• Morgan (unregistered) in reply to bstorer
    bstorer:
    AndrewB:
    TheD:
    But then they'd have to create some sort of script that would check the last inserted "id" and then add one to it. Hey, wouldn't it be great if it incremented automatically? Better add that to the patent request!
    But isn't there a bit of a problem with this? All database columns are supposed to be stored VARCHAR(100), right? So how the hell do you perform addition on a text field?

    Are you honestly suggesting that we should write functions to parse the id column into a number, and then increment? And then how the hell do we deal with the possibility of non-numeric data in the ID field?

    Absolutely retarded idea, dude.

    Simple! Just use objects in your application that support serialization, then store the serialized objects in the VARCHAR(100) fields. Then all we have to do is pull all these "id"s, unserialize them, find the largest, add one to it, serialize the result, and use it as the new "id"! It's almost too easy...

    Oh man. You're probably joking, but I actually took over responsibility for a system that was even worse than that. Let's just say that the fields were TEXT instead of VARCHAR(100) and the guy who developed it wasn't serializing objects, per se; he decided that he didn't really like the whole relational part of relational databases.

    It was pretty unbelievable. I'll have to submit it sometime.

  • Lockejaw (unregistered) in reply to A very, very angry man
    A very:
    For example, my sister is a lawyer at a large multinational bank. You will not find an organization more stratified and status-driven than a bank. The executives there are no happier "giving up their power" than in other companies. However, when she advises them on a legal issue, they listen. They don't berate her for getting in the way and not being a team player. They may not like her advice, but they accept that they hired her to be the legal expert and listen.
    How many managers really understand legal issues and how important they are? All managers with business or legal degrees, along with some others. How many managers really understand technical issues and how important they are? All managers with tech or engineering degrees, along with some others. Which category has more?
  • A very, very angry man (unregistered) in reply to Lockejaw
    Lockejaw:
    A very:
    For example, my sister is a lawyer at a large multinational bank. You will not find an organization more stratified and status-driven than a bank. The executives there are no happier "giving up their power" than in other companies. However, when she advises them on a legal issue, they listen. They don't berate her for getting in the way and not being a team player. They may not like her advice, but they accept that they hired her to be the legal expert and listen.
    How many managers really understand legal issues and how important they are? All managers with business or legal degrees, along with some others. How many managers really understand technical issues and how important they are? All managers with tech or engineering degrees, along with some others. Which category has more?

    So your claim is that the executives defer to the legal experts on legal decisions because they themselves understand law, but they want to make the technical decisions themselves because they don't understand technology.

    And the companies that do treat the technical staff with respect can't exist because... Ah, to hell with it. You are right. We all deserve to be mistreated and should just put up with it. If your boss is an idiot, stay there and complain because it could not possibly be any better elsewhere.

  • Jon (unregistered)

    "Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes."

    http://geekz.co.uk/schneierfacts/fact/27

    Captcha: tacos (now I know what I'm having for dinner)

  • AndrewB (unregistered) in reply to Morgan
    Morgan:
    Oh man. You're probably joking, but I actually took over responsibility for a system that was even worse than that. Let's just say that the fields were TEXT instead of VARCHAR(100) and the guy who developed it wasn't serializing objects, per se; he decided that he didn't really like the whole relational part of relational databases.

    It was pretty unbelievable. I'll have to submit it sometime.

    Well... I wish that I found this unbelievable, because...

    I'm currently in charge of a .NET project that uses an Access database with 7 tables and about 30 columns that are nothing but TEXT fields (except for the ones that I added) and no relationships whatsoever.

    My predecessor's rationale? "I didn't see any reason to go to that extra level of complexity."

    Needless to say, I've spent the majority of my time employed here solving lurking, popping-up problems rather than working on new features.

  • SomeCoder (unregistered) in reply to A very, very angry man
    A very:

    And the companies that do treat the technical staff with respect can't exist because... Ah, to hell with it. You are right. We all deserve to be mistreated and should just put up with it. If your boss is an idiot, stay there and complain because it could not possibly be any better elsewhere.

    There are more reasons than just "you're an idiot and can't get a job elsewhere" that people put up with dumbass bosses. I think that simply blanketing the entire IT profession and saying that everyone who has a PHB deserves it is VERY short sighted.

    Your opinion of those who have the PHB deserve it is probably a correct one in a small percentage of cases but I would definitely not say it's the norm.

    I continue to work for a PHB, not because I couldn't get a job elsewhere with a better boss (I've been offered several), but because all the perks and benefits I get are fantastic and currently outweigh my PHB. That doesn't mean I won't complain about him, but it's why I continue to stay.

    Obviously there are additional reasons I won't get in to here, but this is a good example of why your logic doesn't apply to the entire IT industry.

  • Lockejaw (unregistered) in reply to A very, very angry man
    A very:
    So your claim is that the executives defer to the legal experts on legal decisions because they themselves understand law, but they want to make the technical decisions themselves because they don't understand technology.
    The execs know enough about law to be well aware of what they don't know. They don't know as much about technology, and they are less likely to realize that some conclusion reached through speculation is just wrong. This is known as "knowing enough to be dangerous." To a non-technical person, "automatically check programs for infinite loops" sounds like a low- to medium-difficulty task.
    A very:
    And the companies that do treat the technical staff with respect can't exist because...
    I'm curious as to how you read that into my comment.
  • A very, very angry man (unregistered) in reply to SomeCoder

    SomeCoder:
    There are more reasons than just "you're an idiot and can't get a job elsewhere" that people put up with dumbass bosses. I think that simply blanketing the entire IT profession and saying that everyone who has a PHB deserves it is VERY short sighted.

    You are absolutely right. It was not fair of me, and there are many reasons for putting up with a bad boss. Where I took exception was that so many people claimed that it could be no other way in the industry today.

    If you look back through the comments on this article, you will see several comments that the boss listening to Enrique's concerns and holding up development to fix them was unrealistic and that any company that did listen to the technical staff would go out of business. Frankly, that annoys me because it holds back our entire profession.

    It also annoys me that some (but certainly not all) techies make no effort to understand why the boss makes certain...questionable decisions and instead just assumes that management must be a bunch of monkeys. Seeing their motivations makes it much easier to figure out how to point them in the right direction and whether it is worth doing so.

  • (cs) in reply to A very, very angry man
    A very:
    I may be a young 'un with only fifteen years in the field in four companies (two consultancies, so I saw a number of others), but I am as real as you will find.

    In those fifteen years, I have come to the conclusion that techies are disrespected to exactly the extent that they allow themselves to be disrespected. Other professions don't allow this. For example, my sister is a lawyer at a large multinational bank. You will not find an organization more stratified and status-driven than a bank. The executives there are no happier "giving up their power" than in other companies. However, when she advises them on a legal issue, they listen. They don't berate her for getting in the way and not being a team player. They may not like her advice, but they accept that they hired her to be the legal expert and listen. If they treated the legal staff (or the accountants or the risk analysts or even the tellers) as poorly as many people here believe is par for the course for IT, they would be "exercising their power" in an empty room as the bank went down the tubes. Sure, I have had customers who did not like what I had to say, but I would just remind them that they hired me to be the technical expert. If they want a different answer, they are free to find someone who will give it to them but that does not change the reality. Amazingly, they did not berate me for taking their power. Instead, they paid me even more to help them solve the problem.

    We have specialized knowledge and skills that are absolutely necessary for running any business in the 21st century. Working for an idiot is not the way it has to be.

    I think you have missed the point: there really aren't lots of better programming jobs out there. There are actually very few where this treatment doesn't exist.

    A legal advisor, in contrast, is much more likely to find an environment where legal advisors' expertise is highly respected.

    The prevailing impression of practicing lawyers is that they have gone through a lot of schooling and work. The prevailing impression of programmers is that any idiot could throw together a program (because, apparently, all software is equal regardless of quality).

    If you've been around, you know technically competent managers exist in microscopic proportions.

  • htg (unregistered) in reply to TheD
    TheD:

    But then they'd have to create some sort of script that would check the last inserted "id" and then add one to it. Hey, wouldn't it be great if it incremented automatically? Better add that to the patent request!

    Oh don't talk to me about such craaazy things. Just this year I've had to integrate with another company's database that didn't have primary keys / auto increment IDs, but application assigned IDs, on all the tables. Then again that database schema was so full of WTFs, but they were a Bangalore based company doing contract work and thus they didn't give a damn or have any sense of professionalism. Their documentation for the system was written on demand as we requested it. Clear text passwords throughout. Zero scalability (their system broke when having to handle anything slightly out of the original spec they were given, and their main client actually had cases outside that spec).

    It was a shame to see our scalable system have to integrate with such a crapfest.

  • Frustrated with our architecture (unregistered) in reply to bstorer
    bstorer:
    Simple! Just use objects in your application that support serialization, then store the serialized objects in the VARCHAR(100) fields. Then all we have to do is pull all these "id"s, unserialize them, find the largest, add one to it, serialize the result, and use it as the new "id"! It's almost too easy...

    That's pretty close to what we do. Except we use the XML datatype in SQL Server 2005.

  • AnonCoder (unregistered) in reply to KattMan
    KattMan:
    The problem is that they tend to refuse to listen to those they hired or allow them to make the appropriate decisions.
    In my experience this stops happening after the second time you're proven right. For one of three reasons: Your boss gets smart (less stupid) and realises it's in his interest to listen to you. Or your boss is canned. Or you realise that neither of the previous will happen and you move on.

    I take your point about having many short jobs on a CV but personally my attitude is that I'd rather not work for the company where PHBs can exist or the one that disregards candidates based on assumptions about their career history. There are always other jobs, my sanity is too precious.

    KattMan:
    The reason is two fold. First, they do not want to give up their own power, if they do they make themselves worthless in their own eyes when in truth it should show their worth by hiring the right people for the job.
    I've only ever encountered managers like this in the largest of companies and generally they are rare, and stick out like a sore thumb because their entire department has stopped giving a toss.

    They are usually the first ones stuck on gardening leave when the new overlord is appointed in the bi-annual re-organisations these big firms like to have.

    The only time I've ever seen a manager like this exist for any serious length of time is in a small->medium business when the owner has even less of a clue than the PHB, and that's not a place I want to work either!

    KattMan:
    Second, when we do screw up, it is big, it costs a lot of money, and the risks are high, risk management states that you leave that responsibility in the hands of the execs.
    Never seen a technical screw up more expensive than a management one, just that the management ones for some strange reason don't get highlighted quite as much.

    And risk management states nothing of the sort, in fact you can't do any sort of risk management until you've identified and assessed the risks and any business that takes it seriously that assessment comes from the people who know.

    Most PHBs will be only too happy to take a techie's risk assessment on board because they look at it like a big can of CYA. The most likely pitfall is that they'll do this and then forget to carry out the mitigating/reduction steps and it'll be your fault. Or they'll pick a strategy that is worse than the problem.

  • (cs)

    Sounds just like the system my workplace uses to store asset, financial and customer information. It only asks for a password to log in, no usernames. Wouldn't take a rocket scientist to sit there and try "cat", "dog", etc until they got in, especially given the 8 char limit it has. From what I've seen, most people use either their name, a family member's name, or a phone number.

  • Opie (unregistered) in reply to AndrewB
    AndrewB:
    I'm currently in charge of a .NET project that uses an Access database with 7 tables and about 30 columns that are nothing but TEXT fields (except for the ones that I added) and no relationships whatsoever.

    There's a big difference between the Access TEXT type and the MSSQL Text type... The Access TEXT type is exactly like the VARCHAR(n) type in SQL.

  • (cs)

    Based on the last few lines of this story, I now know that it is a fairy tale...with a happy ending like that, what else could it be? I was glad though, because this one actually made me say WTF? and I shivered a little too.

  • (cs) in reply to ObiWayneKenobi
    ObiWayneKenobi:
    Wow, at least this one had a happy ending (or so it seems...). I half-expected it to go "Unfortunately, Enrique was let go later that week for insubordination."
    ...and, as expected, the company lasted three more months before going tits up.
  • James (unregistered) in reply to Lockejaw

    Brings to mind one of my favourite quotes: "It is the tragedy of the world that no one knows what he doesn't know; and the less a man knows, the more sure he is that he knows everything" -Joyce Cary (1888-1957)

  • noobman (unregistered) in reply to AbbydonKrafts
    AbbydonKrafts:
    He insisted that further development would come after Enrique's proposed changes to the system and that all proposed changes would require Enrique's approval before implementation.

    If only that happened in real life.

    Yes, I think this was planned as an April 1st post.

    ;)

  • Watson (unregistered) in reply to AnonCoder
    AnonCoder:
    Never seen a technical screw up more expensive than a management one, just that the management ones for some strange reason don't get highlighted quite as much.
    Now I'm wondering if there is a site analogous to this one for management/executive WTFailures. Outside the corporate collapse post mortems you see in the business sections of daily newspapers, of course.
  • (cs)

    The bit that made me laugh out loud was

    asked about referential integrity ... "Oh, we had that problem the first time, so we removed all of the foreign key constraints in the database and it works now."
    I am amazed by the mentality of people who make bugs go away by deleting all the assertions or disabling all those irritating warning messages. As when Homer Simpson put a piece of black tape over the light in his car that told him something was wrong with the engine, and told Lisa not to worry as it was fixed.
  • (cs)

    Nice one, saving the real WTF to the last part! I've heard too many stories about stupid storage/processing of passwords on this site before to be too surprised, scarily ... but never before has a WTF ended with the boss agreeing to get the problem sorted!

  • totolamoto (unregistered)

    I am amazed by the mentality of people who make bugs go away by deleting all the assertions or disabling all those irritating warning messages. As when Homer Simpson put a piece of black tape over the light in his car that told him something was wrong with the engine, and told Lisa not to worry as it was fixed.

    Funny, that is exactly how modern medicine works.

    • You have high blood pressure, take a pill to force it down, but don't look where it came from.
    • You have high cholesterol, take a statin pill to inhibit its synthesis in the liver, but don't look at what causes the elevation in the first place. etc.

    Don't believe me? Read following sites: http://www.cholesterol-and-health.com/Whats-New.html http://www.thincs.org/ http://www.thegreatcholesterolcon.com/ http://weightoftheevidence.blogspot.com/ http://www.proteinpower.com/drmike/ and many more

  • (cs) in reply to A very, very angry man
    A very:
    Lockejaw:
    How many managers really understand legal issues and how important they are? All managers with business or legal degrees, along with some others. How many managers really understand technical issues and how important they are? All managers with tech or engineering degrees, along with some others. Which category has more?

    So your claim is that the executives defer to the legal experts on legal decisions because they themselves understand law, but they want to make the technical decisions themselves because they don't understand technology.

    And the companies that do treat the technical staff with respect can't exist because... Ah, to hell with it. You are right. We all deserve to be mistreated and should just put up with it. If your boss is an idiot, stay there and complain because it could not possibly be any better elsewhere.

    No, you misunderstand; he is claiming the exact opposite. Most managers and execs do NOT understand the law, and they know they don't. They think they understand technology because, after all, they run a PC at home and high school kids are writing programs, so how hard can it be? You won't find a 14 year old practicing law, would you? You will find one writing cool applications.

    Yes we as techs do not receive the proper respect, but that is part of the field, I deal with it. Until there is a more measurable form of certification it will remain that way. The problem is that enforcing that certification will simply force more off-shoring to places that do not require it for the savings in revenue. Remember, even though we are the manufacturers of the product or service sold we are considered an expense, not an asset.

  • Yazeran (unregistered) in reply to totolamoto
    totolamoto:
    I am amazed by the mentality of people who make bugs go away by deleting all the assertions or disabling all those irritating warning messages. As when Homer Simpson put a piece of black tape over the light in his car that told him something was wrong with the engine, and told Lisa not to worry as it was fixed.

    Funny, that is exactly how modern medicine works.

    • You have high blood pressure, take a pill to force it down, but don't look where it came from.
    • You have high cholesterol, take a statin pill to inhibit its synthesis in the liver, but don't look at what causes the elevation in the first place. etc.
    Well I guess it's because it's unpopular in the US (or elsewhere) to require people to 1) Exercise daily (OUTSIDE) 2) Skip any Mc'D or other junk food and cook their own food (using almost no fat, low meat, high fibres etc) 3) Sell their car and buy a bicycle instead (makes you very unpopular with Halliburton etc). 4) Reduce alcohol intake. 5) Stop smoking! (pisses off the tobacco industry bigtime) 6) Stop eating snacks and candy. If people followed the above rules, a large part of the 'life-style' illnesses would disappear.

    Yours Yazeran.

    Plan: To go to Mars one day with a hammer (likely I have to with this message on the public record.. :-)

  • Xpovos (unregistered)

    The real WTF is that the boss got it.

  • (cs) in reply to totolamoto
    MET:
    ...as when Homer Simpson put a piece of black tape over the light in his car that told him something was wrong with the engine, and told Lisa not to worry as it was fixed.
    I have similar, but only because it would cost too much to rip out the entire dashboard just to fix the passenger airbag which, if the accident was severe enough to make it necessary to deploy (after getting through the entire-front-of-car-is-a-crumple-zone), wouldn't make the slightest bit of difference anyway.

    IT gets short shrift (especially for Web projects) simply because PHBs think that it is as easy to make / fix as it is easy for them to use. They haven't the slightest notion that you're probably using at least 3 different languages just to present them with a pretty box of current news items on a page as all they do is click on what appears to be plain text. And they don't care, either.

  • (cs)

    Couple of weird things...

    1. They say "first we check if the password is in use, then we run sp_update_passwords"... so sp_update_passwords doesn't check first to see if the "new password" is already in use? WOW!

    2. If the manager is so technically adept, how in the world did this get built in the first place?

  • totolamoto (unregistered) in reply to Yazeran
    Yazeran:
    Well I guess it's because it's unpopular in the US (or elsewhere) to require people to 1) Exercise daily (OUTSIDE) 2) Skip any Mc'D or other junk food and cook their own food (using almost no fat, low meat, high fibres etc) 3) Sell their car and buy a bicycle instead (makes you very unpopular with Halliburton etc). 4) Reduce alcohol intake. 5) Stop smoking! (pisses off the tobacco industry bigtime) 6) Stop eating snacks and candy. If people followed the above rules, a large part of the 'life-style' illnesses would disappear.

    Agreed, except for the using almost no fat, low meat, high fibres etc part. Dietary fat, especially saturated fat, is not bad (trans-fats and polyunsaturated are bad), animal protein has been the basis of our regimen since paleolithic times (the start of agriculture was the curse), and about high fiber read what Dr. Eades had to say at http://www.proteinpower.com/drmike/?p=274

  • sgtrock (unregistered)

    I've got nearly 30 years experience in IT, going back to a 6 year stint in the US Navy as an electronic tech. Over that time I've had a variety of bosses. By far the worst from a geek's perspective were in the military; thieves, drunks, and simple incompetents. It's why I got out. I figured if I was going to be asked to risk my life for my country, I'd much rather have a boss that I could trust to spend it well. Kinda puts a different spin on what makes a true PHB, eh? :)

    Anyhow, I would argue that most techies who can't stand their bosses probably get what they deserve. It's not because the geeks are incompetent, it's because they never learned to communicate in terms that their bosses could understand.

    As a civilian I've had a wide variety of bosses. By and large, I was allowed to do what I wanted/needed to get the job done. Why? Because I took enough business courses while I was on active duty to understand how to structure my arguments in ways that made it clear why things needed to be done.

    My first such success was convincing my CEO and CIO to spend several million dollars on a complete network overhaul. This was a big deal for a company with about 1,200 employees at the time. We migrated from direct serial links to the backs of PDP-11s and Unix boxes hauled over dedicated circuits to a multi-protocol network supporting TCP/IP, bridged LAT, AppleTalk, and Netware. It still ran over dedicated circuits, but at least we didn't have to run dedicated serial channels. The entire network supported 25 sites in three countries. The entire thing was designed, installed, maintained, and managed by just two of us. The initial concept and the base design were mine, though.

    This was back in the '80s when nearly everyone was doing multi-protocol nets. I migrated the whole thing to just IP over frame relay once I persuaded all the various sysadmins to drop their desire to remain completely native.

    I was able to accomplish this even though I had no paper credibility. Even though I've spent my entire career as a geek, my most advanced formal degree is only an A.A. in Business Management.

    I'm currently an enterprise architect at a company with 50,000+ employees. I can't say that I've pushed bits around in quite some time. OTOH, I can safely say that I got to where I am because I've always been able to sell my concepts to my peers, my management, and my end users. Knowing how to shape your message for your audience is not just a platitude, it's critical to doing your job as a tech.

  • Franz Kafka (unregistered) in reply to Watson
    Watson:
    AnonCoder:
    Never seen a technical screw up more expensive than a management one, just that the management ones for some strange reason don't get highlighted quite as much.
    Now I'm wondering if there is a site analogous to this one for management/executive WTFailures. Outside the corporate collapse post mortems you see in the business sections of daily newspapers, of course.

    Fucked Company did that for a while. I'm not sure if they ran out of steam or what - there was a lot of grist for that mill during the dotcom bubble.

    AnonCoder:
    Most PHBs will be only to happy to take a techie's risk assessment on board because they look at it like a big can of CYA. The most likely pitfall is that they'll do this and then forget to carry out the mitigating /reduction steps and it'll be your fault. Or they'll pick a strategy that is worse than the problem.

    It's still not the tech's fault - the PHB was informed of the risks. If he chooses to ignore them, then it's his fault. This is what offsite backups are for.

  • Andrew (unregistered)

    I find it amazing that they don't use an integer sequence to set the USER_ID. Sure, declare USERNAME & PASSWORD as UNIQUE NOT NULL, but use integer keys!

    That provides many security & performance features. It can be the PRIMARY KEY & FOREIGN KEY. It hides the USERNAME & PASSWORD, since it is the KEY passed through the application. Integer keys also are more easily indexed than char-strings (...WHERE USER_ID = ? is a common query).

    Database designs often have WTF built-in.
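The contrast Andrew draws, as an added example that is not code from the thread or from the system in the story: the story's design, where the password column itself is the key other tables point at, beside a surrogate integer key with a unique username and a salted hash. Table and column names are assumed, the sample accounts are constructed, and SQLite stands in for whatever database the story used.

```python
"""Password-as-key schema (as in the story) versus a surrogate integer key.
Added illustration; table and column names are assumed, not the story's."""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts: alice and bob happen to pick the same password.
SAMPLE_USERS = [("alice", "tacos"), ("bob", "tacos"), ("carol", "hunter2")]


# --- the story's design: the password column is the primary key ---------

def open_password_keyed_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")
    con.execute("CREATE TABLE users (password TEXT PRIMARY KEY, username TEXT NOT NULL)")
    # Child rows point at the password itself (the "foreign key" in the story).
    con.execute("CREATE TABLE orders (order_id INTEGER PRIMARY KEY, "
                "password TEXT NOT NULL REFERENCES users(password))")
    return con


def register_password_keyed(con, username, password) -> bool:
    # The PRIMARY KEY constraint is what actually rejects a password already in
    # use; a separate "check first, then insert" step would still race.
    try:
        con.execute("INSERT INTO users VALUES (?, ?)", (password, username))
        return True
    except sqlite3.IntegrityError:
        return False


def change_password_password_keyed(con, old_password, new_password) -> bool:
    # Rewriting the key breaks every child row unless ON UPDATE CASCADE exists.
    try:
        con.execute("UPDATE users SET password = ? WHERE password = ?",
                    (new_password, old_password))
        return True
    except sqlite3.IntegrityError:
        return False


# --- surrogate integer key, unique username, salted hash ----------------

def open_surrogate_keyed_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")
    con.execute("""CREATE TABLE users (
                       user_id  INTEGER PRIMARY KEY,
                       username TEXT NOT NULL UNIQUE,
                       salt     BLOB NOT NULL,
                       pw_hash  BLOB NOT NULL)""")
    con.execute("""CREATE TABLE orders (
                       order_id INTEGER PRIMARY KEY,
                       user_id  INTEGER NOT NULL REFERENCES users(user_id))""")
    return con


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def register_surrogate_keyed(con, username, password) -> bool:
    salt = os.urandom(16)
    try:
        con.execute("INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
                    (username, salt, hash_password(password, salt)))
        return True
    except sqlite3.IntegrityError:   # only a duplicate username is rejected
        return False


def authenticate(con, username, password):
    """Return user_id on success, None otherwise (constant-time compare)."""
    row = con.execute("SELECT user_id, salt, pw_hash FROM users WHERE username = ?",
                      (username,)).fetchone()
    if row is None:
        return None
    user_id, salt, stored = row
    return user_id if hmac.compare_digest(stored, hash_password(password, salt)) else None


def change_password_surrogate_keyed(con, user_id, new_password) -> None:
    # Only the users row changes; orders keep pointing at the same user_id.
    salt = os.urandom(16)
    con.execute("UPDATE users SET salt = ?, pw_hash = ? WHERE user_id = ?",
                (salt, hash_password(new_password, salt), user_id))


def place_order(con, user_id) -> int:
    return con.execute("INSERT INTO orders (user_id) VALUES (?)", (user_id,)).lastrowid


def orders_for(con, user_id) -> list:
    rows = con.execute("SELECT order_id FROM orders WHERE user_id = ?", (user_id,))
    return [r[0] for r in rows]


def demo():
    """Register the sample users under both designs; return the outcomes."""
    old = open_password_keyed_db()
    old_ok = [register_password_keyed(old, u, p) for u, p in SAMPLE_USERS]
    old.execute("INSERT INTO orders (password) VALUES ('hunter2')")
    old_change_ok = change_password_password_keyed(old, "hunter2", "something-else")
    new = open_surrogate_keyed_db()
    new_ok = [register_surrogate_keyed(new, u, p) for u, p in SAMPLE_USERS]
    return old_ok, old_change_ok, new_ok
```

Under the story's design bob's registration is refused because alice already "owns" that password, and carol cannot change hers once an order references it; under the surrogate key both succeed and the password never leaves the users table.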

  • Stanley Szoctziczsky (unregistered) in reply to schmitter
    schmitter:
    I tried to register at the panasonic website, of course this is required to download device drivers. The required format for a user name required first inital last name or something like that. It would allow no variants and checked against what you had entered as your first name and last name fields. Having the last name of Smith meant that I was unable to create a username. I had to make up a completely fake name in order to register. So I believe this story.

    How strange.. this never happens to me.

  • (cs)

    ALTER TABLE users ADD (the_real_password tinytext); #done.

  • ox (unregistered) in reply to AbbydonKrafts
    If only that happened in real life.

    Seriously, this is clearly a fairy tale...

  • mike (unregistered) in reply to Dry Erase
    Why do that when the "solution" Enrique insisted upon is just as much as WTF as the one before it. Anyone who proposes non-unique, _meaningful_ and changeable data for a primary/foreign key needs to go back to DBA school, or at least stop pretending to be a DBA.
    I think you need to stop letting DHH tell you how to build database schemas.

    Are you familiar with ON UPDATE CASCADE?

    http://blogs.ittoolbox.com/database/soup/archives/primary-keyvil-part-i-7327

  • Nicholas Whelan (unregistered)

    I seem to recall many websites at the beginning of the internet (pre 2000), had this issue. I'm pretty sure xoommail was one. I also want to say Neopets had this issue, but that just doesn't seem right.

  • Franz Kafka (unregistered) in reply to mike
    mike:
    Why do that when the "solution" Enrique insisted upon is just as much as WTF as the one before it. Anyone who proposes non-unique, _meaningful_ and changeable data for a primary/foreign key needs to go back to DBA school, or at least stop pretending to be a DBA.
    I think you need to stop letting DHH tell you how to build database schemas.

    Are you familiar with ON UPDATE CASCADE?

    http://blogs.ittoolbox.com/database/soup/archives/primary-keyvil-part-i-7327

    Meaningful PKeys are a hassle, but they aren't horrible. Still, if you're going to do a table, meaningful data shouldn't be in the PK - changes on complex schemas get expensive. Much simpler if you only need an index rebuild.

  • mike (unregistered) in reply to Franz Kafka
    Franz Kafka:
    Meaningful PKeys are a hassle, but they aren't horrible. Still, if you're going to do a table, meaningful data shouldn't be in the PK - changes on complex schemas get _expensive_. Much simpler if you only need an index rebuild.

    Agreed, I tend to use surrogate keys just because of path of least resistance. But certainly, if you want to go the meaningful keys route, to me that makes you maybe a little too idealistic or noble, but certainly qualified.

  • flabdablet (unregistered)

    That scheme would be brilliant if it weren't for those pesky usernames. Get rid of those, call it One-Factor Authentication, patent it and market the hell out of it. This thing could be even bigger than One-Click Ordering.

  • db_architect (unregistered)

    Is this story for real?

    I can't imagine the reasoning behind using a password as a unique identifier, and a foreign key.

    It is all too common for application developers to be ignorant of elementary database design principles, and secure data access. I deal with this kind of ignorance every day (well, maybe not to the same degree of ignorance detailed in this story, but ignorance nonetheless). The worst part about it is that when I propose intelligent solutions to database problems, my team of application developers look at me with that "deer in headlights" look, because they don't follow my line of reasoning (and no, it's not because I don't know how to explain myself either).

    For something as fundamentally important, and as pervasive, as a database, it is surprising how many developers remain ignorant of the concepts of proper schema design. I would hazard a guess that their understanding of how to design and implement an object oriented solution is at the same level as their understanding of the design of an application schema.

  • Myyz (unregistered)

    http://support.microsoft.com/kb/276304

    That's not a bug, that's a security feature dammit.

    If the application in question had used microsoft's limitations on password, that would have reduced the chance of clashes significantly. Personally I think 18770 or something is a bit aggressive though, especially with database limited column sizes.

  • I can top this story (unregistered)

    A few years ago I had a client call me in to help with their credit card ecommerce app. On the first day of looking at the current situation, I found he was taking credit card information without SSL, and then storing inside a Microsoft Access database, which was in the web root!!!!!

  • seebs (unregistered)

    The Citadel BBS program, a popular dialup BBS system, used passwords for login.

    So, you'd create an account, and then pick a password. After this, you entered your password, and ONLY your password, to log in.

    This was the case for years, and every so often, someone would ask, but the Citadel developers were adamant that the marginal security advantages of requiring you to at least guess whose password you had before logging in were far, far, outweighed by the convenience of not having to remember your user name.

    At one point, we had a user named "Dark Thief" on a BBS I ran, and one day, I pranked him by editing the user table to show his name as "Dark Theif". He logged in and got, predictably, quite mad.

    Captcha: "bathe", which reminds me of why no one liked him. :P

  • Jim Langston (unregistered)

    I once had a supervisor who wanted me to make a list of everyone's passwords, because people forgot their passwords then we could tell them to them. I told him, if they forget their password, I set it to something, tell the system they have to change their password at next login, and no problem.

    He didn't want this, insisted I make a list of people's passwords. He said the old programmer used to maintain a list of passwords. I searched around and, sure enough, found a list of people's passwords.

    I went to about 5 people, asked for their passwords, explained why, then went onto the system and made it so they had to change their password on the next login and gave him the list of the (now defunct) passwords.

    I don't know what he actually wanted with the passwords but I would tell people not to give anyone their password, including me.

  • Zaphod Beeblebrox (unregistered) in reply to snoofle

    Belgium, Ford, Belgium!

  • Mette (unregistered) in reply to Sgt. Preston

    No surely only Java people could be this ignorant !!

  • Don (unregistered) in reply to Fabio

    No, that is not true. The VAX had very good security.

  • mark (unregistered)

    The real wtf here is the fairy tale ending!

  • millsa (unregistered)

    i need passwords for neopets and fast!

  • dfkmndvfxmkvfmvsd (unregistered) in reply to millsa

    I need neopets passwords!! Just post them already!!

Leave a comment on “Really Unique Passwords”
