Admin
"I totally didn't catch the much bigger WTF of what the error message was saying."
What it says is not important. What matters is what it means. With such code, that text could mean anything, from "you have mail" to (even more likely) "We don't know what we are doing"
Admin
Not to name names... but Amazon does this. Your Amazon account is made unique by a combination of email address and password. Ergo, I have 3 (or possibly more) Amazon accounts. When I asked them if I could consolidate (or even just kill 2 of them), I was told no. Ugh.
Admin
Of course it's an issue. It's hard to brute-force passwords because eventually most systems (though probably not this one) stop letting a user log in after X failed passwords. But they don't stop you from trying if you're going through usernames one by one trying to brute force the username. Also, usernames aren't obfuscated on the screen -- it's easy to find someone's username while shoulder surfing. Even more, most places have predictable usernames (John Doe is almost always some variant of john_doe, jdoe, doej, etc.). Getting a valid password for an unknown user is far more than half the battle. The likelihood of getting an administrative user by random chance (or some other user with the permissions you're looking to maliciously obtain) isn't as high, but still, this is a big hole.
Admin
Ugh! I now hate the forum software too. I guess I should have quoted the original to which I was responding. It was a post about working at an E-commerce site where the boss or someone demanded that username+password be the unique key for an account.
Admin
Alas, ladies and gentlemen, we're using the latest and greatest version of a leading Java app server running on a Solaris box, hitting an Oracle database. It's running very well now. It just didn't like to deal with exceptions.
Admin
if (errMsg.indexOf("Violation of UNIQUE KEY constraint 'UQ__mbrs_pwd'") != -1)
    return "The password entered is already in use. Please enter another.";
Unless there's another piece of crapcode like this:
if (errMsg.indexOf("Violation of UNIQUE KEY constraint 'UQ__mbrs_usr'") != -1)
    return "The username entered is already in use. Please enter another.";
A wily hacker could quite possibly think of some way to kind of iterate through each probable username with the appropriate password; just maybe. [^o)]
Admin
The real WTF is the people that keep posting the same comments over and over. This is obviously a write only forum.
Admin
Like in the following example:
ERROR CODE 69:
Error message while using...
Microsoft's DDE:
"Error Code 69: Sorry, DDE does not exchange data in this fashion."
Microsoft's OLE:
"We apologize, but you cannot link your objects in this way (error 69)"
Microsoft's ActiveX:
"Our condolences. The id {65-22-35-hike} cannot be embedded like that: 00069"
Microsoft's COM:
"Sorry, component not found even though I see it. ERROR 0069."
Microsoft's COM+:
"Oh there it is, but the component doesn't look like it is distributed properly. ERR#69"
Microsoft .NET:
"You silly object. This component or assembly appears to be unmanageable. Please correct as soon as possible. Cheers. (distributed.enterprise.assembly.error.net.level(69)."
Ahhhh, got that off my chest. Now back to productively using Microsoft products (gotta luv 'em). [:$]
Admin
Close. It's a right-only forum. Ask anyone here, they'll tell you they're right ...
Admin
You are so right about that...
Admin
walksIn(girl.waist(ittyBitty)) && yourFace.in(girl.thing(round)); [;)]
Admin
Where do you get that from the code snippet?
Admin
Has anyone considered that there *might* be a password history table and that the user is forced to change their password on some time interval and that they are not allowed to choose a password they've used previously? Several organizations have software that forces you to change your password every quarter and they keep a history of the last X number (5 commonly) of passwords you have used and will prevent you from using those passwords again.
In this case the given constraint is not a WTF, rather the error message and error handling is.
Admin
<ponder>
So if the password you entered was blank (read "very null"), does that mean the username is "sa"?
</ponder>
[8-)]
Admin
The password has a unique key constraint. Unless each account has its own password history table, the constraint requires the password be unique across all rows. So it is most likely not enforcing the reasonable policy you mention.
Admin
You misunderstand.
Error messages for the users - and these may be localized.
Error numbers for the application developers - these are the keys used to retrieve the messages from the localization database for error messages.
The log file gets both, because it can be used by both application developers and users.
For any application, new error numbers may be created during any update - but old error numbers are fixed. If an update prevents an error from ever happening again, the associated error number is still reserved, and may never be used for a future error - unless a later update makes it possible again.
Within a particular company, it is useful to have consistent error numbers between applications - but if you have multiple applications with differing error numbers, don't fix them, except with a major update (major number change), and even in that case, the old numbers are still reserved, and one should provide a translation layer or other means for backward compatibility. It's better for a company's products from disparate sources to be different in this regard than to break all of its existing customers.
This way, the users get to understand what's going on, because they get a meaningful error message. Application developers that need to interact with the program can without tying themselves to a specific locale, and with some resistance to being broken due to error message text clarifications.
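The scheme described in the post above (stable error numbers for developers, localized messages for users, both in the log) side by side with the string-matching approach from the snippet earlier in the thread. This is an added example, not code from the site under discussion or from any commenter. The exception class, the locale tables, the error numbers and the two driver message variants are all constructed here; only the constraint names UQ__mbrs_usr and UQ__mbrs_pwd come from the thread. Mapping the password constraint to a generic "could not save" number is my own choice, so that the fact that a password belongs to someone else is never reported to the caller.

```python
import logging

log = logging.getLogger("members")


class DbIntegrityError(Exception):
    """Assumed driver exception: carries the violated constraint's name
    separately from its free-form text (constructed for this example)."""

    def __init__(self, constraint, text):
        super().__init__(text)
        self.constraint = constraint


# Stable application error numbers: assigned once, never reused or renumbered.
ERR_USERNAME_TAKEN = 1001
ERR_CANNOT_SAVE = 1002
ERR_INTERNAL = 1999

# Constraint name -> application error number. No message text is inspected.
# UQ__mbrs_pwd deliberately maps to a generic number (my choice): the caller is
# never told that the password they typed belongs to another account.
CONSTRAINT_TO_ERROR = {
    "UQ__mbrs_usr": ERR_USERNAME_TAKEN,
    "UQ__mbrs_pwd": ERR_CANNOT_SAVE,
}

# Localized user-facing text keyed by error number (constructed locale tables).
MESSAGES = {
    "en": {
        ERR_USERNAME_TAKEN: "That username is already taken.",
        ERR_CANNOT_SAVE: "The account could not be saved.",
        ERR_INTERNAL: "An internal error occurred.",
    },
    "de": {
        ERR_USERNAME_TAKEN: "Dieser Benutzername ist bereits vergeben.",
        ERR_CANNOT_SAVE: "Das Konto konnte nicht gespeichert werden.",
        ERR_INTERNAL: "Ein interner Fehler ist aufgetreten.",
    },
}


def translate_db_error(exc, locale="en"):
    """Map a driver exception to (error_number, localized_message).

    The log line carries the number, the constraint and the raw driver text
    so developers can correlate; the user only ever sees the message.
    Anything without a known constraint becomes ERR_INTERNAL."""
    constraint = getattr(exc, "constraint", None)
    number = CONSTRAINT_TO_ERROR.get(constraint, ERR_INTERNAL)
    table = MESSAGES.get(locale, MESSAGES["en"])
    message = table.get(number, table[ERR_INTERNAL])
    log.error("err=%d constraint=%s driver_text=%s", number, constraint, exc)
    return number, message


def legacy_string_match(err_msg):
    """The thread's approach, for contrast: key off the driver's message text.
    Returns None when the text no longer matches."""
    if err_msg.find("Violation of UNIQUE KEY constraint 'UQ__mbrs_usr'") != -1:
        return "The username entered is already in use. Please enter another."
    if err_msg.find("Violation of UNIQUE KEY constraint 'UQ__mbrs_pwd'") != -1:
        return "The password entered is already in use. Please enter another."
    return None


# Two constructed errors for the same username constraint: the wording changes
# between driver versions, the constraint name does not.
OLD_DRIVER = DbIntegrityError(
    "UQ__mbrs_usr",
    "Violation of UNIQUE KEY constraint 'UQ__mbrs_usr'. Cannot insert duplicate key.",
)
NEW_DRIVER = DbIntegrityError(
    "UQ__mbrs_usr",
    "Duplicate key value violates unique constraint 'UQ__mbrs_usr'.",
)
PWD_ERROR = DbIntegrityError(
    "UQ__mbrs_pwd",
    "Violation of UNIQUE KEY constraint 'UQ__mbrs_pwd'. Cannot insert duplicate key.",
)

if __name__ == "__main__":
    for exc in (OLD_DRIVER, NEW_DRIVER, PWD_ERROR):
        print(translate_db_error(exc, "en"), "| legacy:", legacy_string_match(str(exc)))
```

The number is what a caller or a support script keys on; the text is free to be reworded or translated. With the legacy matcher, the second driver wording silently falls through to whatever the default branch does, which is exactly the fragility the post warns about.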
Admin
There isn't one. Seriously, the system that contains pretty much all the site specific records for the government department I'm employed by does this. No usernames, just a password. The passwords are limited to 8 characters too, and I'm pretty sure it's not case-sensitive. Most users have a 3 letter password like cat or dog, and if you attempt to change to one that's in use, it gladly tells you it's in use.... Any valid user could, with a few hours spare, find my admin account's password, and there's nothing I can do about it.
Admin
It is an error, a common EXPECTED error... Not an exception
Admin
Aye! I say bestow onto us, your brethren, the whole WTFery of that software!
Admin
By "any valid user" here you really mean "anyone", right? With passwords like "cat" or "dog", any five year old could become a "valid user" ...
Admin
Sorry, the REAL wtf is that you are judging me by one of my actions on this forum, instead of valuing me for the whole of my contributions to the community :)
And the correct phrase is "By posting that, you behave like a jerk". Otherwise, you are implying that I behave like a jerk always and everywhere, instead of just when I see a "0 replies" link on The Daily WTF.
Those are the kinds of details that mark the difference......
Admin
Really, you're a jerk.
sincerely,
Richard Nixon
Admin
What the hell are you saying? Of course Jesus saves.
Admin
The convention should be to place your apology (or a tag containing your native language) at the TOP of your message so that I have a reason to continue reading it. [Language = BabelFish(Japanese)] at the top of a post would make it quite clear that the issue is a difference of language not a short circuit in the brain.
Admin
You have done a thing that jerks do. That PROVES that you do things which jerks do. Someone who is not opposed to doing those sorts of things is (wait for it)...A JERK!
The real WTF is that you think that performing unrelated beneficial actions gets you off the hook for anything detrimental you do. That kind of attitude works in government, but not here. Jerk.
Admin
That only means that I occasionally act as a jerk. And yes, people are usually more forgiving of jerk-like actions if you only do them occasionally, then recognize them, the action causes no harm and then you behave well the rest of the time. I don't think that a "fist" post is "detrimental", anyways.....
Also, if you are the same anonymous from the original post, you still don't understand the difference between saying "You are X" and saying "You behave like an X". And also, you seem to prefer acting as a TROLL instead of maintaining a meaningful conversation
Admin
Could you just not make those 'fist' posts in the future? Please?
sincerely,
Richard Nixon
Admin
Well, since you ask it that way....
Admin
There isn't one. Seriously, the system that contains pretty much all the site specific records for the government department I'm employed by does this. No usernames, just a password. The passwords are limited to 8 characters too, and I'm pretty sure it's not case-sensitive. Most users have a 3 letter password like cat or dog, and if you attempt to change to one that's in use, it gladly tells you it's in use.... Any valid user could, with a few hours spare, find my admin account's password, and there's nothing I can do about it.
Oh, ugh. Half-factor authentication.
This is ripe for an indirect insider attack.
With an account, you can arbitrarily change passwords until the system runs out, then nobody can change their passwords anymore.
And while doing that, any passwords that are rejected in the process should be noted as potentially valid accounts.
Too easy to brute force. Hope your sysadmin password is 9.9999e99 characters long.
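The attack sketched in several comments above (registration refusing a password as "already in use" confirms it belongs to some account; rejected passwords are then tried against likely usernames one at a time, which per-username lockout does nothing to stop) as a runnable simulation, together with a hardened registration that gives the oracle nothing to work with. This is an added example, not code from the site in the thread or from any commenter. The account table, the wordlist, the guessed usernames, the lockout threshold and the hardened variant (no uniqueness across passwords, salted PBKDF2 hashes, no message about other accounts' passwords) are all constructed here.

```python
import hashlib
import hmac
import secrets

# Constructed toy account table; every name and password here is made up.
ACCOUNTS = {"jdoe": "cat", "asmith": "summer2005", "sa": "", "mjones": "dog"}
# Constructed attacker inputs: a short password wordlist and guessed usernames.
WORDLIST = ["", "cat", "dog", "password", "letmein", "summer2005", "123456"]
USERNAMES = ["admin", "sa", "jdoe", "asmith", "mjones"]
LOCKOUT_THRESHOLD = 5  # assumed: a username is locked after 5 failed logins
PBKDF2_ROUNDS = 100_000


class LeakyRegistration:
    """Models the site in the thread: passwords are unique across all rows,
    and the constraint violation is turned into a user-facing message."""

    def __init__(self, accounts):
        self.accounts = dict(accounts)
        self.failures = {}

    def register(self, username, password):
        if password in self.accounts.values():
            return "The password entered is already in use. Please enter another."
        if username in self.accounts:
            return "The username entered is already in use. Please enter another."
        self.accounts[username] = password
        return "OK"

    def login(self, username, password):
        # Per-username lockout: limits guesses against one user, not one
        # password tried across many users.
        if self.failures.get(username, 0) >= LOCKOUT_THRESHOLD:
            return "locked"
        if username in self.accounts and self.accounts[username] == password:
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "fail"


def harvest_passwords(site, wordlist):
    """Registration as an oracle: every candidate rejected as 'already in use'
    is the live password of some account. Each probe uses a fresh throwaway
    username so the username check never fires first."""
    confirmed = []
    for i, candidate in enumerate(wordlist):
        if site.register(f"probe{i}", candidate).startswith("The password entered"):
            confirmed.append(candidate)
    return confirmed


def spray(site, usernames, passwords):
    """Try the confirmed passwords against each likely username, stopping one
    short of the lockout threshold per name so no account ever locks."""
    found = {}
    for user in usernames:
        for pw in passwords[: LOCKOUT_THRESHOLD - 1]:
            if site.login(user, pw) == "ok":
                found[user] = pw
                break
    return found


class HardenedRegistration:
    """Fix: no uniqueness across passwords, only a salted hash is stored, and
    registration never says anything about other accounts' passwords."""

    def __init__(self):
        self.accounts = {}

    def register(self, username, password):
        if username in self.accounts:
            return "The username entered is already in use. Please enter another."
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.accounts[username] = (salt, digest)
        return "OK"

    def verify(self, username, password):
        if username not in self.accounts:
            return False
        salt, digest = self.accounts[username]
        probe = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(probe, digest)


def run_attack():
    """Harvest-then-spray against the leaky site; harvest alone against the
    hardened one. Returns (confirmed passwords, cracked accounts, leaked)."""
    leaky = LeakyRegistration(ACCOUNTS)
    confirmed = harvest_passwords(leaky, WORDLIST)
    cracked = spray(leaky, USERNAMES, confirmed)
    leaked = harvest_passwords(HardenedRegistration(), WORDLIST)
    return confirmed, cracked, leaked


if __name__ == "__main__":
    confirmed, cracked, leaked = run_attack()
    print("live passwords confirmed by the oracle:", confirmed)
    print("accounts cracked under lockout:", cracked)
    print("passwords leaked by the hardened site:", leaked)
```

Seven registration attempts confirm four live passwords, and at most four login attempts per username then pair each with its account, including the blank password, without a single lockout firing. Against the hardened store the same wordlist confirms nothing, because two accounts sharing a password is simply allowed and never reported.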
Admin
I just love those happy endings. :)
I like this whole thread of "jerk/not a jerk". I think this boils down to two scenarios:
1) Being a jerk versus jerk actions. Let's say, mathematically, that any person could be the number 4. A jerk would be a 3+1. But another person, who is at 2+2, is not considered a jerk but is also a number 4. Don't get me started on those 5-1 people! :)
2) Your jerk actions could be construed as a turd in someone's spaghetti and meatballs. That means that no matter what pure acts you've done in the past or intend to do in the future, I still have this "jerk turd" in my spaghetti (fist) which means it has ruined my whole meal.
I think that a #2 (pun?) is what Nixon was talking about. Those "fist" posts just ruin the entire ambiance of TDWTF not to mention any Italian dish.
--
Just hoping to confuse and enlighten while creating an atmosphere of total ambivalence.
Admin
Brilliant! I suppose the only viable alternative strategy would be to allow the system to reuse the password, but force it to notify all users with the identical preexisting password to the fact that a password plagiarizer had just created a new account using identity xyz.
Perhaps the larger "identical password" communities could start a self-help group.
Admin
Of course, not to mention ignoring them :D
(...)
catch (Exception ex) {} // TODO
(...)
Admin
Meh, simply a faster-acting error message. I think you should work on your coding :)
Admin