt, get a new job. If the only people who will hire you are dolts, ask yourself why that might be.

    When you come back to reality, please let us know.

    I have been in this business for nearly twenty years now and I can say that the understanding of analytical process is lacking in the upper echelon of many companies, that is not the problem. The problem is that they tend to refuse to listen to those they hired or allow them to make the appropriate decisions.

    The reason is two fold. First, they do not want to give up their own power, if they do they make themselves worthless in their own eyes when in truth it should show their worth by hiring the right people for the job. Second, when we do screw up, it is big, it costs a lot of money, and the risks are high, risk management states that you leave that responsibility in the hands of the execs.

    Now before you start saying I am not worth it let me explain. I have worked for two companies where the higher powers gave this type of power to the development teams. Things went well, very well. I stayed there for many years and even after the company got sold (which inevitably happens) I was able to consult back with them many times. So why do I stay at jobs with a lesser standard? It is because they are the norm, they are the ones that make most of us the money. Jumping ship due to bad management is an option and one I have taken in the past but then when you try for that good job they see a series of shorter term employments and begin to wonder if you will stay for the long haul.

    Due to this, you have to remain at the current place, keeping that place working and never really able to make a difference. The model appears to work by the higher execs because they don't see the details, nor should they. So before you say that someone can only get hired by places like this due to their own faults you need to remember, there are other factors involved.

    You may be lucky to have found a good shop that isn't to bogged down with the "big company attitude" and have remained there for some time. Eventually this will come to an end either by a change above you or by a simply life changing event in your own life. When that time happens I wish you the best.

  • (cs)

    I bought the whole thing EXCEPT the last paragraph.

  • (cs)

    hmm. A happy ending? on a WTF? riggghhhhttttt....

  • James (unregistered)

    I think you guys are reacting to the "boring" ending wrong: the guy goes and reports the problems of a horrific program architecture, and his "reward" is that he is (for all intents and purposes) put in charge of it. I can't remember how it is supposed to be worded exactly, but there's an old maxim that I live by:

    Those who solve problems well will be rewarded with more of them.

    That is, if you fix one problem, when they see how good you are at it, they'll ask you to fix the whole system. I doubt Enrique wanted to be saddled with getting this system up to code. I'm not saying you should keep your mouth shut, but you've got to be sure there's somebody else to fob the grunt work off on ;-)

  • (cs) in reply to KattMan
    KattMan:
    The reason is two fold. First, they do not want to give up their own power, if they do they make themselves worthless in their own eyes when in truth it should show their worth by hiring the right people for the job. Second, when we do screw up, it is big, it costs a lot of money, and the risks are high, risk management states that you leave that responsibility in the hands of the execs.

    Thank you for clarifying it for them. That's exactly the position our company is in. When we were a privately-held "mom & pop" shop, I was able to gain power quickly. Whatever I said pretty much went. I was almost free to do whatever I wanted. However, once we merged with a multi-national conglomerate (we were the mergee and are now the lesser of the two), the head of Engineering (the one over the supervisors) has the only say so (you can't debate with this guy). I told my therapist what the head's MO is, and he told me that he's basically exerting his power and that's it.. that it would be just as effective, but less intrusive, for him to send an e-mail twice a day that says "My name is Bob, and I'm the boss."

    And ditto on the job-hopping thing. My supervisor lets me look over resumes. For one of them, she even commented that "this guy can't seem to hold a job"

  • (cs) in reply to James
    James:
    I think you guys are reacting to the "boring" ending wrong: the guy goes and reports the problems of a horrific program architecture, and his "reward" is that he is (for all intents and purposes) *put in charge of it*. I can't remember how it is supposed to be worded exactly, but there's an old maxim that I live by:

    Those who solve problems well will be rewarded with more of them.

    That is, if you fix one problem, when they see how good you are at it, they'll ask you to fix the whole system. I doubt Enrique wanted to be saddled with getting this system up to code. I'm not saying you should keep your mouth shut, but you've got to be sure there's somebody else to fob the grunt work off on ;-)

    I've been begging the uppers to let me fix some of the WTF stuff around here, but they won't let me. I find it a fun challenge over this small, but insanely irritating, stuff that I've been doing recently. Alas, I get told that I have "more important things to do". Time saved in support obviously doesn't count as "important".

  • Enrique (unregistered)

    Hello everyone. I'm the guy from the story... the real Enrique.

    I'd like to add some info to solve several doubts from other posts:

    No, this is not an April fools. Unfortunately, it really happened. To me. The "happy" ending included.

    I'm an application developer, not a DBA. I was asked to review the application, and while reviewing I noticed some funny stuff going on in the registration page, which led me to review the database design and found this stuff. Maybe it's better to use sequences instead of usernames as the primary key for users, but anyway, letting the user change their login wasn't a priority for me when I saw that the password was being used as key.

    It was a WebObjects application, written in Objective-C, so it's even more of a WTF if you consider that we were using EOF, one of the first object-relational mappers. The EOModel had to be changed as well, not just the database foreign keys. That's why the devs were whining so much.

    My boss listened to me because he had been a developer at some point. I had studied the same career as he did, but I liked more being on the technical side of things and he liked more the business side (it was his company at the time). The company almost went under a couple of times until it was sold to another company and became a large consulting firm in Mexico.

    The WTF of this story happened in 1997; those people left that same year, but I stayed and worked there until it was sold; then I worked at the new firm until early 2004 when I left for a better job after they finally decided to abandon all NeXT/OSX stuff and become an MS shop and by that time the boss of the story had become more and more PHB so there was no point in staying there.

    I think those were the main doubts I saw. If I see any more I might come back and write a little more about it.

  • sol (unregistered)

    WTF this could not be a real boss...

  • A very, very angry man (unregistered) in reply to KattMan
    KattMan:
    A very:
    To everyone who cannot believe that such a thing could really happen: your idiot boss is your own damned fault! If you work for an incompetent boss, leave. There are plenty of jobs out there, so if you cannot find one, it is not the job market that doesn't measure up.

    Somehow a rumor was started that all software managers (and all customers, and all salespeople, and just about everyone else) are drooling morons and we IT drones just have to put up with it because there are not other options. Listen carefully: That is a lie. The people with idiot bosses are understandably the most vocal, but somehow people of questionable intellect themselves have decided that they must be a representative cross section of IT. I am afraid that just isn't the case. There are plenty of companies that treat the technical staff with respect, pay them well, and give them the authority and autonomy to do their jobs well. Unfortunately for many, they also tend to hold the technical staff accountable for the choices they make, so a design like the one described in the article would get you fired or reassigned to toilet brush duty. Isn't funny that this site is filled with bad code, bass ackwards designs, and blood curdling abuses of innocent technology, but somehow it is always a PHB's fault.

    If your boss is a dolt, get a new job. If the only people who will hire you are dolts, ask yourself why that might be.

    When you come back to reality, please let us know.

    I have been in this business for nearly twenty years now and I can say that the understanding of analytical process is lacking in the upper echelon of many companies, that is not the problem. The problem is that they tend to refuse to listen to those they hired or allow them to make the appropriate decisions.

    I may be a young 'un with only fifteen years in the field in four companies (two consultancies, so I saw a number of others), but I am as real as you will find.

    In those fifteen years, I have come to the conclusion that techies are disrespected to exactly extent that they allow themselves to be disrespected. Other professions don't allow this. For example, my sister is a lawyer a large multinational bank. You will not find an organization more stratified and status-driven than a bank. The executives there are no happier "giving up their power" than in other companies. However, when she advises them on a legal issue, they listen. They don't berate her for getting in the way and not being a team player. They may not like her advice, but they accept that they hired her to be the legal expert and listen. If they treated the legal staff (or the accountants or the risk analysts or even the tellers) as poorly as many people here believe is par for the course for IT, they would be "exercising their power" in an empty room as the bank went down the tubes. Sure, I have had customers who did not like what I had to say, but I would just remind them that they hired me to be the technical expert. If they want a different answer, they are free to find someone who will give it to them but that does not change the reality. Amazingly, they did not berate me for taking their power. Instead, they paid me even more to help them solve the problem.

    We have specialized knowledge and skills that are absolutely necessary for running any business in the 21st century. Working for an idiot is not they way it has to be.

  • rdez (unregistered)

    If the design was so poor, i wouldn't be surprised if SQL injection was a larger concern..

  • Enrique (unregistered) in reply to rdez

    EOF (an object-relational mapper) was being used so no custom SQL statements were being coded, so it wasn't a problem.

Leave a comment on “Really Unique Passwords”

Log In or post as a guest

Replying to comment #:

« Return to Article