Admin
if first ShowFailureBox();
Admin
TRWTF is the CapitalCase method names
Admin
Ingenous. Brillant, even.
Admin
best WTF in months, this one really made me say it out loud.
Admin
I usually go for the code first so it took me more than a second, but I get it now.
Admin
I guess that's not completely nuts. Annoying, but not actually insane.
Admin
Ahhh, this made my day!
Admin
I wonder if automated password guessing scripts will execute this script before feeding password tries to the server?
Admin
I respectfully disagree --- a real WTF would not be commented. You have to be left wondering "Why??!?".
Admin
The comment just adds to the mystery. Even with the explanation I am left asking "Why??!?" Did the original developer think this was a good idea?
Admin
This looks like a poor man's "two factor authentication" to me.
Admin
Ahh, that's why I have to login into confluence twice!
Admin
this is how some "clever" mail server software works to avoid spam --> Greylisting
Admin
Congratulations!
You won!
https://medium.com/@mad_edward_viii/open-letters-to-mr-david-hogg-v0-0-1-afc797d50cd6
(this is going to work for sure .... #! ;)
Admin
That is at least 2x more secure. But for serious security you have to ask for the password at least 4 times. 'cause some people are lucky.
Admin
It would not be completely insane if at least the code compared the two versions of the password.
Admin
Oops, it probably implicitly does it.
Admin
Here's a guy who (probably from experience driven by his own poor decisions) believes "security" is equivalent to "make things as inconvenient as possible whether the user's legit or not".
Admin
https://github.com/OrbitalEngineers/April-1-Too-Ate-Teen-Committee
Admin
"If at first you don't succeed, try, try again. Then quit. There's no point in being a damn fool about it."
Admin
You of course mean https://twitter.com/olearykm/status/903799623952805889
Admin
Don't click or copy links!
XSS is dangerous!
PS: Google sucks!
Admin
This is lame even for a "wish it was two factor authentication" :)
Admin
No, this is pretty far from anything sane. It is annoying as hell for the user that is constantly being told that he isn't capable of typing his password right the first time. That alone would make people less interested in using this application if they can choose it (congratulations on driving users away!), and they set up easy passwords in the hope that they'll be recognized as typed right the first time (congratulations on ensuring easily crackable passwords like 'qwerty1').
The other details provided, like preventing password managers from doing their job of making it easy for you to have actually secure passwords, show how much of a moron the original programmer was. This double authentication isn't a simple annoyance. It's another symptom of how much his brain is disconnected from common sense when the subject is security.
Incidentally I have been through something similar from Yahoo Mail a couple of years ago. Eventually, through experimentation, I discovered that I was authenticated the first time (but still shown a login page), so I could just hit mail.yahoo.com in the address bar and I would be shown my inbox.
It is stupid. It is calling your users a bunch of morons incapable of typing a correct password. Thankfully they changed it after a few months.
Admin
https://twitter.com/ha_king_on_hi/status/978271829637894144
I really do like the Dayak people. What noble beauty, untouched by the horrors of technological modernity.
Admin
Two-factor authentication? It is really just the same factor, twice.
Admin
https://twitter.com/one_totem/status/978285719067222016
Admin
Ah, but it is. A fairly common phishing attack is to gather username and password in the black-hat site, then redirect to the actual site.
This trick of demanding the password twice trains users to ignore rejection of correct credentials. That makes phishing easier.
No good. Not at all.
Admin
I think (read: hope) that the Authenticate() function checks to see whether it's the correct password.
So you have to answer the correct password twice, in case you happened to guess the correct password once.
Admin
Funny (not really) thing is -- I once used similar code construction to steal passwords. All you need to do is add a line or two to store the name/password combo on the first try, then on the second try let the user log in.
And for the NSA/FBI/CorporateIT nimwits reading this "confession," maybe I didn't actually deploy the code. Or maybe I did it before it was illegal. Or maybe I don't even exist.
Admin
I have an idea!
Let's call up Comey, and tell him to dox everyone at those marches!
Chances are, he did so already!
It's not like it's going to trigger an alien invasion! It's more likely the Communist military that every liberal in Silicon Valley whacks it to will kidnap us first, carve out our brain, and transplant it in some clone army!
No! Not for invasion! That's just silly! For the foreign aid donations to lie to the UN! That way, we can get all the organs for dear leader and Smart Businessman Xi that is required!
To hell with trade wars! Let's start growing organs in people! I think I can do it with Wifi! Pacemaker or no pacemaker!
Admin
TheRealWTF(tm) is that it says "authorized" when every web developer should know that authentication and authorization are entirely different things.
Admin
Let's give the aliens h i v E mind
https://medium.com/@mad_edward_viii/what-the-smartest-guys-in-the-room-forgot-to-tell-you-1c954dd30afe
Admin
That actually is a fairly brilliant way to screw with brute force attacks...
Admin
The real bonus of this feature is to exercise the "forgot password" system more thoroughly.
Admin
“It's so bad it's not even wrong.” -- Enrico Fermi
Admin
More bonus points if the forgot password functionality is to send a temp password.
Admin
it's called Bazooka and we all used it dude. 2004 is calling its hacker tools..
Admin
Bazooka? 2004 is calling and wants its "hacking" tools back.
Admin
I once did something like this, with a twist: the second time entering the password required a different password. This was for my personal use, I was the only authorized user, and I was concerned about shoulder surfing. Anyone seeing my password succeed could try it and it would not work.
So, my system was measurably better than the one in this article.
I was eleven years old.
Admin
somehow this made me think of a silly old comic strip: someone sees a sign that says "will print anything on your t-shirt for one dollar." he takes off his shirt and runs in eagerly...then comes out looking sour-faced with a shirt that says..."anything"!
Admin
Twice-factor?
Admin
Looks like JS. Looks like it's all client side.
Just type "authorized = true;Execute()" in the console. No password needed. Also JS ought to be camelCase, not PascalCase.
Admin
Someone please stop the damn bots!!!