• Cidolfas (unregistered)

    So passwords must be a random length and random characters are said to be incorrect?

    I also like the bit where if the user enters, say, 4 characters, they are told the password needs to be at least 5 characters, instead of 7 which is actually the minimum.

  • Robyrt (unregistered)

    Now that's what I call secure!

  • Rottweiler (unregistered)

    Drat!

    wunshine776@

    "The character 's' is not supported in the 4th position"

  • Andrei (unregistered)

    Nice one :)) Better yet, there is the classic #define true false // happy debugging suckers !

  • (cs)

    Man, I've seen bad code, stupid code, ridiculous code, but purposefully fraudulent code? That is special.

  • Swedish tard (unregistered) in reply to Andrei
    Andrei:
    Nice one :)) Better yet, there is the classic #define true false // happy debugging suckers !

    Another old fun thing to find in code is #define private public

  • Doozerboy (unregistered) in reply to Rottweiler
    Rottweiler:
    Drat!

    wunshine776@

    "The character 's' is not supported in the 4th position"

    The character 's' is not supported in the 21th position either!

  • TK (unregistered)

    22th post?

  • flabdablet (unregistered)

    I have recently found out that my current electricity retailer doesn't let me change my web account password. Their "technical support" script monkeys have apparently been instructed to advise people who wish to change their passwords to use the "retrieve forgotten password" function instead - and despite what they tell me, this doesn't actually change the password, merely generates an email containing the current password, in plain text.

    I wonder if Marius's erstwhile coworker is now employed by their web design consultants.

  • Andrei (unregistered) in reply to Swedish tard

    #define private public won't do much harm. If you had #define public private, that is an entirely different story :P

  • (cs)

    You forgot the first line of that script:

    if( Math.random() <= 0.1)
    {
       window.alert("Smile, you're on candid camera!");
    }
  • TheSHEEEP (unregistered)

    Wow... just wow. I wouldn't even be able to come up with something that... evil.

  • Rob (unregistered)

    Or, as the late Douglas Adams might have noted...

    #define black white

    (and get yourself killed on the next zebra crossing) :)

    original quote

    Apparently, akismet thinks this is spam because I put a URL in here. Well, I guess I just have to keep typing until akismet likes me... :)

  • (cs) in reply to Andrei
    Andrei:
    #define private public won't do much harm.

    Apart from totally screwing encapsulation.

  • (cs)

    Thanks, I needed a good laugh this morning.

    I would also imagine that every user's initial password is set to something ridiculous to start with. My guess would be that user.setPassword goes something like this

    if (userName.length < 5) return "*******"; else if (userName.length > 5) return "secret"; else return null;

  • Ben (unregistered) in reply to webrunner
    webrunner:
    Man, I've seen bad code, stupid code, ridiculous code, but purposefully fraudulent code? That is awesome.

    FTFY.

  • Bill's Kid (unregistered)

    **

    Password must be longer than 3 characters!


    Password must be longer than 5 characters!


    Password must be longer than 7 characters!


    but length of 7 gets past that test...

  • x-sol (unregistered)

    I can't make up my mind if this is evil or stupidity in action

  • Paul (unregistered) in reply to x-sol
    x-sol:
    I can't make up my mind if this is evil or stupidity in action
    Just remember folks, you can be evil OR stupid. Nobody said anything about evil XOR stupid
  • (cs)

    Is this really 21th century code?

  • J. (unregistered) in reply to Andrei

    Mind == Blown

    Andrei:
    #define private public won't do much harm.
    It will do plenty of harm if the person debugging assumes that an object's internal state can only be modified by means of its public interface.

    Come to think of it, it would probably be a bit similar to debugging a multi-threaded application that does not make use of any synchronization at all.

  • n_a (unregistered)

    An ultimate form of job security for IT?

  • slywinkle (unregistered)

    GenerateRandomError

    'nuff said.

  • slurm (unregistered)

    while (true) { [...] alert(GenerateRandomError(password)); }

    that's my favourite part

  • Totally my real name (unregistered)

    23th post... would've thought 23rd, but apparently not

    Also, nice trick making the end of the while look like the end of the else... classy

  • Doug (unregistered)

    This code totally changes the playing field. Programming could become a lot more fun. How about after three failures, the input field moves away as soon as the mouse cursor approaches?

    Or the screen could say, Multiple password failures detected. Verify Identity: Social Security Number ______________ Date of Birth (mm/dd/yyyy) ___________ Mother's Maiden Name ______________ ...

  • Buddy (unregistered)

    I know guys that evil. They always happen to be short tubby guys with short fat fingers. These bastards do the absolute minimum: come in at 11:00, check up on their e-mail (reading any jokes out loud - you wanna hear a joke? you wanna hear a joke? ...), go out for a 90 minute lunch, come back, play games for a couple of hours, burping and farting the whole time, then head home around 3:00.

    Except when the boss is around... These fuckers have an uncanny sense to be in the right place at the right time, to step into high gear to look busy, and make themselves look like some kind of demi-god.

    True story, many years ago, new client coming up, I spent two weeks of work in one week getting the website ready, and needed just one piece of information, some password or security key or something. Of course I didn't have it when it was needed, so at the 11th hour the site wasn't working. Butt munch just happens to be there late at night when the boss is freaking, helps him to look through his e-mails, conveniently skipping over my frantic requests, to find whatever. He plugs it in, site works beautifully. Next morning, he looks like a hero, I look like a douche bag. I'm getting angry now just thinking about it.

    They pervade every industry. I remember in many of my non-IT jobs, these short tubby guys who do dick all until the boss is around. God have mercy if they do any work on your projects, you spend twice as much time undoing their shit than doing it right. Stupid fucks.

  • Bob (unregistered) in reply to Swedish tard
    Swedish tard:
    Andrei:
    Nice one :)) Better yet, there is the classic #define true false // happy debugging suckers !

    Another old fun thing to find in code is #define private public

    Amateurs!

    #define sizeof(x) (rand() % sizeof(x) + 1)

  • anon (unregistered) in reply to java.lang.Chris;
    java.lang.Chris;:
    Andrei:
    #define private public won't do much harm.

    Apart from totally screwing encapsulation.

    That's okay, C++ doesn't have encapsulation anyway.

  • (cs)

    I'm no JS expert, but doesn't this always return 0?

    var error = Math.floor(Math.random() * 1)

    I believe Math.random() returns a random float between 0.0 and 1.0. Calling floor on that will return 0 99.99999% of the time; only when Math.random() returns exactly 1.0 will floor() return 1.0. Right?

  • UnallowedUsername (unregistered)

    This comment is not allowed in this position. Please refresh page and try a more secure comment!

  • KK (unregistered) in reply to Buddy

    I know exactly what/who you mean...thanks for reminding me...sigh

    ;)

    Buddy:
    I know guys that evil. <snip> Stupid fucks.
  • (cs) in reply to SeySayux
    SeySayux:
    I'm no JS expert, but doesn't this always return 0?
    var error = Math.floor(Math.random() * 1)
    I believe Math.random() returns a random float between 0.0 and 1.0. Calling floor on that will return 0 99.99999% of the time; only when Math.random() returns exactly 1.0 will floor() return 1.0. Right?

    Of course it does. How else would the following bit of code work?

        switch (error) {
            case 0:
                return InvalidCharInPosError(password);
            default:
        }

  • Short Tubby Guy (unregistered) in reply to Buddy
    Buddy:
    I know guys that evil. They always happen to be short tubby guys with short fat fingers. These bastards do the absolute minimum: come in at 11:00, check up on their e-mail (reading any jokes out loud - you wanna hear a joke? you wanna hear a joke? ...), go out for a 90 minute lunch, come back, play games for a couple of hours, burping and farting the whole time, then head home around 3:00.

    Except when the boss is around... These fuckers have an uncanny sense to be in the right place at the right time, to step into high gear to look busy, and make themselves look like some kind of demi-god.

    True story, many years ago, new client coming up, I spent two weeks of work in one week getting the website ready, and needed just one piece of information, some password or security key or something. Of course I didn't have it when it was needed, so at the 11th hour the site wasn't working. Butt munch just happens to be there late at night when the boss is freaking, helps him to look through his e-mails, conveniently skipping over my frantic requests, to find whatever. He plugs it in, site works beautifully. Next morning, he looks like a hero, I look like a douche bag. I'm getting angry now just thinking about it.

    They pervade every industry. I remember in many of my non-IT jobs, these short tubby guys who do dick all until the boss is around. God have mercy if they do any work on your projects, you spend twice as much time undoing their shit than doing it right. Stupid fucks.

    Laboriously lifts short fat middle finger tl;dr

  • Pointy Haired Minion (unregistered)

    What in the name of Hastur...

    I guess that the aesop is "never attribute to malice what can be attributed to malice and stupidity"?

  • whiskeyjack (unregistered) in reply to Buddy
    Buddy:
    True story, many years ago, new client coming up, I spent two weeks of work in one week getting the website ready, and needed just one piece of information, some password or security key or something. Of course I didn't have it when it was needed, so at the 11th hour the site wasn't working. Butt munch just happens to be there late at night when the boss is freaking, helps him to look through his e-mails, conveniently skipping over my frantic requests, to find whatever. He plugs it in, site works beautifully. Next morning, he looks like a hero, I look like a douche bag. I'm getting angry now just thinking about it.

    Ah, yes. I always think of Dennis Nedry (Jurassic Park) when I picture these guys. I knew a guy like that who worked in the same lab with me. One weekend I came in to work and needed something stored on the machine that he usually used. Browsing through the temporary files folder, I realized it was filled with videos of gay porn. I felt the sudden urge to wash my hands when I finished with that keyboard and mouse...

    Anyway, you need to learn to protect yourself from people like that, especially if you suspect they are intentionally withholding information. Your "frantic requests" should have been CC'd to your boss after the first couple don't get a response (or after you talk to him in person and still get nothing). You should make a point of saying things like "Yep, boss, it's all done, all I need is that security key from Joe, as soon as he gets it to me, the site will be live." Bonus points if such an email is timestamped at 11:00pm on a Sunday from your work PC.

    Or start emailing a few other strategic people with things like "The site can't go live until I get the security key. Unfortunately Joe hasn't been able to get it to me yet. Does anyone else know the key so we can get this site live? We need it ASAP."

    The trick is being diplomatic. In your email, give the benefit of the doubt and assume best possible scenarios, that way everyone else can draw their own conclusions about how far off the mark you are, without making you look accusatory.

    e.g. "Joe is being an ass and is ignoring my emails and refusing to give me the key" -- makes YOU look like a whining child.

    "Is Joe sick at home today? Or is he working on a really high priority project? Because I've been trying to get the key from him, and I haven't been able to get a response from him at all." -- makes everyone who has seen Joe in the office, and knows he's not working on anything super high priority, realize that he's being an ass.

  • Anon (unregistered) in reply to Buddy
    Buddy:
    I know guys that evil. They always happen to be short tubby guys with short fat fingers. These bastards do the absolute minimum: come in at 11:00, check up on their e-mail (reading any jokes out loud - you wanna hear a joke? you wanna hear a joke? ...), go out for a 90 minute lunch, come back, play games for a couple of hours, burping and farting the whole time, then head home around 3:00.

    Hey! I resemble that remark!

    Buddy:
    *Except* when the boss is around... These fuckers have an uncanny sense to be in the right place at the right time, to step into high gear to look busy, and make themselves look like some kind of demi-god.

    {snip}

    They pervade every industry. I remember in many of my non-IT jobs, these short tubby guys who do dick all until the boss is around. God have mercy if they do any work on your projects, you spend twice as much time undoing their shit than doing it right. Stupid fucks.

    I assume your job, like mine, involves reading TDWTF too then? Because surely you're not dicking around right now as well?

  • airdrik (unregistered) in reply to frits
    frits:
    SeySayux:
    I'm no JS expert, but doesn't this always return 0?
    var error = Math.floor(Math.random() * 1)
    I believe Math.random() returns a random float between 0.0 and 1.0. Calling floor on that will return 0 99.99999% of the time; only when Math.random() returns exactly 1.0 will floor() return 1.0. Right?

    Of course it does. How else would the following bit of code work?

        switch (error) {
            case 0:
                return InvalidCharInPosError(password);
            default:
        }


    What's even better is that Math.random never returns 1.0 (the range of possible values includes 0 but excludes 1), so it is like playing Russian roulette with anything but a revolver.

  • js (unregistered) in reply to SeySayux
    SeySayux:
    I'm no JS expert, but doesn't this always return 0?
    var error = Math.floor(Math.random() * 1)
    I believe Math.random() returns a random float between 0.0 and 1.0. Calling floor on that will return 0 99.99999% of the time; only when Math.random() returns exactly 1.0 will floor() return 1.0. Right?
    Math.random() never returns 1.0, it is in fact 0 <= Math.random() < 1. Hence, this is equivalent to

    var error = 0;
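
An added example (not code from the article or from any commenter) that makes js's point concrete: sampling Math.floor(Math.random() * n) shows that n = 1 can only ever yield index 0, and next to it a deterministic validator whose message states the real minimum length (7 characters, the figure Cidolfas gives above). The function names and the MIN_LENGTH constant are assumptions of this example.

```javascript
// Added example, not the article's code. It contrasts the façade's
// "random" error selector with a validator that reports a true,
// repeatable error.

// The façade's selector, generalised to n possible error kinds.
// Math.random() lies in [0, 1), so the result lies in [0, n - 1];
// with n = 1 (the article's "* 1") the only reachable index is 0.
function pickErrorIndex(n) {
  return Math.floor(Math.random() * n);
}

// Sample the selector `samples` times and report every index that
// ever occurred, sorted ascending.
function observedIndices(n, samples) {
  const seen = new Set();
  for (let i = 0; i < samples; i++) {
    seen.add(pickErrorIndex(n));
  }
  return [...seen].sort((a, b) => a - b);
}

// A deterministic validator: the same password always gets the same
// verdict, and the message names the actual rule instead of a
// different threshold each time. MIN_LENGTH is an assumed policy
// value, taken from the minimum the thread's commenters report.
const MIN_LENGTH = 7;

function validatePassword(password) {
  if (typeof password !== 'string') {
    return 'Password must be a string.';
  }
  if (password.length < MIN_LENGTH) {
    return `Password must be at least ${MIN_LENGTH} characters.`;
  }
  return null; // null means the password is accepted
}

// Stand-alone demonstration: a 7-character password passes, a
// 4-character one gets the real minimum back, and the selector with
// n = 1 never produces anything but index 0.
console.log(observedIndices(1, 5000));          // [ 0 ]
console.log(validatePassword('abcd'));          // real minimum reported
console.log(validatePassword('wunshine776@'));  // null (accepted)
```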

  • (cs)
    TFA:
    alert(GenerateRandomError(password));
    Hmm... must be Windows code.
  • (cs) in reply to Pointy Haired Minion
    Pointy Haired Minion:
    What in the name of Hastur...

    I guess that the aesop is "never attribute to malice what can be attributed to malice and stupidity"?

    I salute your Lovecraft reference.

  • JB (unregistered) in reply to frits
    frits:
    SeySayux:
    I'm no JS expert, but doesn't this always return 0?
    var error = Math.floor(Math.random() * 1)
    I believe Math.random() returns a random float between 0.0 and 1.0. Calling floor on that will return 0 99.99999% of the time; only when Math.random() returns exactly 1.0 will floor() return 1.0. Right?

    Of course it does. How else would the following bit of code work?

        switch (error) {
            case 0:
                return InvalidCharInPosError(password);
            default:
        }


    From the "* 1", I'm guessing he was originally intending to return other random errors but was just too lazy to be more evil.

  • (cs) in reply to boog
    boog:
    TFA:
    alert(GenerateRandomError(password));
    Hmm... must be Windows code.
    Nah ... anyone working with the intricate works of Microsoft's "LDAP" (Active Directory and its ilk) knows that MS will only show

    INVALID_ATT_SYNTAX DSE_UNWILLING_TO_PERFORM

    Or simply

    AcceptSecurityContext Error.

    It will never even give you a slight hint of what went wrong.

    Note: The INVALID_ATT_SYNTAX is also given when your password doesn't conform to the password policies. Go figure.

  • Arvind (unregistered) in reply to Swedish tard

    The standard doesn't allow it. Preprocessor cannot alter meanings of keywords.

  • (cs)

    You shall not pass(word)!

  • (cs)

    Do I enter the passoword before or after I enter the password?

  • jimbob (unregistered) in reply to Bob
    Bob:
    Swedish tard:
    Andrei:
    Nice one :)) Better yet, there is the classic #define true false // happy debugging suckers !

    Another old fun thing to find in code is #define private public

    Amateurs!

    #define sizeof(x) (rand() % sizeof(x) + 1)

    +1

  • (cs) in reply to x-sol
    x-sol:
    I can't make up my mind if this is evil or stupidity in action
    Both.
  • (cs) in reply to js
    js:
    Math.random() never returns 1.0, it is in fact 0 <= Math.random() < 1. Hence, this is equivalent to

    var error = 0;

    Which certainly explains why users had no way of changing their passwords; every password generates a "random" error.

    Yep. There's yer problem right there.

  • (cs) in reply to Buddy
    Buddy:
    really angry rant

    Protip: Being confrontational is often better than sitting back and getting really really mad, and then telling others on the internet. Did you ever, you know, do anything about it?

    Re: TFA, TUWTF is that refreshing the page would somehow solve a null reference.

Leave a comment on “The Password Reset Façade”
