• bvs23bkv33 (unregistered)

    if first ShowFailureBox();

  • megamit (unregistered)

    TRWTF is the CapitalCase method names

  • Little Bobby Tables (unregistered)

    Ingenous. Brillant, even.

  • henk (unregistered)

    best WTF in months, this one really mademe say it out loud.

  • Omego2K (unregistered)

    I usually go for the code first so it took me more than a second, but I get it now.

  • Robert Morson (google)

    I guess that's not completely nuts. Annoying, but not actually insane.

  • W (unregistered)

    Ahhh, this made my day!

  • LCrawford (unregistered)

    I wonder if automated password guessing scripts will execute this script before feeding password tries to the server?

  • dpm (unregistered)

    I respectfully disagree --- a real WTF would not be commented. You have to be left wondering "Why??!?".

  • William F (unregistered) in reply to dpm

    The comment just adds to the mystery. Even with the explanation I am left asking "Why??!?" Did the original developer think this was a good idea!

  • Bob (unregistered)

    This looks like a poor mans "two factor authentication" to me.

  • My Name (unregistered)

    Ahh, that's why I have to login into confluence twice!

  • giammin (unregistered)

    this is how some "clever" mail server software works to avoid spam --> Greylisting

  • veetle (unregistered)

    Congratulations!

    You won!

    https://medium.com/@mad_edward_viii/open-letters-to-mr-david-hogg-v0-0-1-afc797d50cd6

    (this is going to work for sure .... #! ;)

  • A Robot (unregistered)

    That is at least 2x more secure. But for serious security you have to ask for the password at least 4 times. 'cause some people are lucky.

  • Maurizio (unregistered) in reply to Robert Morson

    It would not be completely insane if at least the code compared the two versions of the password.

  • Maurizio (unregistered) in reply to Maurizio

    Ops, it probably implicitly does it.

  • Chronomium (unregistered)

    Here's a guy who (probably from experience driven by his own poor decisions) believes "security" is equivalent to "make things as inconvenient as possible whether the user's legit or not".

  • howdilyho (unregistered)

    https://github.com/OrbitalEngineers/April-1-Too-Ate-Teen-Committee

  • Trust Me I'm Not a Robot (unregistered)

    "If at first you don't succeed, try, try again. Then quit. There's no point in being a damn fool about it."

    • W .C. Fields
  • dpm (unregistered) in reply to Chronomium

    You of course mean https://twitter.com/olearykm/status/903799623952805889

  • howdilyho (unregistered)

    Don't click or copy links!

    XSS is dangerous!

    PS: Google sucks!

  • Pista (unregistered) in reply to Bob

    This is lame even for a "wish it was two factor authentication" :)

  • Smash (unregistered) in reply to Robert Morson
    I guess that's not completely nuts. Annoying, but not actually insane.

    No, this is pretty far from anything sane. It is annoying as hell for the user that is constantly being told that he isn't capable of typing his password right the first time. That alone would make people less interested in using this application if they can choose it (congratulations on driving users away!), and they set up easy passwords in the hope that they'll be recognized as typed right the first time (congratulations on ensuring easily crackable passwords like 'qwerty1') .

    The other details provided, like preventing password managers from doing their job of making it easy for you to have actually secure passwords, show how much of a moron the original programmer was. This double authentication isn't a simple annoyance. It's another symptom of how much his brain is disconnected from common sense when the subject is security.

    Incidentally I have been through something similar from yahoo mail a couple years ago. Eventually through experimentation I discovered that I was authenticated the first time (but still shown a login page) I could just hit mail.yahoo.com in the adressbar and I would be shown my inbox.

    It is stupid. It is calling your users a bunch of morons incapable of typing a correct password. Thankfully they changed it after a few months

  • you_belong_to_me_now (unregistered) in reply to howdilyho

    https://twitter.com/ha_king_on_hi/status/978271829637894144

    I really do like the Dayak people. What noble beauty, untouched by the horrors of technological modernity.

  • (nodebb) in reply to Bob

    Two-factor authentication? It is really just the same factor, twice.

  • you_belong_to_me_now (unregistered)

    https://twitter.com/one_totem/status/978285719067222016

  • Oliver Jones (google) in reply to Robert Morson

    I guess that's not completely nuts.

    Ah, but it is. A fairly common phishing attack is to gather username and password in the black-hat site, then redirect to the actual site.

    This trick of demanding the password twice trains users to ignore rejection of correct credentials. That makes phishing easier.

    No good. Not at all.

  • tbo (unregistered) in reply to Maurizio

    I think (read: hope) that the Authenticate() function checks to see whether it's the correct password.

    So you have to answer the correct password twice, in case you happened to guess the correct password once.

  • Carl Witthoft (google)

    Funny (not really) thing is -- I once used similar code construction to steal passwords. All you need to do is add a line or two to store the name/password combo on the first try, then on the second try let the user log in.
    And for the NSA/FBI/CorporateIT nimwits reading this "confession," maybe I didn't actually deploy the code. Or maybe I did it before it was illegal. Or maybe I don't even exist.

  • Carl Witthoft (google)

    Funny (not really) thing is -- I once used similar code construction to steal passwords. All you need to do is add a line or two to store the name/password combo on the first try, then on the second try let the user log in.
    And for the NSA/FBI/CorporateIT nimwits reading this "confession," maybe I didn't actually deploy the code. Or maybe I did it before it was illegal. Or maybe I don't even exist.

  • you_belong_to_me_now (unregistered)

    I have an idea!

  • death_by_bots (unregistered)

    I have an idea!

    Let's call up Comey, and tell him to dox everyone at those marches!

    Chances are, he did so already!

    It's not like it's going to trigger an alien invasion! It's more likely the Communist military that every liberal in silicon valley wacks it to will kidnap us first, carve out our brain, and transplant it in some clone army!

    No! Not for invasion! That's just silly! For the foreign aid donations to lie to the UN! That way, we can get all the organs for dear leader and Smart Businessman Xi that is required!

    To hell with trade wars! Let's start growing organs in people! I think I can do it with Wifi! Pacemaker or no pacemaker!

  • TheRealWTF(tm) (unregistered)

    TheRealWTF(tm) is that it says "authorized" when every web developer should know that authentication and authorization are entirely different things.

  • comey (unregistered)

    Let's give the aliens h i v E mind

    https://medium.com/@mad_edward_viii/what-the-smartest-guys-in-the-room-forgot-to-tell-you-1c954dd30afe

  • ZZartin (unregistered) in reply to Little Bobby Tables

    That actually is a fairly brilliant way to screw with brute force attacks...

  • Tim! (unregistered) in reply to ZZartin

    The real bonus of this feature is to exercise the "forgot password" system more thoroughly.

  • FormalWare (unregistered)

    “It's so bad it's not even wrong.” -- Enrico Fermi

  • ZZartin (unregistered) in reply to Tim!

    More bonus points if the forgot password functionality is to send a temp password.

  • duplex (unregistered) in reply to Carl Witthoft

    it's called Bazooka and we all used it dude. 2004 is calling it's hacker tools..

  • duplex (unregistered) in reply to Carl Witthoft

    Bazooka ? 2004 is calling and wants it's "hacking" tools back.

  • duplex (unregistered) in reply to Carl Witthoft

    Bazooka ? 2004 is calling and wants it's "hacking" tools back.

  • Lorens (unregistered)

    I once did something like this, with a twist: the second time entering the password required a different password. This was for my personal use, I was the only authorized user, and I was concerned about shoulder surfing. Any one seeing my password succeed could try it and it would not work.

    So, my system was measurably better than the one in this article.

    I was eleven years old.

  • eric bloedow (unregistered)

    somehow this made me think of a silly old comic strip: someone sees a sign that says "will print anything on your t-shirt for one dollar." he takes off his shirt and runs in eagerly...then comes out looking sour-faced with a shirt that says..."anything"!

  • Ipsum (unregistered) in reply to Nutster

    Twice-factor?

  • JSMan (unregistered)

    Looks like JS. Looks like it's all client side.

    Just type "authorized = true;Execute()" in the console. No password needed. Also JS ought to be camelCase, not PascalCase.

  • bot invasion (unregistered)

    Someone please stop the damn bots!!!

Leave a comment on “Authentication Failure”

Log In or post as a guest

Replying to comment #:

« Return to Article