Search - "login form"
-
So a user reported they couldn't log in to our site, so I reset their password to:
uI+ffRT7M2NAzo8uOqzf4QxO3I9tj8PJ4TS0n8zDV7I
And sent them back an email with the updated password. A few minutes later, they replied and said that password didn't work. They even tried a different web browser, etc. I tried it myself, and sure enough, it didn't work.
I spent the next several hours trying to figure out why the password didn't save properly, or why the logic didn't compare them correctly. Perhaps it was some sort of caching issue? Oh the horror.
As it turns out, the problem was a maxlength of 28 on the login form field:
<input type="password" name="password" value="" maxlength="28"/>
I don't know who wrote that code, but it sure wasn't me. -
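An added example (mine, not code from the rant) that reproduces the failure above and adds the check the ranter would have wanted: a password reset stores the full 43-character password, the browser silently truncates what is typed into a `maxlength="28"` field, and verification fails. The form HTML, the hashing helpers and the `maxlength` scanner are constructed for the demonstration.

```python
"""Constructed demo: why a maxlength on a password field breaks login,
plus a small HTML scan that flags such fields before they ship."""
import hashlib
import hmac
import os
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Constructed: the password the admin set in the rant, 43 characters long.
RESET_PASSWORD = "uI+ffRT7M2NAzo8uOqzf4QxO3I9tj8PJ4TS0n8zDV7I"

# Constructed: the field from the rant next to a corrected form.
LOGIN_FORM_HTML = """
<form action="/login" method="post">
  <input type="text" name="username" maxlength="64"/>
  <input type="password" name="password" value="" maxlength="28"/>
</form>
<form action="/login-fixed" method="post">
  <input type="password" name="password" value=""/>
</form>
"""


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hypothetical helper: PBKDF2-HMAC-SHA256, returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def simulate_browser_submit(password: str, maxlength: Optional[int]) -> str:
    """A browser drops everything past maxlength without telling the user."""
    return password[:maxlength] if maxlength is not None else password


class PasswordFieldScanner(HTMLParser):
    """Collects (name, maxlength) for every <input type="password">."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: List[Tuple[Optional[str], Optional[int]]] = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "password":
            ml = a.get("maxlength")
            self.fields.append((a.get("name"), int(ml) if ml and ml.isdigit() else None))


def password_fields_with_maxlength(html: str) -> List[Tuple[Optional[str], int]]:
    """The defect to flag: any password input that carries a maxlength."""
    scanner = PasswordFieldScanner()
    scanner.feed(html)
    return [(name, ml) for name, ml in scanner.fields if ml is not None]


def login_succeeds(maxlength: Optional[int]) -> bool:
    """End to end: reset stores the full password, the login form may truncate it."""
    salt, digest = hash_password(RESET_PASSWORD)
    submitted = simulate_browser_submit(RESET_PASSWORD, maxlength)
    return verify_password(submitted, salt, digest)


if __name__ == "__main__":
    print(password_fields_with_maxlength(LOGIN_FORM_HTML))  # [('password', 28)]
    print(login_succeeds(28), login_succeeds(None))          # False True
```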
One week, and it turned out to be worse than that.
I was put on a project for a COVID-19 program in America (The CARES Act). The financial team came to us on Monday morning and said they need to give away a couple thousand dollars.
No big deal. All they wanted was a single form that people could submit with some critical info. Didn't need a login/ registration flow or anything. You could have basically used Google Forms for this project.
The project landed in my lap just before lunch on Monday morning. I was a junior in a team with a senior and another junior on standby. It was going to go live the next Monday.
The scope of the project made it seem like the one week deadline wasn't too awful. We just had to send some high priority emails to get some prod servers and app keys and we were fine.
Now is the time where I pause the rant to express to you just how fine we were decidedly **not**: we were not fine.
Tuesday rolls around and what a bad Tuesday it was. It was the first of many requirement changes. There was going to need to be a review process. Instead of the team just reading submissions from the site, they needed accept and reject buttons. They needed a way to deny people for specific reasons. Meaning the employee dashboard just got a little more complicated.
Wednesday came around and yeah, we need a registration and login flow. Yikes.
Thursday came and the couple thousand dollars turned into tens of millions. The amount of users we expected just blew up.
Friday, and they needed a way for users to edit their submissions and re-submit if they were rejected. And we needed to send out emails for the status of their applications.
Every day, a new meeting. Every meeting, new requirements that were devastating given our timeframe.
We put in overtime. Came in on the weekend. And by Monday, we had a form that users could submit and a registration/ login flow. No reviewer dashboard. We figured we could take in user input on time and then finish the dashboard later.
Well, financial team has some qualms. They wanted a more complicated review process. They wanted roles; managers assign to assistants. Assistants review assigned items.
The deadline that we worked so hard on whizzed by without so much as a thought, much less the funeral it deserved.
Then, they wanted multiple people to review an application before it was final. Then, they needed different landing pages for a few more departments to be able to review different steps of the applications.
Ended up going live on Friday, close to a month after that fateful Monday which disrupted everything else I was working on, effective immediately.
I don't know why, but we always go live on a Friday for some reason. It must be some sort of conspiracy to force overtime out of our managers. I'm baffled.
But I worked support after the launch.
And there's a funny story about support too: we were asked to create a "submit an issue" form. Me and the other junior worked on it on a Wednesday three weeks into the project. Finished it. And the next day it was scrapped and moved to another service we already had running. Poor management like that plagued the project and worked in tandem with the dynamic and ridiculous requirements to make this project hell.
Back to support.
Phone calls give me bad anxiety. But Friday, just before lunch, I was put on the support team. Sure, we have a department that makes calls and deals with users. But they can't be trained on this program: it didn't exist just a month ago, and three days ago it worked differently (the slippery requirements never stopped).
So all of Friday and then all of Saturday and all of Monday (...) I had extended panic attacks calling hundreds of people. And the team that was calling people was only two people. We had over 400 tickets in the first two days.
And fuck me, stupid me, for doing a good job. Because I was put on the call team for **another** COVID project afterwards. I knew nothing about this project. I have hated my job recently. But I'm a junior. What am I gonna say, no? -
The Orange Juice Saga ....
I've just come off one of the stupidest calls ever.
Firstly, I am not in tech support, I'm a software developer - read the below with this in mind.
My client called up to say the system I created has been compromised. When he attempts to login, he is logged off his Windows machine.
He'd also apparently taken his PC to ***insert large UK computer superstore here***, who took £100 plus to look at the machine and conclude he needs to buy a new PC.
I remoted into his computer to see WTF was going on.
As he described, visiting my login form did log you out. In fact, whenever you pressed the "L" key you were logged out. Press the "M" key, all windows were minimized. Basically, all Windows hotkeys appeared to be active, without the need to press the Windows key.
Whilst connected to his PC I spent a good 30 minutes checking keyboard settings and came up short.
After asking all the normal questions (has anything changed on your PC, have you installed stuff lately etc.) without any useful answers I got nothing.
I then came across an article stating several presses of the Windows key in quick succession will solve the issue.
I got the client to try this, pressed the "L" key (which would have logged me off previously) and the issue was resolved.
Basically, the Windows key was "stuck", which oddly makes your PC kind of useless.
I asked the client if they'd spilt anything on the keyboard whilst working. His exact words were simply lol:
"Oh yer, yesterday, I was trying to drink a glass of orange quickly and spilt some in the corner of keyboard. I did clean it up quickly though".
Yep, the issue was due to the client spilling orange juice on their keyboard, which in turn made the Windows key stick.
Disaster averted.
A call that started with the client stating I made a system that was easily compromised (i.e. my fault), morphed into a sorry saga of cold drinks.
The client did ask why the ***superstore name*** charged him money for that and recommended a new machine. That is a good question and demonstrated some of the questionable tech support practices we see nowadays, even at very large stores.
To be fair to the client, he told me to bill him for half a day's work as it was his own fault.
When I'm able to stop myself involuntarily face palming, I'm off for a swim to unwind :) -
Fuck the incompetent and "pretentious pseudo devs" !!
I have been developing a web portal for a student club for this really big company (as intern) and then they assign this fuckin group of these 4 stupid intern devs to work with me !
They fuckin tweaked my code and redirected the CONTACT FORM to the fuckin LOGIN CONTROLLER !!
Then these sons of Einstein inserted dummy users without a username and password into the fuckin production site !!
Now each fuckin time someone submits the contact form they're redirected into some random user account !!
Who the fuck needs Hackers when we have these legendary coders -_- -
I wonder why banks are always so terribly insecure, given how much money there is up for grabs in there for hackers.
Just a while ago I got a new prepaid credit card from bpost, our local postal service that for some reason also does banking. The reason for that being that - thank you 'Murica! - a lot of websites out there don't accept anything but credit cards and PayPal. Because who in their right mind wouldn't use credit cards, right?! As it turns out, it's pretty much every European I've spoken to so far.
That aside, I got that card, all fine and dandy, it's part of the Mastercard network so at least I can get my purchases from those shitty American sites that don't accept anything else now. Looked into the manual of it because bpost's FAQ isn't very clear about what my login data for their online customer area now actually is. Not that their instruction manual was either.
I noticed in that manual that apparently the PIN code can't be changed (for "security reasons", totally not the alternative that probably they didn't want to implement it), and that requesting a forgotten PIN code can be done with as little as calling them up, and they'll then send the password - not a reset form, the password itself! IN THE FUCKING MAIL.
Because that's apparently how financial institutions manage their passwords. The fact that they know your password means that they're storing it in plain text, probably in a database with all the card numbers and CVC's next to it. Wouldn't that be a treasure trove for cybercriminals, I wonder? But YOU the customer can't change your password, because obviously YOU wouldn't be able to maintain a secure password, yet THEY are obviously the ones with all the security and should be the ones to take out of YOUR hands the responsibility to maintain YOUR OWN password.
Banking logic. I fucking love it.
As for their database.. I reckon that that's probably written in COBOL too. Because why wouldn't you. -
I used to work as an all-in-one IT guy in a company. One day I got a call from our HR team and the HR said "my Internet banking account has been hacked! It's logging in automatically!!" So I went to see the issue, and the so called "hack" was because she allowed Mozilla Firefox to save her login credentials, and because of that the login form was automatically filled. Such a stupid ass
-
*MOTHER OF FACEPALM*
I was filling up some university entrance exam form for my sister AND THEY SENT THE LOGIN CREDENTIALS IN PLAIN TEXT VIA A FUCKING SMS. The password that I JUST set myself. What the FUCK! -
Me: *spends 4+ hours refactoring existing spaghetti, ensuring components are modular, easier to test and fault tolerant*
Project manager: ...
Also me: *adds pre-loader image to register and login buttons when user submits form*
Project manager: *All excited* Awesome work. 🙌That's some nice improvement..
Like wtf dude 😳..
My takeaway: These noobs only care about what they can directly interact with -
3 rants for the price of 1, isn't that a great deal!
1. HP, you braindead fucking morons!!!
So recently I disassembled this HP laptop of mine to unfuck it at the hardware level. Some issues with the hinge that I had to solve. So I had to disassemble not only the bottom of the laptop but also the display panel itself. Turns out that HP - being the certified enganeers they are - made the following fuckups, with probably many more that I didn't even notice yet.
- They used fucking glue to ensure that the bottom of the display frame stays connected to the panel. Cheap solution to what should've been "MAKE A FUCKING DECENT FRAME?!" but a royal pain in the ass to disassemble. Luckily I was careful and didn't damage the panel, but the chance of that happening was most certainly nonzero.
- They connected the ribbon cables for the keyboard in such a way that you have to reach all the way into the spacing between the keyboard and the motherboard to connect the bloody things. And some extra spacing on the ribbon cables to enable servicing with some room for actually connecting the bloody things easily.. as Carlos Mantos would say it - M-m-M, nonoNO!!!
- Oh and let's not forget an old flaw that I noticed ages ago in this turd. The CPU goes straight to 70°C during boot-up but turning on the fan.. again, M-m-M, nonoNO!!! Let's just get the bloody thing to overheat, freeze completely and force the user to power cycle the machine, right? That's gonna be a great way to make them satisfied, RIGHT?! NO MOTHERFUCKERS, AND I WILL DISCONNECT THE DATA LINES OF THIS FUCKING THING TO MAKE IT SPIN ALL THE TIME, AS IT SHOULD!!! Certified fucking braindead abominations of engineers!!!
Oh and not only that, this laptop is outperformed by a Raspberry Pi 3B in performance, thermals, price and product quality.. A FUCKING SINGLE BOARD COMPUTER!!! Isn't that a great joke. Someone here mentioned earlier that HP and Acer seem to have been competing for a long time to make the shittiest products possible, and boy they fucking do. If there's anything that makes both of those shitcompanies remarkable, that'd be it.
2. If I want to conduct a pentest, I don't want to have to relearn the bloody tool!
Recently I did a Burp Suite test to see how the devRant web app logs in, but due to my Burp Suite being the community edition, I couldn't save it. Fucking amazing, thanks PortSwigger! And I couldn't recreate the results anymore due to what I think is a change in the web app. But I'll get back to that later.
So I fired up bettercap (which works at lower network layers and can conduct ARP poisoning and DNS cache poisoning) with the intent to ARP poison my phone and get the results straight from the devRant Android app. I haven't used this tool since around 2017 due to the fact that I kinda lost interest in offensive security. When I fired it up again a few days ago in my PTbox (which is a VM somewhere else on the network) and today again in my newly recovered HP laptop, I noticed that both hosts now have an updated version of bettercap, in which the options completely changed. It's now got different command-line switches and some interactive mode. Needless to say, I have no idea how to use this bloody thing anymore and don't feel like learning it all over again for a single test. Maybe this is why users often dislike changes to the UI, and why some sysadmins refrain from updating their servers? When you have users of any kind, you should at all times honor their installations, give them time to change their individual configurations - tell them that they should! - in other words give them a grace time, and allow for backwards compatibility for as long as feasible.
3. devRant web app!!
As mentioned earlier I tried to scrape the web app's login flow with Burp Suite but every time that I try to log in with its proxy enabled, it doesn't open the login form but instead just makes a GET request to /feed/top/month?login=1 without ever allowing me to actually log in. This happens in both Chromium and Firefox, in Windows and Arch Linux. Clearly this is a change to the web app, and a very undesirable one. Especially considering that the login flow for the API isn't documented anywhere as far as I know.
So, can this update to the web app be rolled back, merged back to an older version of that login flow or can I at least know how I'm supposed to log in to this API in order to be able to start developing my own client? -
So, the HR has made it mandatory to fill a Google form,
fill in info about yourself (name, employee ID),
your family (name, address),
and select radio buttons for symptoms like fever, cough, cold.
You must fill this form DAILY, and if you miss filling the google form, it will be Loss of pay for whole day.
Yes, so if I have contracted coronavirus, and am running a high fever, first thing I'll do is login, open a shitty ass google form and select a bunch of stupid radio buttons.
And if I'm not ill, I'll still go and fill this form every single day.
Because fuck logic. -
User: “I’ve tried hundreds of different names. How come all the usernames are registered?!😤”
Developer: ”I’m quite confident about my code. Can’t find any issue in this login form.🤔”
QA: “It passed all unit tests. We did a comprehensive testing on live server by registering all the possible names. What can go wrong?🙀” -
Warning: long read....
I got a call this morning from a client who was panicking about not being able to log in to his web panel.
So I went to the web panel and tried to log in and was just redirected back to the login page. No errors or anything (at least visible on the page). Went looking for an error_log file and found it.
It turns out there was an error showing: Disk quota exceeded.
So I went into the cPanel and checked, he used about 16GB out of 100GB and that got me confused. So I looked around and found out he was using about 510000/500000 inodes.
Went looking through FTP to see where he has so many files and try and remove some.
Well it turns out that there were about 7 injected websites (warez, online casino, affiliate one etc) and a full hacking web panel on his FTP. After detailed analysis, someone who actually built the site (I just maintain some parts) made an upload form available to the public without any checks on it. Meaning anyone could upload whatever they wanted and the form would allow it.
The worst part is that the client is not allowing us to secure the form with some sort of login or remove it completely (the best option) as it is not really needed but he uses it to upload some pdf catalogs or something.
TL; DR;
Old programmer created an upload form that was accessible to anyone on the web without adding any security or check as to what kind of files were getting uploaded. Which led to having the maximum number of inodes used on the server and the client being unable to log in.
Side note:
And ofc I had to go and fix the mess behind him again, even though he stopped working a long time ago and I started just recently and have been having nightmares of this project. -
Fucking bruteforce man. Was supposed to go sleep when got few messages from my gameserver players that their accounts have been hacked.
Checked their logs, all of their accounts have been accessed from Russia. Told them to change their passwords and they told me their previous passwords which were easy af to guess.
Dug deeper and found hundreds of thousands of failed logins in the last few hours and all of them from different ips.
Since I cant modify gamefiles on client side, the solution for now was to disable in-game registration and force player registration through the website form with captcha and also where each player's login name gets appended with a random suffix chosen by the player from a random list..
Fuck you bruteforce scriptkiddies, good luck guessing accounts now. At least I can sleep now. -
So this story is from my University days. I was in the 6th semester back then, studying CS.
My University website was pretty shitty. Basically it was one of those old ass website that said "Best viewed in IE8". Anyway, I was snooping about the website, trying to find some news regarding an event.
I logged into my account, and randomly browsed into the leave request portal. This was a basic HTML form where students could apply for leaves from the classes and see the status of the leaves, if they have been granted or not. I noticed that the link to the request portal from the student login welcome page was actually something like http://univ.com/student/index.php/..., here 1234567 was my student ID. Yep, it was hardcoded into the page, and sent as a GET request on being clicked. That was their idea of authentication I guess. I changed the student ID to someone else's, and it let me login as that person.
Long story short, I wrote a little python script to login as every person from the start of the student IDs till the end, then submit a leave request with a random dumb reason like "can't come, at the strip club" or "going for sex change operation". What I did not know was that when a request is submitted, a text message is also sent to the student's guardian's phone number. I ran the script.
That day, over 1000 parents received text messages from the University saying that their kids have applied for a leave from random date to random date for some retarded reason. It was a blast. Students were talking about how someone had "Hacked" into the system. -
Yes I believe you’re Google and I will click that link.
I don’t care that the IP you sent it from belongs to some company in India.
Probably Google outsourced its email service there.
But wait, why is this link pointing to a Chinese website?
Ouch you provided some ip under A dns record so let me nmap it...
So there’s bunch of services you have there.
ftp, ssh, msrpc, netbios-ssn, snpp, microsoft-ds, sun-answerbook ...wait what ?
Let me curl that 8888 port.
Oh you have login / password form and it’s pagoda linux panel.
Wait a second I will read about it maybe some default login / password will work...
Ok so maybe I just make a script to brute force it as you wanted to brute force my computer motherfucker. -
This is what happens to overworked PMs.
Me: When users create accounts with social logins, they don’t have passwords in our database. If they try to enter an email and pw on the login form, what do you want the error message to say?
PM: Can we add a modal that says “Your account doesn’t have a password, set one now.” And have a password field?
Me: ☠️ That…would…allow…anyone…to…hijack…an…account…
PM: Right. Never mind. -
...when users create a ticket or call support because they forgot their password. Even though there is a big 'forgot your password?'-button right below the login form.
I always wonder if they also call Google or Facebook when they forget their password on those accounts... -
"Ad targeters are pulling data from your browser’s password manager"
---
Well, fuck.
"It won't be easy to fix, but it's worth doing"
Just check for visibility or like other password managers handle it iirc: assign a unique identifier based on form content and fill that identifier only.
---
"Nearly every web browser now comes with a password manager tool, a lightweight version of the same service offered by plugins like LastPass and 1Password. But according to new research from Princeton's Center for Information Technology Policy, those same managers are being exploited as a way to track users from site to site.
The researchers examined two different scripts — AdThink and OnAudience — both of which are designed to get identifiable information out of browser-based password managers. The scripts work by injecting invisible login forms in the background of the webpage and scooping up whatever the browsers autofill into the available slots. That information can then be used as a persistent ID to track users from page to page, a potentially valuable tool in targeting advertising."
Source: https://theverge.com/2017/12/... -
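An added example (mine, not from the post, The Verge or the Princeton study) of the "check for visibility" idea the poster suggests: a static scan over page markup that lists every form containing a password field and flags the ones hidden by the `hidden` attribute or by inline CSS on the form or an ancestor. It is a heuristic only (stylesheet and script-driven hiding are not seen); the page HTML and the tracker domains are constructed.

```python
"""Constructed demo: flag password forms that are hidden in the markup,
the pattern the article attributes to autofill-scraping scripts."""
import re
from html.parser import HTMLParser
from typing import List, Tuple

# Inline-style patterns that make an element (and its subtree) invisible.
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])|left\s*:\s*-\d{3,}",
    re.I,
)
VOID_TAGS = {"input", "br", "img", "meta", "link", "hr"}

# Constructed page: one real login form, two injected hidden ones, one
# newsletter form that has no password field and should not be reported.
PAGE = """
<form action="/login" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
<div style="position:absolute; left:-9999px; top:0">
  <form action="https://tracker.example/collect" method="post">
    <input type="email" name="email"><input type="password" name="password">
  </form>
</div>
<form action="https://tracker.example/collect2" style="display:none">
  <input type="text" name="login"><input type="password" name="password">
</form>
<form action="/newsletter"><input type="email" name="email"></form>
"""


class HiddenFormFinder(HTMLParser):
    """Tracks open elements so a hidden ancestor hides the forms inside it."""

    def __init__(self) -> None:
        super().__init__()
        self.open: List[Tuple[str, bool]] = []   # (tag, hidden by its own markup)
        self.forms: List[dict] = []              # forms currently open
        self.results: List[Tuple[str, bool]] = []  # (action, hidden) per password form

    def _in_hidden_context(self) -> bool:
        return any(hidden for _, hidden in self.open)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = "hidden" in a or bool(HIDING_STYLE.search(a.get("style") or ""))
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "password": False,
                               "hidden": hidden or self._in_hidden_context()})
        elif tag == "input" and self.forms and (a.get("type") or "").lower() == "password":
            form = self.forms[-1]
            form["password"] = True
            # A password field inside a hidden wrapper counts as hidden too.
            form["hidden"] = form["hidden"] or self._in_hidden_context()
        if tag not in VOID_TAGS:
            self.open.append((tag, hidden))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)     # <x .../> opens and closes at once
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag == "form" and self.forms:
            form = self.forms.pop()
            if form["password"]:
                self.results.append((form["action"], form["hidden"]))
        while self.open:
            opened, _ = self.open.pop()
            if opened == tag:
                break


def password_forms(html: str) -> List[Tuple[str, bool]]:
    """Every form with a password input, with whether the markup hides it."""
    finder = HiddenFormFinder()
    finder.feed(html)
    return finder.results


def hidden_password_forms(html: str) -> List[str]:
    """Actions of password forms a user could never have seen or filled in."""
    return [action for action, hidden in password_forms(html) if hidden]


if __name__ == "__main__":
    for action, hidden in password_forms(PAGE):
        print(("HIDDEN " if hidden else "visible") + "  " + action)
```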
I just tried to sign up to Instagram. I made a big mistake.
First up with Facebook related stuff is data. Data, data and more data. Initially when you sign up (with a new account, not login with Facebook) you're asked your real name, email address and phone number. And finally the username you'd like to have on the service. I gave them a phone number that I actually own, that is in my iPhone, my daily driver right now (and yes I have 3 Androids which all run custom ROMs, hold your keyboards). The email address is a usual for me, instagram at my domain. I am a postmaster after all, and my mail server is a catch-all one. For a setup like that, this is perfectly reasonable. And here it's no different, devrant at my domain. On Facebook even, I use fb at my domain. I'm sure you're starting to see a pattern here. And on Facebook the username, real name and email domain are actually the same.
So I signed up, with - as far as I'm aware - perfectly valid data. I submitted the data and was told that someone at Instagram will review the data within 24 hours. That's already pretty dystopian to me. It is now how you block bots. It is not how Facebook does it either, at least since last time I checked. But whatever. You'd imagine that regardless of the result, they'd let you know. Cool, you're in, or sorry, you're rejected and here's why. Nope.
Fast-forward to today when I recalled that I wanted to sign up to Instagram to see my girlfriend's pictures. So I opened Chromium again that I already use only for the rancid Facebook shit.. and it was rejected. Apparently the mere act of signing up is a Terms of Service violation. I have read them. I do not know which section I have violated with the heinous act of signing up. But I do have a hunch.
Many times now have I been told by ignorant organizations that I would be "stealing" their intellectual property, or business assets or whatever, just because I sent them an email from their name on my domain. It is fucking retarded. That is MY domain, not yours. Learn how email works before you go educate a postmaster. Always funny to tell them how that works. But I think that in this case, that is what happened.
So I appealed it, using a random link to something on Instagram's help section from a third-party blog. You know it's good when the third-party random blog is better. But I found the form and filled it in. Same shit all over again for info, prefilling be damned I guess. Minor convenience though, whatever.
I get sent an email in German, because apparently browsing through a VPS in Germany acting as a VPN means you're German. Whatever... After translating it, I found that it asks me to upload a picture of myself, holding a paper in my hands, on which I would have a confirmation code, my username, and my email address.. all hand-written. It must not be too dark, it must be clear, it must be in JPEG.. look, I just wanted to fucking sign up.
I sent them an email back asking them to fix all of this. While I was writing it and this rant, I thought to myself that they can shove that piece of paper up their ass. In fact I would gladly do it for them.
Long story short, do not use Instagram. And one final thing I have gripes with every time. You are not being told all the data you'll have to present from the get-go. You're not being told the process. Initially I thought it'd just be email, phone, username, and real name. Once signed up (instantly, not within 24 hours!) I would start setting up my account and adding a profile picture. The right way to ask for a picture of me! And just do it at my own pace, as I please.
And for God's sake, tackle abuse when it actually happens. You'll find out who's a bot and who isn't by their usage patterns soon enough. Do not do any of this at sign-up. Or hell, use a CAPTCHA or whatever, I don't fucking care. There's so many millions of ways to skin this cat.
Facebook and especially Instagram. Both of them are fucking retarded. -
Seriously, fuck that incompetent ISP of mine.
Stores passwords in fucking plaintext. Does VoIP calling in plaintext! Passwords are sent over postal mail! Passwords are at least not sent in plain via email anymore when you want to reset them. The password reset form, "cannot contain `", "cannot contain "", "cannot contain '", "must contain a special character" because why the fuck not mess with people's password manager's password generation function over our own incompetence, right?! And showing all those errors for a single password? Eh, no. Let's just show one error that applies to whatever password you've given at that time. JUST ONE, because "reasons"! And to top it all off, when I finally made myself a nice password with some padding to remove unwanted chars and put that in my password store and on the website. THE BLOODY THING CAN'T EVEN FUCKING LOGIN?!
Now I ain't no ISP, but being a sysadmin clearly isn't a requirement when you're going to apply for work at an ISP, THAT DOES NOTHING BUT FUCKING SYSADMIN STUFF!!! Incompetent pieces of SHIT!!! -
My website's contact form got a submission from some "manjeet" offering me his freelancing services, together with previous projects, where he apparently delivered and... has a login backdoor that he advertises to others to check out?.. with credentials etc.
Also got flagged with "It contains a suspicious link that was used to steal people's personal information. Avoid clicking links or replying with personal information." -
Only touching the topic slightly:
In my school time we had a Windows domain where everyone would log in to on every computer. You also had a small private storage accessible as a network share that would be mapped to a drive letter so everyone could find it. The whole folder containing the private subfolders of everyone was shared so you could see all names but they were only accessible to the owner.
At some point, though, I tried opening them again but this time I could see the contents. That was quite unexpected so I tried reading some generic file which also worked without problems. Even the write command went through successfully. Beginning to grasp the severity of the misconfiguration I verified with other user folders and even borrowed the account of someone else.
Skipping the "report a problem" form, which would have been read at least in the next couple hours but I figured this was too serious, I went straight to the admin and told him what I found. You can't believe how quickly he ran off to the admin room to have a look/fix the permissions. -
Well on my last full-time job, that was using cookies for authentication (not something new, eh?). The thing is, you see, the cookies had the 'accountId' which if you change to another number, kaboom you're that account, oh but that was not all, there was an option to mark the account type in there 'accountType', which was kind of obvious in a VLE (virtual learning environment), 'Teacher', 'Student', 'Manager'; put any of those values and boom you are that role for the session.
The thing was open to SQL injection from the login form, from said cookies and from every part you can pass input to it. When I raised the question to my TL he said 'no one is going to know about that, I don't see what is the problem', then escalated to higher management: 'oh well speak to *tl_guy*'
Oh and bonus points for it being written in ASP CLASSIC in 2014+ (I was supposed to rewrite, but ended up patching ASP code and writing components in PHP)
In 2015-2016, in a private college, charging kind-of big money per year -
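An added example (mine, not code from either rant) covering both the student-ID-in-the-URL portal described a few rants up and the `accountId`/`accountType` cookie here. Both bugs are the same mistake: identity and role are read from values the client controls. The vulnerable handler below trusts the URL and the cookie; the hardened one looks the user up in a server-side session keyed by an opaque random token and takes the role from the user record. Users, request shapes and the `Request` dataclass are constructed; 1234567 is the student ID quoted in the earlier rant.

```python
"""Constructed demo: client-controlled identity (URL id + role cookie)
versus a server-side session that the client cannot edit."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed user directory: id -> (username, role).
USERS = {
    1234567: ("alice", "Student"),
    1234568: ("bob", "Student"),
    42: ("prof", "Teacher"),
}


@dataclass
class Request:
    path_student_id: int                              # the ID that appears in the URL
    cookies: Dict[str, str] = field(default_factory=dict)


class Forbidden(Exception):
    pass


def handle_vulnerable(req: Request) -> dict:
    """Trusts whatever the client sends: the URL id and an accountId/accountType
    cookie. Editing either value is enough to act as someone else."""
    acting_id = int(req.cookies.get("accountId", req.path_student_id))
    role = req.cookies.get("accountType", "Student")
    return {"viewing": req.path_student_id, "as": acting_id, "role": role}


# Hardened side: identity lives on the server, keyed by an opaque random token.
SESSIONS: Dict[str, int] = {}


def login(user_id: int) -> str:
    """Issues a session token after authentication (assumed to have happened)."""
    token = secrets.token_urlsafe(32)   # unguessable and carries no data itself
    SESSIONS[token] = user_id
    return token


def handle_hardened(req: Request) -> dict:
    user_id: Optional[int] = SESSIONS.get(req.cookies.get("session", ""))
    if user_id is None:
        raise Forbidden("not logged in")
    _, role = USERS[user_id]          # role comes from the server, never the cookie
    # Authorization check that the portal in the rant lacked: a student may only
    # open their own record, whatever ID the URL carries.
    if role != "Teacher" and req.path_student_id != user_id:
        raise Forbidden("students may only view their own record")
    return {"viewing": req.path_student_id, "as": user_id, "role": role}


def is_allowed(req: Request) -> bool:
    try:
        handle_hardened(req)
        return True
    except Forbidden:
        return False


def demo() -> Tuple[str, bool, bool, bool]:
    """Returns (role the vulnerable handler granted, other-student view allowed,
    own view allowed, staff view allowed) for the hardened handler."""
    tampered = {"accountId": "1234568", "accountType": "Teacher"}
    escalated = handle_vulnerable(Request(1234568, tampered))["role"]
    tok = login(1234567)
    other = is_allowed(Request(1234568, {"session": tok, "accountType": "Teacher"}))
    own = is_allowed(Request(1234567, {"session": tok}))
    staff = is_allowed(Request(1234568, {"session": login(42)}))
    return escalated, other, own, staff


if __name__ == "__main__":
    print(demo())   # ('Teacher', False, True, True)
```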
Ffs people get the fuck out off that Gitlab. I've been there sooner than you, now can't even load the login form.
-
One of my classmates was working on a login form, and the fucker handtyped a 100+ character email validation regex but forgot to add a check to make sure no fields were blank.
It was funny when I was able to create an account with no username, breaking his website, and even funnier when I told him html forms have a built-in email pattern -
This is the last part of the series
(3 of 3) Credentials everywhere; like literally.
I worked for a company that made an authentication system. In a way it was ahead of its time as it was an attempt at single sign on before we had industry standards, but it was not something that had not been done before.
This security system targeted 3rd party websites. Here is where it went wrong. There was a "safe" implementation where users were redirected to the authentication system and back.
However, for fear of being too hard to implement, they made a second method that simply required the third party site to put up a login form on their site and push the input on to the endpoint of the authentication system. This method was provided with sample code and was the only solution that was ever pushed.
So users were trained to leave their credentials wherever they saw the product's logo; awesome candidates for phishing. Most of the sites didn't have TLS/SSL. And the system stored the password as plain text right next to the email and birth date, making the incompetence complete.
The reason for plain text passwords was so people could recover their password. Like, just call the company convincingly frustrated and you can get them to send you the password.
-
When you're a hardcore web developer, the only 'action' you .get() is when you're writing a login form scraper for your three-legged oauth flow in Python
-
Client wants a webapp where every label on all form inputs are configurable, even the fucking login form ("Login" and "Password" text)
They also want it to send emails where the message is configurable too (they can insert your own HTML)
so basically they want the entire fucking webapp to be configurable, all without requiring any code change.
I could use a "configurable" torture device right now.
-
I once agreed to maintain and develop an application used in a different section of the school to keep inventory and make sure everything is where it is supposed to be.
At first there was enthusiasm, together with 2 of my classmates we agreed and git clone-d the .NET application that now graduated students built and maintained for the past few years. What could go wrong right?!
It became clear that the original students that worked on it followed an older curriculum, meaning they still got taught .NET instead of the core variant that we get now, not only that but it also seemed that they either did not fully grasp the Clean/Onion architecture or didn't get it in class since there were infrastructure components in the 'Domain' project of the solution. Think of 2 DBContexts in the domain model, yep.
One of us bailed in the first week, the other one and I felt bad for the people using the app so we went on and tried to work on the first bugs that were described in a document. One of these bugs was 'whenever I filter on something in the list, everybody gets to see that filter on their screen instead of only me'. Woah that's weird! Let's see how they put that together!
Oh god, they are using a _static_ variable to store filters, no wonder that it doesn't work properly. Ever heard of sessions?!
Second bug: Sometimes people can't create an account when we sign them up from the admin panel. Alright that is weird, let's figure that one out! Wait a second it seems to work in development? What's this about.
Oh wait I can't create an account on production either? Oh that's weird, wait a second... Why do I have to put my e-mail in a form that was sent to me through e-mail? Why is my address not filled in already? OOH, if someone types in the wrong e-mail address (which is easy since our school has 4 variants of the same f*cking e-mail address) it won't work since it can't recognize the user! Brilliant! Remove e-mail input box and make a token/queryparam determine the user account.
Ah that seems good, it's a mess but it seems a tiny bit better now, great! We're making progress and some sweet buck.
Next bug, trillions of 50x errors on random pages, that's a weird one.
Hm everything works in development, that's odd. Is the production data corrupted?
DID I MENTION that in order to get into the system in development we have to load in a f*cking production database backup ON OUR DEVELOPMENT MACHINE and then ask one of the users' password to login to it and create an account for ourselves? Seeding? What's that, right?!
Anyway, back to bug fixing. I e-mail the people responsible for the app and get a production admin account, oh I also can't ssh into it because of policies so I have to do everything over e-mail and figure out what's causing the errors. I somehow also wonder if they have any kind of virtualization in place, giving students a VM to do that stuff in doesn't seem so weird, does it? Even with school policies?
Oh btw, 'deploying' means sending a .zip file to a guy in another building and telling him how to configure it, apparently this resulted in a missing folder that the application needed to work and couldn't make on its own. This after 2 weeks of e-mailing back and forth.
After 3 months I quit out of despair and sadness, and due to the fact that I just couldn't do it anymore. I separated everything into logical subprojects and let the last guy handle it, he was OK with that and understood why I left.
Luckily, around that time I already had an actual job at a software development company :)
-
Internal mail from CIO's office:
"Thank you for being part of the internal trial for NPMe, we have decided to remove this tool in favour of Artifactory because of its support for multiple platforms and tools. We are sorry for the inconvenience, here is a link to migration scripts ..."
Migration "script" readme: please clone this repo, create file A and B, and install these 2 dependencies.
Dependency 1:
- "install via homebrew ..."
- .... homebrew needs to update, checking for updates
- 10 mins later = Update failed, please upgrade to Ruby version 2.3
- Installs ruby version manager
- GPG signature verification failed
- Install GPG v2 + accept keys
- Install ruby version manager
- "please execute this command before running rvm"
- execute command
- "rvm install ruby-2.3"
- Install failed, please see log file
- Opens log file
- "Xcode on its own is not sufficient, please install xcode cli tools"
- Install xcode tools
- 5 minutes later -> "rvm install ruby-2.3"
- 10 minutes later "brew install jq"
Ok back to the readme, "login to Artifactory, go here and copy paste XXX."
- Login to Artifactory
- Eventually find repo
- Login again to actually see credentials for some reason
- Screen doesn't match instructions in readme
- Click around
- Back to readme
- Back to artifactory
- Login again
- Execute command auth / setup command
- Copy contents to npmrc file .... now all my scoped packages are going to point to 1 specific repo
Fuck the migration, fuck these shitty instructions, I'll set them all up again manually. See tags below for further opinions on this matter.
fuck ruby fuck homebrew fuck this fuck shitty cli fuck artifactory fuck cli fuck jq fuck rvm
-
FUCK!
After submitting a registration form I noticed the site is served over plain HTTP. Their marketing site is served encrypted, but login and register are not! What the fuck!!!
Fuck everyone who does this stupid fucking shit with disregard to basic security features! Their goddamn bullshit privacy policy is bragging about how it's top priority to protect their customers' information and shit like that. Get the fuck out, cunts!!
I contacted them so I might have a continuation to this rant if I'm not satisfied with their answers.
Goddamn it!
-
My very first rant here was about the mess of ticket submission and ticket tracking applications we use, and about how we were moving to a single unified system some day.
Well, that day is today. And, predictably, it went horribly wrong.
So the way it's supposed to work is people login to the portal, search for what they want to request, then fill in details and submit. It creates a request ticket assigned to the appropriate team. (The old way involved a bunch of nonsense that you can see in my first rant).
The thing is, I found out about this today, when I got a company-wide email saying the new system was live as of this morning. None of us knew it would happen today. Not that I could've foreseen any issues just by getting the announcement early, but still, usually people find out about these things beforehand.
So, ecstatic to finally be rid of the old ticket tracking system, I log into the new system and look for our request form, which is, of course, not there. I check the old system and see that they combined every single "general request" into a single request where you pick which team the request goes to.
So I finally find the right request, pick the right department from the drop-down, and see that the request looks much better than it did on the old system. Out of curiosity, I look at the list of people who are part of that department.
I am not on the list.
My ENTIRE TEAM is not on the list.
Because they migrated the team data to the new system a year ago, when the issue tracking/reporting portion of it went live. My current team was hired approximately six months after that and apparently updating the team data in the new system isn't part of our Onboarding process yet.
So... Bright side is I guess I will have a lot of free time soon since nobody can submit new project work to my team?
tl;dr: they took a great software product and implemented it so poorly that our team can't use it.
-
That feeling when someone in marketing insists that an unauthenticated user seeing a login form when trying to access a secure view is "too confusing".
-
When not logged in, twitter.com opens a welcome message and a login form. twitter.com/login opens a login page with a "remember me" check box so you can stay logged in.
Twitter doesn't seem to want visitors to their homepage to come back very easily.
-
As I am working with WordPress for the really first time I am making horrible experiences now.
My client wants a simple submenu on the sidebar if the user is logged in, else he wants the login form to be there. Easy peasy, done with php and just good old plain html. Maybe some JavaScript to make the login process asynchronous.
But fucking bitch - NO. As I found out after searching and digging, I have to create a menu in wp-admin first. Then add a menu-widget to the sidebar. And then install a plug-in to make the links only visible for logged in users. Wtf?
WordPress takes all the joy out of doing web development for me. I won't do that anymore. I will force all new clients to use proper tools to make their shit work for them. And as I am the expert in these things I am the one who suggests the right tool.
Fuck this shit.
-
!rant
Skip away if you have zero interest in CurseMeSlowly's personal craps.
These days I am either slacking or working on things I like. Hence the lack of ranting.
So one of those "working-on-things-I-like" activities is my slow and snaily collab project. 😅 Today I am aiming to accomplish like 0.1% of it 😆 by finishing the github login feature. I have done the OAuth part. Just left with designing table structures and storing user data.
I plan to save login credentials into *users* table and other app related data into *profiles* table. That's what we usually do with users and profiles anyway. But I'm still having a little bit of doubt regarding the proper way to store the game statistics like user's health, user's experience level etc.
If I am just showing the current statistics on the app, then those 2 tables are enough. But what if we want to see the progress of a user? hmm 🤔
I guess I will just leave it to decide later. 😬
---
If you don't know about it please check here https://cursemeslowly.github.io/dev... Any form of contribution is warmly welcome 🤗
-
fucking zoho and their fucking sign up and authentication process.
they need a mobile phone number for the sign up, alright fine, I provide. But after submitting the form, nothing fucking happened and I am redirected to the initial sign up page. Fuck you.
Try again and guess what, it said my phone number is already used and I can try to sign in with it. Ok alright, I try to sign in using my number and my password. Guess what? I am redirected back to the initial sign up form page. Fuckkkkkkkkkk.
I try again with another number. And then this time, guess what? It said the fucking email already exists. Jesus fucking fucking christ.
browse around their help desk and found this. https://help.zoho.com/portal/kb/...
Sure I follow the advice and guess what? Yeah I'm redirected back to the FUCKING GOD DAMN same page again.
I gave up and wanted to send them a reply on their help desk and try to log in using one of my other existing zoho accounts. GUESS WHAT? THEIR HELP DESK LOG IN IS NOT WORKING. ARRRRRRRRRRRRRRRRRRRRRRRRRRRRRR.
I click "Sign In". A Login as User or Login as Agent dropdown appears. I click Login as User since my user account is already logged in. Nothing happened. It flashed and I am back at the help desk thread with no changes. It is still "Sign In" at the top. I fucking give up.
-
Been getting a lot of troll / clown / clueless (?) comments on my posts recently. Select favorites include:
"Why do you have a login form on your website?" wut
"Why didn't you throw away that API key?" wut
"Why do you even need to access your apps' servers?" wut
There are just SO many amazing devs here who have NEVER had do any of those things, I'm quite literally an idiot and don't know what I'm doing, sorry for my ignorance. I'd forgotten that there is only exactly one way to build software, I wish I'd done it "that" way sooner! Foolish me.
Really not sure if trolls, clowns, or clueless. Don't care. 🤡🤡🤡
-
So some asshole keeps sending phishing emails to every student and prof in our university and the IT department is too pathetic to block it. They all come from the same email and contain the same text yet they can't filter it and just send warnings not to click it.
I'm getting sick of receiving 5 of these a day, I scanned and viewed the page and it's just a simple form copying the outlook login page with a redirect to the actual page after submission.
What's the easiest way to write a script that will spam them with thousands of fake accounts? How can I fuck with these guys?
-
1. A login window or form appears
2. Enter username
3. Enter p-
4. Another application STEALS THE FUCKING FOCUS
5. Enter half of the (or the whole) password in the app that stole the focus and press Enter by mere inertia
Or this variant:
4. The username field gets autofocused
5. Enter the password in the username field, out in the clear for everyone to see
DON'T YOU STEAL ME FOCKING FOCUS MATE
-
Can we stop that trend of only showing the username field and then show the password field after filling the username clicking next? It messes with my Keepass browser addon.
Apart from that, it messes with human workflow as well. Enter Username -> TAB -> Enter Password -> ENTER. With that stupid UI you have to either focus the next button with Tab and hope hitting Enter does not already submit the login form or switch to mouse and click the Next button.
-
Why do so many fucking websites have the signup form on the start page but you have to click in the menu to get to the login?!
I signup only once but I have to fucking log in every single time I go to the page!!!11
Annoying...
-
I was trying to check a purchase I made on the store's website, so I tried to login, but I can't?? Like, I fill the form and press login, and it doesn't? Log in??? What the actual fuck, how are you supposed to do anything like that. Isn't the login page the first thing they make? How doesn't it work? How is this website still active??
-
Protip: proposing a "simple yet beautiful" login form on Bootsnip with absolutely no knowledge of Bootstrap whatsoever, making it not responsive and centering it with hardwritten margins (such as: 'margin-left: 170px'), AND THEN proudly display "theme developed by WhoGives AShit" at the bottom won't make you any publicity at best. At worst, I'm gonna travel to India and won't leave before I erased the code you wrote by smashing your face on the "erase" key.
-
Oh god where do I start!?
In my current role I've had horrific experiences with management and higher ups.
The first time I knew it would be a problem: I was on a Java project that was due to go live within the month. The devs and PM on the project were all due to move on at the end. I was sitting next to the PM, and overheard him saying "we'll implement [important key feature] in hypercare"... I blew my top at him, then had my managers come and see if I was OK.
That particular project overran with me and the permanent devs having to implement the core features of the app for 6mo after everyone else had left.
I've had to be the bearer of bad news a lot.
I work now and then with the CTO, my worst with her:
We had implemented a prototype for the CEO of a sister company, he was chuffed with it. She said something like "why is it not on brand" - there was no brand, so I winged it and used a common design pattern that the CEO had suggested he would like with the sister company's colours and logo. The CTO said something like "the problem is we have wilful amateurs designing..." wilful amateurs. Having worked in web design since I was 12 I'm better than a wilful amateur, that one cut deep.
I've had loads with PMs recently, they basically go:
PM: we need this obscure set up.
Me & team: why not use common sense set up.
PM: I don't care, just do obscure set up.
The most recent was they wanted £250k infrastructure for something that was being done on an AWS TC2.small.
Also recently, and in another direction:
PM: we want this mobile app deploying to our internal MDM.
Us: we don't know what the hell it is, what is it!?
PM: it's [megacorp]'s survey filler app that adds survey results into their core cloud platform
Us: fair enough, we don't like writing form fillers, let us have a look at it.
*cue MITM plain text login, private company data being stored in plain text at /sdcard/ on android.
Us: really sorry guys, this is in no way secure.
Pm: *in a huff now because I took a dump on his doorstep*
I'll think of more when I can. -
Fuck apple, and fuck xcode.
Making and running android app was a breeze.
Making and running ios app was hell.
Expectation : I should have gotten everything I need just by installing xcode and flutter.
Reality: I need to install these from the terminal: xcode command line tools, homebrew, ruby, cocoapods, firebase-cli. Also I need to manually add many things, such as the google login url into xcode project settings. Also we can't simply test run our app or install it to our device; for an iphone we own, we need to register in the apple developer program, fill a full form, blah blah blah.
When it comes to android, I only need to register an account much, much later, when I want to publish it to the playstore.
-
I need some advice, because I'm feeling like I'm getting ripped off by my company.
I'm a junior developer and this is the first company I've ever worked at. I've been here for 1 1/2 years. I said in the first interview that I am proficient with a fullstack framework for a rather niche programming language, but I don't want to do front end, because I'm not good at it and I generally don't like it.
I'm the sole coder working on a project that costs the client 100EUR/h. There are others, but they just organize the tasks I have to do. This project requires me to work with a full stack of retardation server, that's a pain in the ass, not really compatible with this project and requires hack after hack to be fixed. Finding bugs in this pile of shit often takes days of emailing around and asking for logs in hope something might pop up. I've had to scavenge through threads saying they still bleed from the anus or have PTSD because of this retarded stack. As you can imagine, I'm also responsible for all of the QA and obviously get shit for bugs. I'm supposed to remember every little detail I've done in this project at the end of the sprint, while also working on 2-3 other projects simultaneously.
I've developed some small servers with dashboard and api for apps on my own. I'm supposed to also do all of the QA so that my boss doesn't see any errors, because otherwise our clients have to be QA.
I have written a complicated chat system that is distributed across nodes. We've nearly missed a deadline of 6 days for this shit, because I've been put under pressure, because I estimated such a "large" amount of time for this.
Other things I've done include:
* Login/Registration on many projects
* Possibility to add accounts for subordinates, with a full permission system for every resource
* Live product configuration with server validation and realtime price updates
* Wallet & transaction system, dealing with purchases of said product and various other services offered on this platform
* Literally replaced the old, abandoned database framework from a project with a modern one.
I've made some mistakes during the WFH corona times, but that doesn't mean you can put more pressure on me and pull stuff like this: https://devrant.com/rants/2498161 https://devrant.com/rants/2479761
Is all of what I'm doing and have to deal with worth the 9EUR/h salary?
-
When the login form tells me that my password is too short. The password that I've manually set in the database in my local dev environment.
-
So I want to inform my internet provider of my new phone number, but I can't remember any of my login info for their web interface because I never used it. Luckily, they have a "forgot my username" function, where I submit my email address and get a confirmation that my username has been sent to me.
Yet, I just don't get said email. I try again, but to no avail. So I just guess my username and use their "forgot password" form, which – hooray! – confirms it just sent me an email.
But I don't get any email. I retry, I retry after a day, but no automatic response. I remember an incident a few years back when I didn't get some automatically generated mails from a company and decide to contact their support to see if they could just reset my password manually.
Nearly a week passes.
Now I received the answer. I just don't have an account.
Lesson learned: Next time I'll just input garbage first to check if those forms are sane. -
Ouuu today I experienced how web-devs must feel...
Task: create a form to answer questions with yes/no and a database behind it to collect stats.
So login to phpmyadmin
1. Wrong password got error message
2. No error message, still at login screen, but in address I see a token
3. There must be something wrong
4. Reinstalled phpmyadmin and mysql-server several times, wasted one hour on it - still stuck at login screen
5. Tried different browser and it fucking works!
6. Realized that cleaning cache fixed it...
-
Microsoft is fucking kidding me with the fall creators update, default onscreen keyboard is so tiny (that little black box below the login form) that the letters are rendered indistinguishable and you can hardly touch them with your finger. WTF?!?!
-
How to reproduce:
- have a single login form for admins and ordinary users
- add a second button right next to 'login' which reads 'login as admin' in order to have a separate login for them
- release a new version of software with this change solely and changelog informing about it
- have customers' admin tell you everybody is complaining about not being able to login with their admin accounts
-
My fascination for programming began around 13, when i started developing plugins for my minecraft server in java.
Had an awesome time with creating plugins for some fully custom servers with relatively large playerbases(50-200 players, depended on the time of the day).
This sparked something in me, and I started creating crap-ass "portfolio" sites for myself with php and mysql login and registration forms. After that I got into some basic c# and had fun with some cute console/form applications.
And here comes today, in the process of picking up more css, php, html, js knowledge, probably heading towards react or vue.
I just love programming to death. -
Pretty much half of what clients ask for.
But to be more specific a username on a login form instead of an email address when it already had ratelimiting lockouts implemented on an internal network. -
My pair partner and I managed to break every feature test written by our 16 strong team today while fixing a login form. Fixing other people's non-refactored rspec tests is not a pleasant experience lol
-
That disgusting moment when McDonald's wifi login form tells you that you are already logged in and yet you can't access any page except their login form one -.-
-
TLDR: I wanted to change my email to a new one, but I could not remember which one I have currently. I found an API in DevRant JS files for email verification and used it to find it out.
So, I am moving from Gmail to Protonmail Pro, absolutely love their service.
I wanted to do the same on Devrant but I could not figure out my current mail for the "I lost my password" form. My password manager has only the login saved, and the profile does not show the email address.
I thought that this user information is stored on the server so there has to be some way to retrieve it. I dug in the source code and I've found:
in source code and I've found:
`<div class="signup-title">Verify Your Email</div>`
Which has event assigned to function which uses jQuery.ajax (love it btw :D) to call:
`url: "/api/users/me/resend-confirm",`
This seems like worth a shot. Few copy-pastes and one ajax call later:
*Ding*
From: support@devrant.io
To: dawid@dawidgoslawski.pl
"Welcome to Devrant"
Got it :) So I had already changed it in March when DevRant was on the previous layout.
This is what I love in this profession - problem solving. AI will not replace humans in any way, we will just stop coding array iterations and data manipulation - we will focus on real problem solving and human touch (like design, convincing management for changes).
-
I am currently running a heavily modded version of Ubuntu 18.04. I removed gnome applications, installed xfce with sddm for my login manager, plus removed a bunch of their pre-installed applications. I mostly use AppImages and snaps for installations, occasionally using apt for packages I am too lazy to build or that are not in snap form.
I have been contemplating switching to Arch/Antergos/Manjaro. Mostly because I am crazy and heard that I could get a performance boost and I like being more in control of my own software.
My question is this, does it make sense for me to switch distros? Also, I'd like to have a close to the metal Arch install, but last time I did that I got annoyed with configuring too much from the bare bone, took me like close to an hour of setup, it was not hard, just really tedious.... Do Antergos/Manjaro have options to be really close to bare-metal? Is there maybe a really good install script that I can just tweak some basic settings for?
-
There is a project: multi step form. It has login form, text field, date, upload. It is written in jQuery, Zend and oracle. I need to rewrite. I can use my familiar jQuery, PHP skills. Or I can go for react redux, build API with Zend. The issue is that I only have 2 months. Very basic knowledge of react, redux webpack. So I need to learn and build the project. Should I go for new tech. I am not sure I can reach deadline, as there are many things to learn. Advice? If I use the new tech, how do I learn quickly?
-
Fuck Facebook!
Disabling apps without warnings or anything which means no customer login. This is a huge pain since the solution doesn't have any way to login to the same account with another credential.
"Oh did you use that? Now you can't. And the only way to do anything is to submit a form to 'appeal' the case which we'll just reject without any notifications or emails"
Normally I won't rant like this or use that much swearing.. but in this case:
Fuck you, Facebook. Fuck. You.
-
I recently logged into my care provider's online services for the first time, to schedule a doctor's appointment.
The login form requested the usual: username and password - but also a birth date. Which their developers implemented with the default Android datepicker control.
Meaning I had to click 'back' 339 times to get to December 1989.
fuuuuck.
-
Why the hell did you put the promo code field on the login form? What type of fucking eCommerce site are you?
-
TL;DR: FFS Microsoft
So yesterday we were at the point in our project where adding a login system seemed like a good idea. This is an asp.net core mvc project and we use Materialize for our frontend.
So according to _the tutorials_ we could start a new project and add authentication in the prompt by pressing a button. As it created the project I thought it seemed nice and easy enough. After it had created the test solution I build it and, sure enough, in the top right corner there were a register and login <a>.
I checked them out and they were your bog standard form input input submit and all. Now I guessed I could look at how it's all programmed aaaaaaaaand
Nope.
I saw a new folder located at Areas/Identity/Pages which had a _ViewStart.cshtml which contained three lines. There were also a database migration and in Startup.cs there were some database stuff, but other than that? Nothing. So where on earth was the login and register form located? Shit like that is frustrating ya know.
But oh well it seemed to work and I switched to our examn project where I found it was possible to scaffold the login system in a way that seemed nice.
Except, for some reason, bootstrap and jquery decided to return to our project. FFS Microsoft!
-
I don't get it, why do all those authentication providers want you to use a separate webpage to handle the login, why can't I just have the form and "login with ID provider" buttons on my page.
Why is the user forced to take another step in the flow...
this is UX 101, c'mon!
-
This tuesday I saw a really badly made PHP web application. Two actually. I was giving a time estimate for how long it would take to transfer these applications to our servers. While I was reading the code it became apparent that they had more security holes than Emmental cheese. Most views had obvious SQL-injection vulnerabilities and most probably XSS too. Although I didn't think too look for XSS in the moment. It just puzzled me that this bad code even exists.
But cherry on top was that the password wasn't checked at all. The login form was on the organization's website and was sent to the selected application. But the password wasn't checked in the application. And this was made by a real Finnish software development firm, like what the fuck.
Time to redo the applications I guess. Not like there's anything wrong in that if they pay for it.
-
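Added example (Python, not code from any project these rants describe): the login check that the Classic ASP rant and the Finnish PHP apps above lacked, next to the anti-pattern they used, plus the recovery flow the plaintext-password SSO rant (3 of 3) needed. It assumes SQLite, PBKDF2-HMAC-SHA256, a constructed sample user, and schema, names and TTL of my own choosing.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3
import time
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # current OWASP guidance for PBKDF2-HMAC-SHA256
RESET_TTL_SECONDS = 15 * 60   # recovery links are short-lived


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema for the example: there is no plaintext password column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    conn.execute("CREATE TABLE reset_tokens (token_hash TEXT PRIMARY KEY, email TEXT, expires REAL)")
    return conn


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register(conn: sqlite3.Connection, email: str, password: str) -> None:
    salt = os.urandom(16)
    conn.execute("INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)",
                 (email, salt, hash_password(password, salt)))
    conn.commit()


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """The anti-pattern from the rants, kept only for contrast: the form field is pasted
    into the SQL text, and the password argument is never looked at."""
    sql = f"SELECT email FROM users WHERE email = '{email}'"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # a single quote in the field already changes the statement


def login_safe(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Bound parameter, then a constant-time compare of the salted hash."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        hash_password(password, b"\x00" * 16)  # same work for unknown users, no timing tell
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def create_reset_token(conn: sqlite3.Connection, email: str,
                       now: Optional[float] = None) -> Optional[str]:
    """Recovery without a stored plaintext: a one-time random token goes out by mail;
    the database keeps only its hash and an expiry."""
    now = time.time() if now is None else now
    if conn.execute("SELECT 1 FROM users WHERE email = ?", (email,)).fetchone() is None:
        return None  # the caller shows the same 'check your mail' message either way
    token = secrets.token_urlsafe(32)
    conn.execute("INSERT INTO reset_tokens (token_hash, email, expires) VALUES (?, ?, ?)",
                 (hashlib.sha256(token.encode()).hexdigest(), email, now + RESET_TTL_SECONDS))
    conn.commit()
    return token


def reset_password(conn: sqlite3.Connection, token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    row = conn.execute("SELECT email, expires FROM reset_tokens WHERE token_hash = ?",
                       (token_hash,)).fetchone()
    conn.execute("DELETE FROM reset_tokens WHERE token_hash = ?", (token_hash,))  # single use
    if row is None or now > row[1]:
        conn.commit()
        return False
    salt = os.urandom(16)
    conn.execute("UPDATE users SET salt = ?, pw_hash = ? WHERE email = ?",
                 (salt, hash_password(new_password, salt), row[0]))
    conn.commit()
    return True


if __name__ == "__main__":
    db = make_db()
    register(db, "alice@example.com", "correct horse battery staple")  # constructed user
    print(login_vulnerable(db, "alice@example.com", "anything"))        # True: password ignored
    print(login_safe(db, "alice@example.com", "anything"))              # False
    print(login_safe(db, "alice@example.com", "correct horse battery staple"))  # True
```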
How can you make a login form in which details are filled via voice? One way is that we can use PyAutoGUI for fetching coordinates but it's not working as per my wish...
-
They asked me to build a small website they will embed in a native application with some web wrapper in Android and iOS.
But also asked me to build a login web service that will return a JWT. Done.
They want to do a native code login form that opens up the web wrapper with my small website already logged in using the login web service.
I have no idea how to proceed in the backend.
At first I tried using postman with a POST request to the sessions/sign_in route and sending a form with the authenticity token and the email and password; but CSRF stopped me. I don't want to turn it off because of reasons.
Now i am wondering how to use this JWT to generate a cookie with a session inside it that they can use in the web wrapper.
Any help would be appreciated :)
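An added example, not the asker's app or Rails/Devise code, of the backend half of what the question describes: the wrapper sends the JWT from the native login once to an exchange endpoint, which mints a server-side session and returns the cookie the embedded site then reads. It assumes an HS256 JWT under a shared key, the token arriving as a Bearer header, and an in-memory session dict; every name here is hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

SESSION_TTL_SECONDS = 8 * 3600
SESSIONS: dict = {}   # server-side store: opaque session id -> {"sub": ..., "expires": ...}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes) -> str:
    """HS256 JWT as the native login endpoint would hand out (constructed for the example)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if `token` is an unexpired HS256 JWT under `key`, else None.
    The algorithm is pinned, so 'alg: none' or a swapped algorithm is rejected."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    try:
        header = json.loads(_b64url_decode(head))
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if header.get("alg") != "HS256" or not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except (ValueError, TypeError, AttributeError):
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or now >= exp:
        return None
    return claims


def exchange_jwt_for_session(auth_header: str, jwt_key: bytes,
                             now: Optional[float] = None) -> Optional[Tuple[str, str]]:
    """The exchange endpoint the wrapper calls once. Returns (session id, Set-Cookie value).
    The credential arrives in an Authorization header, not a cookie or a form post, so a
    cross-site page cannot replay it and the form CSRF token is not needed here."""
    now = time.time() if now is None else now
    scheme, _, token = auth_header.partition(" ")
    if scheme != "Bearer":
        return None
    claims = verify_hs256(token, jwt_key, now)
    if claims is None or "sub" not in claims:
        return None
    sid = secrets.token_urlsafe(32)   # opaque; the JWT itself never becomes the cookie
    SESSIONS[sid] = {"sub": claims["sub"], "expires": now + SESSION_TTL_SECONDS}
    return sid, f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def current_user(cookie_header: str, now: Optional[float] = None) -> Optional[str]:
    """What the embedded pages call per request: resolve the cookie server-side."""
    now = time.time() if now is None else now
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            sess = SESSIONS.get(value)
            if sess and now < sess["expires"]:
                return sess["sub"]
            SESSIONS.pop(value, None)   # expired or unknown: drop it
            return None
    return None
```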