• Erwin (unregistered)

    Public information such as the first name of a sibling is not very secure, so you can make up anything as long as you can recover from memory or encrypted storage what you answer here.

  • DQ (unregistered)

    I have three siblings and all of their names contain only four characters. I guess I'm in trouble.

  • huppenzuppen (unregistered)

    I don't get the first one. Is 10 characters not enough? What's wrong with 0xdeadbeef, it's exactly 10 characters? Is it that they allow non-numeric input? That's quite common, e.g. my own house number is 10a.

  • Jason Stringify (unregistered)

    Closest sibling: Bob Mother's maiden name: Cox Favourite colour: Red City of birth: Ely Name of first pet: Max

    Looks like I'm not going to be getting through the validation today...

  • Oneway (unregistered)

    The first entry is not really a WTF. It is incredibly difficult to make correct assumptions about person names and street addresses, especially when you have to cater to the enormous diversity you find in an international clientele. It seems like the first site was at least trying.

    See also https://github.com/kdeldycke/awesome-falsehood?tab=readme-ov-file . Especially the entries for human identity and postal addresses.

  • (nodebb)

    Was anyone else confused for a moment by Sainsbury/Argos' request that we show their email to a colleague? Why would my coworkers care about my grocery order?

    Even after figuring out that "colleague" likely refers to someone who works at the store, that person still isn't my colleague. It's literally a client-server relationship.

  • Bart (unregistered) in reply to huppenzuppen

    The 0xDEADBEEF indicates memory corruption at the address it's reading...

  • (nodebb)

    @Bart: Not quite. The actual bit pattern represented by the 4 bytes we encode into ascii/unicode as "0xDEADBEEF" indicates memory corruption. The unicode sequence number zero, lower case x, uppercase D, uppercase E, ..., etc. is a completely different bit pattern. And at least 10 bytes long, not 4.

  • OldCoder (unregistered) in reply to huppenzuppen

    The original entry, "12345678901", is in fact 11 characters, so he changed it to 0xDEADBEEF, which is 10.

  • Kleyguerth (github)

    TRWTF are security questions. They are passwords with a hint to the attacker about its own structure.

    The first one is not a WTF. Even though the real life "house ID" is commonly called a "house number", letters in it are not that uncommon. A limit of 10 seems reasonable, you have to have A limit so that no one submits a 10gb house number and there's no reason to pick the exact real life maximum. I personally know house numbers that are 5 long... 6 doesn't sound absurd, so might as well use the next nice round number: 10.

  • MRAB (unregistered) in reply to huppenzuppen

    Sometimes a house will have a name instead of a number.

  • richarson (unregistered) in reply to Kleyguerth

    Kleyguerth dixit: "TRWTF are security questions. They are passwords with a hint to the attacker about its own structure."

    And the second RWTF would be answering security questions truthfully.

    I really hope Mark T.'s sibling's name is not Alan...

  • Loren Pechtel (unregistered)

    I've seen addresses with names, no numbers. I've seen complex unit numbers (building/floor/unit). There is only one acceptable format for addresses: a string. You can validate matching stuff against databases but that's it and only suggest answers. We live in a house with a perfectly ordinary address--except some databases validate it to be #### West ***** and some validate it to #### *****. (Omitting the direction does not cause any ambiguity, the street does not exist in the east.)

    And curses upon the constrained security question people. Before I married my wife her longest name was 4 characters and her full name was only 9--or 3 if rendered in her native alphabet. And curses upon the questions that check the values against a list and do not permit a null answer.

  • (nodebb)

    Ah yes, Napalm Records - home of Scotland's best Pirate Metal band..!

  • (nodebb) in reply to Oneway

    When you try to do cleansed address input and fail this badly (too high likelihood of legitimate addresses not fitting their simplistic format), it /is/ a WTF. >10-character "house numbers" are not unimaginable, I'm sure there are some in the address information I'm currently looking at migrating from one system to another, and this is far from the largest dataset I've ever had to wrangle.

    As for TimR at Sainsbury/Argos, I think there's a good chance that the first element (Collection barcode) is simply a Code-128 barcode for the second element (Collection number), so it's likely not 3FA on the customer. The whole thing might even be reasonable if the 2FA is to prevent/reduce theft by employees who can presumably see the collection numbers on the items waiting for collection, if the collection code is something they can't see in the system but have to enter correctly to prove that someone other than the employee themselves presented to collect. But that's hopeful optimism, not fact.

    And yes, prefabricated security questions like the examples here are and always will be a WTF, even bigger than forced maximum 30 day lifespans for passwords.

  • (nodebb) in reply to Erwin

    My brother is called dY3VpfA7 and his name changes across each web site.

  • (nodebb) in reply to DJSpudplucker

    And the creators of Scotland's other national anthem, the charming ditty about anchors.

  • Klimax (unregistered) in reply to Kleyguerth

    Reminds me of Irish address that had house number "Stone house"...

  • COBOL Dilettante (unregistered)

    I think the WTF about the address is that the developer has clearly noticed that street address indices are complicated and not always numbers of the expected type - but they haven't worked out the logical conclusion, which is "Why even bother capturing the street 'number' as a separate data item from the rest of the address?"

  • (nodebb) in reply to Bart

    Uninitialized memory on the IBM RS/6000 computer was set to 0xDEADBEEF. Apparently, some IBM engineers had a sense of humor.

  • Patrick (unregistered)

    If you think there is a WTF in the name, think again. Name validation is hard. Extremely hard. Read this: https://shinesolutions.com/2018/01/08/falsehoods-programmers-believe-about-names-with-examples/

  • Loren Pechtel (unregistered)

    Initializing to 0xDEADBEEF is a good safety precaution for languages that don't prohibit referencing unassigned values. It's a value very unlikely to occur in normal operation, thus if you find the value anywhere in your data you probably have an uninitialized variable being used somewhere. As a programmer who has used such languages I would say thank you to said engineers.
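The detection idea in the comment above (if the fill value turns up in your data, something was read before it was written) as an added example; this is not code from the thread or from IBM. The memory dump is constructed inline: a four-word record of which only two words were ever assigned, so the other two still hold the allocator's fill pattern.

```python
"""Find the 0xDEADBEEF fill pattern in a dumped buffer.

Added example (not from the thread). The dump, the record layout and the
little-endian word order are all constructed assumptions for the demonstration.
"""
import struct

POISON = 0xDEADBEEF
FILL_WORD = struct.pack("<I", POISON)          # assumption: little-endian target


def make_dump() -> bytes:
    """Constructed: a 4-word record, allocator-filled, with only words 0 and 2 written."""
    buf = bytearray(FILL_WORD * 4)
    struct.pack_into("<I", buf, 0, 42)         # record id, assigned
    struct.pack_into("<I", buf, 8, 7)          # flags, assigned
    return bytes(buf)                          # count (4..7) and pad (12..15) never written


def poison_offsets(dump: bytes, byteorder: str = "little") -> list[int]:
    """Offsets of every aligned 32-bit word that still equals the fill value."""
    fmt = ("<" if byteorder == "little" else ">") + "I"
    hits = []
    for off in range(0, len(dump) - 3, 4):
        (word,) = struct.unpack_from(fmt, dump, off)
        if word == POISON:
            hits.append(off)
    return hits


def poison_fields(dump: bytes, layout: list[tuple[str, str]]) -> list[str]:
    """Given (name, struct format) pairs, name the fields whose bytes are all fill.

    Works for any field size by comparing raw bytes against the repeated pattern,
    so a 2-byte or 8-byte field is handled the same way as a 4-byte one.
    """
    names, off = [], 0
    for name, fmt in layout:
        size = struct.calcsize(fmt)
        expected = (FILL_WORD * ((size + 3) // 4))[:size]
        if dump[off:off + size] == expected:
            names.append(name)
        off += size
    return names


RECORD_LAYOUT = [("id", "<I"), ("count", "<I"), ("flags", "<I"), ("pad", "<I")]

if __name__ == "__main__":
    dump = make_dump()
    print("poison at byte offsets:", poison_offsets(dump))
    print("fields never assigned:", poison_fields(dump, RECORD_LAYOUT))
```

The check is heuristic in exactly the way the comment says: a field that legitimately holds 0xDEADBEEF would be reported too, which is why the fill value is chosen to be implausible as real data rather than impossible.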

  • Neveranull (unregistered)

    We used to use 0XDEADBEEF to indicate uninitialized memory, but some with a sick sense of humor used 0XDEADC0ED.

  • xtal256 (unregistered) in reply to Kleyguerth

    I see this falsehood a lot with programmers. "We want to prevent people from entering 10,000,000,000 bytes/characters/whatever so we'll put a limit on it. 10 should be enough". Why not 100 or 1000? If you're going to pick an arbitrary limit, at least pick one that's at least an order of magnitude larger than you think will be needed.

  • (nodebb) in reply to Kleyguerth

    A limit of 10 seems reasonable,

    No. It might be a name, or you might want to include an apartment block name. My official UK address looks something like this:

    Flat {{number}} {{name of block}} House
    {{name of road}} Road
    Bristol
    {{ post code }}

    The first line, which is significantly more than 10 characters, performs the role of house number in most cases. Often, I find it necessary to move {{name of block}} House to the second line because of stupid things like 10 character limits but sometimes developers assume even streets should only be a certain length. Their companies tend not to get my business.
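What Loren Pechtel, COBOL Dilettante, xtal256 and the comment above are all arguing for, as an added example (not code from the thread or from any site it discusses): the address is a short list of free-text lines with a generous bound, and there is no separate "house number" field for a letter, a name or a flat designation to fall foul of. The limits, the sample addresses and the `AddressError` type are assumptions made for the demonstration.

```python
"""Address lines as bounded free text rather than a 10-character 'house number'.

Added example (not from the thread). MAX_LINE_LEN and MAX_LINES are assumptions:
well above anything seen in real addresses, but still a hard bound for storage,
display width and request size.
"""
import unicodedata

MAX_LINE_LEN = 200    # assumption: generous, but still sizes the column and the textbox
MAX_LINES = 8         # assumption: enough for flat, building, street, locality, city, code


class AddressError(ValueError):
    """Raised for input that cannot be an address line at all (not for unusual ones)."""


def clean_line(line: str) -> str:
    """Normalise one line; assume nothing about what is inside it.

    '10a', 'Stone house' and 'Flat 12 Example House' are all just lines.
    Only control characters and absurd length are rejected.
    """
    line = " ".join(unicodedata.normalize("NFC", line).split())   # collapse whitespace
    if not line:
        raise AddressError("empty address line")
    if len(line) > MAX_LINE_LEN:
        raise AddressError(f"address line longer than {MAX_LINE_LEN} characters")
    if any(unicodedata.category(ch) == "Cc" for ch in line):
        raise AddressError("control characters are not allowed in an address line")
    return line


def clean_address(lines: list[str]) -> list[str]:
    """Drop blank lines, clean the rest, and bound the total."""
    cleaned = [clean_line(line) for line in lines if line.strip()]
    if not cleaned:
        raise AddressError("address has no lines")
    if len(cleaned) > MAX_LINES:
        raise AddressError(f"address has more than {MAX_LINES} lines")
    return cleaned


if __name__ == "__main__":
    # Constructed samples echoing the thread: a lettered number, a named house, a flat.
    for sample in (["10a", "High Street", "Example Town"],
                   ["Stone house", "Example Road", "Example Town"],
                   ["Flat 12 Example House", "Example Road", "Bristol", "{{ post code }}"]):
        print(clean_address(sample))
```

Matching against a postal database, as Loren Pechtel says, belongs after this step and only as a suggestion to the user, never as a reason to refuse the lines. The one number a developer does have to choose is `MAX_LINE_LEN`, and since (as the comment below on field sizes notes) it also becomes the column width and the textbox width, picking it once, generously, is cheaper than revisiting 10.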

  • (nodebb)

    Note to the editor

    In the address example, I was fairly easily able to identify a street in Malmö that began with H and ended in N that had the same number of characters as the obfuscated example. I just need to figure out which building is number 0xdeadbeef and I'll have the submitter's home address.

  • (nodebb) in reply to zomgwtf

    My brother is called dY3VpfA7 and his name changes across each web site.

    Interesting: your brother is named after my password.

  • (nodebb)

    @xtal256 ref

    Why not 100 or 1000? If you're going to pick an arbitrary limit, at least pick one that's at least an order of magnitude larger than you think will be needed.

    Because that number is not just a length < whatever input validation constraint. It's also (within reason) the size of the input textbox on every screen. And it's the minimum size of the output display field on every report or label or ... . And it's the size of the database field that holds it. In every database and every backup and ...

  • Mark T. (unregistered) in reply to richarson

    It's not. I just had to pick a name that was short once I saw the limitation to illustrate.
