Admin
One would think that, in a system designed to monitor speed of a vehicle, monitoring for a race condition would be considered core functionality.
Additionally, 10:30 was driving my bus the other day, and he was only going juan... it was taking forever. I told him to speed up, at least to go two or three...
Admin
Had an odd one just yesterday. Signing up for an account on a site, I put in a password (for sake of argument, let's call it R1v!9m). It rejected it telling me it required a minimum of 6 characters. After some playing around, it turns out that "characters" means alphanumeric characters because R1v!9mK works, where R1v!9m is apparently less than 6 characters. :)
Admin
The real WTF is showing a 'caching' dialog instead of just bloomin' well getting on with it.
Admin
My method for best browsing on firefox
Use Adblock Plus, but only enable the advertising part; I use the "EasyList USA" list. This will block nearly all 3rd-party advertising, including banners, text ads and, most importantly, Flash ads.
Add sites to the Adblock Plus whitelist that you want to contribute ad revenue to, or that don't function correctly, such as CNN.com video or Hulu (right-click on the stop ABP icon -> click "disable adblock on this domain").
Install "QuickJava", which gives you a disable-JavaScript button that you can use on a per-site basis. I usually leave it on until I need to use a web application or AJAX web site.
But remember, many websites use JavaScript just for visitor analytics, and so it is nice to leave it on for them. Also, please remember to turn off ad blockers on sites that you use frequently or that provide a useful service, so you are not blocking their ad revenue and ability to exist in the first place.
Admin
That "Caching" dialog is from Hummingbird DM. It's a huge source of wtfs. For example, if NX bit is enabled and you try to open the explorer extension, explorer crashes. And from what I have heard, the database layout could use serious rescheming (I want to protect my sanity by not checking it).
And the Office integration is something that, if it happens to work, is quite nice. But if it doesn't, say hello to a Windows reinstall and pray to God it will work after that.
Admin
Hmmm, no I think it's more likely what TarquinWJ said... someone has made a complex (I assume) method to parse the password, and can't handle multiple (separate) numbers...
Of course, that begs the question: how do they know that you have created a valid password....??
Admin
The link you cite has a different explanation for the bodgey display....
Admin
You don't cancel the operation, you cancel the Display Window, that is, "We have finished the operation, so you probably don't need this displayed anymore. Press Cancel to get rid of it".
Personally, I think it a really (really) weird thing to do, but I can sort of understand the thinking behind it. Quite possibly created by a non-English speaker who struggles with Cancel and Close....
Admin
In fact, it doesn't make sense to try to exclude such values.
While the substitutions are not always as secure as people think, they are as secure as (or probably more secure than) FooBar01 - which is what they are effectively encouraging people to do, assuming your supposition that they want to stop number substitution for letters is correct...
I'm not sure who is stupider, them for having such a requisite, or all of you who try to justify it (and come up with irrational reasons for why they would have done that). Perhaps one of you wrote the code, that you know so well what the intentions of the coder must have been?
Admin
People seem obsessed with secure passwords with little justification. No matter how insecure your password is, most accounts will lock after fewer than 10 mistakes - I've never seen more than 5 allowed (although some only lock temporarily), so dictionary attacks are not a major threat.
Hopefully, these days developers are reasonably aware of Rainbow Tables and salt passwords (with, say, userID and some unique Site code) before hashing to make a rainbow table attack infeasible.
Minimising the password space by adding excessive restrictions seems a little counter-intuitive. Of course, I would avoid any password that appears in the top 100 of any most popular password list, but this is something that needs to be drummed into the user, not forced into the program.
Forcing people to frequently change passwords is an attempt to re-secure accounts that may have unknowingly been compromised. There is possibly a case for disallowing sequential password changes in this case, however a compromised account may already have measures in place to be able to quickly get your new password anyway. Irrespective, I can accept that sequential passwords are bad, but what about password05 becomes password7 or password5 or password07 - is this such a bad thing? Even if your account has been compromised, how many variations on a theme can the Other Party try before they lock your account?
People seem unnecessarily obsessed with weird means to force people to create weird passwords - but (on well built systems) a weak password should be adequate (provided there are secure means to allow you to unlock your account).
Frankly, even bank passwords don't need to be all that secure. My bank will lock when a combination of login ID, password and account pin (not the one used for associated cards) don't match on 5 successive occasions. Someone would have to know how regularly I use banking (and hope I don't make mistakes myself) to be able to gradually try a brute force (ie try 4 passwords, then wait for me to log on and off, then try again). The count of errors should not be reset after an arbitrary amount of time (I'll have to check whether my bank does this), but rather ONLY after the details have been correctly entered. If someone has hacked my bank and can see hashes, a Rainbow Table attack is useless, because I'm sure there are far more interesting things in the bank's site than my account (and I trust my bank to salt). If someone has a keylogger (or similar) on my computer, then no matter how secure I think my password is, they can get it (ie a more secure password would not protect here).
It bothers me that people are so obsessed with security without really understanding what they are obsessing over...
It is the user's responsibility to choose a sensible password. It is the developer's responsibility to ensure that possibility of attack through the system is minimised (ie Don't allow brute force attacks by locking accounts. Program against simple hashes for passwords. etc). It is the owner's responsibility, to ensure that users are sufficiently well educated to choose a secure password. If someone is stupid enough to use PA$sw.Rd69 - so be it. How many hackers will guess this in fewer than 5 goes? Ultimately, if they can, it is the user's fault, and their problem, too.
Here endeth this soliloquy
Admin
Thanks, I'll try that!!
Admin
Agreed - I quickly abandoned any secure password (that kept getting rejected for obscure reasons) in favour of Summer11 which seemed to pass anything....
Guess I'll have to change it now, I wonder what word I should use now....
Admin
I know - Let's add a lock out after 5 attempts to create a password, so you have to keep changing the username you want too ;)
Admin
This is one thing I never understood. How do you prevent this? Is this a matter of incrementing/decrementing the number and comparing the hash?
Admin
You can always enquire about the Scottish Widows payment by calling 0800 032 0947. Sadly, calling this number from your landline will cost the same as the amount you owe....
Admin
Think so (although I'm sure some IDIOTS out there somewhere might store in plaintext). It's the only thing that would make sense. Of course, the ones that kick up a stink about lots of similar characters to a previous password probably store them in plaintext (or encrypted rather than hashed, I guess).
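The two points raised in this thread (salt before hashing and lock the account after 5 failures, with the failure count reset only on a correct login, and the question of how a site can reject password05 -> password07 when it only stores hashes) worked through as one added example. This is not code from the thread or from any site mentioned; the in-memory USERS table, MAX_FAILURES and the function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import re

USERS = {}  # constructed in-memory user table (username -> record); hypothetical
MAX_FAILURES = 5  # lock the account on the fifth consecutive wrong password

def hash_password(password, salt):
    # Per-user random salt: a precomputed rainbow table for unsalted hashes is useless here
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(username, password):
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt),
                       "failures": 0, "locked": False}

def login(username, password):
    rec = USERS[username]
    if rec["locked"]:
        return "locked"
    if hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"])):
        rec["failures"] = 0  # counter resets only on a correct login, never on a timer
        return "ok"
    rec["failures"] += 1
    if rec["failures"] >= MAX_FAILURES:
        rec["locked"] = True
        return "locked"
    return "bad"

def number_variants(password, spread=3):
    # Neighbours of the new password: trailing number shifted by up to `spread`, zero-padded
    # to every width up to one more than the new number's ("password5" and "password05")
    m = re.search(r"(\d+)$", password)
    if not m:
        return {password}
    stem, digits = password[:m.start()], m.group(1)
    variants = {password}
    for n in range(int(digits) - spread, int(digits) + spread + 1):
        if n >= 0:
            variants.update(stem + str(n).zfill(w) for w in range(1, len(digits) + 2))
    return variants

def matches_previous(username, new_password):
    # Only the old password's salted hash is stored, so every candidate is hashed under
    # the same salt and compared; a hit means reuse or a "password05 -> password07" change
    rec = USERS[username]
    return any(hmac.compare_digest(rec["hash"], hash_password(v, rec["salt"]))
               for v in number_variants(new_password))
```

Note that the variant check only works because the candidate is hashed with the stored salt; a site that cannot do this and still complains about "similar" passwords is, as the post above says, probably storing them in plaintext or reversibly encrypted.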
Admin
I agree that the caching dialog is from Hummingbird DM.
The integration with the Office suite works well but does need to be configured properly; something which isn't that hard to do if you know what you're doing. Reinstalling Windows and praying would be a sign that you don't.
Also, the database schema, while having a few quirks that have resulted from the product evolving, is far from a total WTF. I'd be interested to know what you've heard in that respect.
Admin
Apple do this with their iPhone app management website. To make a change to your application, you select the save button, or cancel to not save the changes. Once you have saved the changes, it informs you at the top of the page, and the only way to go back to the App page is to then select cancel. It doesn't seem very intuitive, and it is possible that selecting that button may cancel the saved changes. That is why it is a WTF: people don't like having to select cancel to proceed; there is the thought in people's heads that it may undo what you have just done.
Admin
The eBay reputation is clearly written in binary. The guy only has 36% positive feedback, and is trying to make it look better than it is, by writing it in binary.
Admin
After hitting the kids a few times with it, they usually stay quiet for a while.
Addendum (2009-05-27 06:25): I managed to quote the wrong post. Need more caffeine
Admin
The cancel button thing reminds me of a classic UI wtf we learned about at school:
The setting is a travel agency. A customer wants to cancel his holiday. The person who has to process the cancellation presses the 'Cancel vacation' button on the screen and gets the following dialog:
Are you sure you wish to cancel this vacation? OK CANCEL
Which one would you pick?
Admin
Clearly, the choices should be:
[Yes] [No] [File not found]
Admin
My point was that that is the (approximate) extent to which it reduces the total number of possible passwords. Look up the term "key space".
Admin
I'm pretty sure that if they cared about security so much, they wouldn't stop people from using special characters.
As mentioned, it is clearly due to the programmers' lack of ability.
Admin
The worst part is that it takes 30 years to get from 32K to 4GB, and you have to change busses like six times.
Admin
verbero < verberare to beat, whip or drub, so I suppose transverbero might mean 'I'm beating him into the middle of next week' or more briefly 'I'm kicking his ass good'.
Admin
Yes, you press cancel to proceed...but the question is if the cancel button lets you proceed, how do you cancel?
Admin
Having also worked in the Big Black Hexagon, I don't think it was likely your fault. That looks like a mainframe error, not an output error. There was a massive queue of policies waiting to be fixed when I was there, and the fix method was to suspend the policy until maturity and then calculate the value by hand.
Admin
It would be funnier if it read HAMMERTIME!!!
CAPTCHA: abigo. What?