Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
There's this guy that sits next to me in a class.
Guy: Hey, you're a hacker right?
Me: I'm a programmer.
Guy: Can you hack into my email account?
Me: Nope, I work in a different field of computer science.
In reality, I want to give him a piece of my mind.
I already know his email so I open up the login page and enter it. I click "forgot password", and it asks for his favorite teacher's name. Keep in mind that he made this account this year.
Me: So anyways, who's your favorite teacher?
Guy: *proceeds to give me favorite teacher's name*
Me: 🤦♂️
I change his password and log into his account. After that, I show him and tell him about how he should keep his account secure.
He left class with a priceless look on his face.14 -
Why the Fuck would someone disable pasting on a password field!!!! How the fuck am I supposed to enter my shit from my password manager now?16
-
So a user reported they couldn't login to our site, so I reset their password to:
uI+ffRT7M2NAzo8uOqzf4QxO3I9tj8PJ4TS0n8zDV7I
And sent them back an email with the updated password. A few minutes later, they replied and said that password didn't work. They even tried a different web browser, etc. I tried it myself, and sure enough, it didn't work.
I spent the next several hours trying to figure out why the password didn't save properly, or why the logic didn't compare them correctly. Perhaps it was some sort of caching issue? Oh the horror.
As it turns out, the problem was a maxlength of 28 on the login form field:
<input type="password" name="password" value="" maxlength="28"/>
I don't know who wrote that code, but it sure wasn't me.21 -
Not really dev as much but still IT related 😂
in college we got some new macs in our class. Before we were allowed to use them the "IT Tech" came in and did something to them all (probably ran some scripts to set stuff up)
Anyway, I was completely new to OS X and accidentally pressed a key combo that opened up a dialogue to connect to a remote file server. I saw the address field was already filled out (from when the IT Tech was running the scripts). So me being me I decided to connect. Low and behold my student credentials got me in.
Taking a look around I found scripts, backups and all sorts of stuff. I decided to look at some of the scripts to see what they did. One of them was a script to add the Mac to the domain. Here's the funny part. The login to do that was hard coded into the script....
To conclude. I now have domain level access to my whole college network 🙃
Tl;Dr: stupid it tech saves password in script. I find it. I now have domain level access to the college network14 -
Disabling pasting into a password field in 2020 with password managers, is retarded. That's it that's the rant. Doesn't matter if you think password managers are good or not. Its still retarded that there's a 40 something year old dumbfuck manager who told a web designer at EA to disable pasting into a fucking password field because he was dumb enough to think it stopped hackers or some shit like that.15
-
That awkward moment when you are focused on talking to a friend, and you realize that you wrote your password in the wrong field9
-
I absolutely love the email protocols.
IMAP:
x1 LOGIN user@domain password
x2 LIST "" "*"
x3 SELECT Inbox
x4 LOGOUT
Because a state machine is clearly too hard to implement in server software, clients must instead do the state machine thing and therefore it must be in the IMAP protocol.
SMTP:
I should be careful with this one since there's already more than enough spam on the interwebs, and it's a good thing that the "developers" of these email bombers don't know jack shit about the protocol. But suffice it to say that much like on a real letter, you have an envelope and a letter inside. You know these envelopes with a transparent window so you can print the address information on the letter? Or the "regular" envelopes where you write it on the envelope itself?
Yeah not with SMTP. Both your envelope and your letter have them, and they can be different. That's why you can have an email in your inbox that seemingly came from yourself. The mail server only checks for the envelope headers, and as long as everything checks out domain-wise and such, it will be accepted. Then the mail client checks the headers in the letter itself, the data field as far as the mail server is concerned (and it doesn't look at it). Can be something else, can be nothing at all. Emails can even be sent in the future or the past.
Postfix' main.cf:
You have this property "mynetworks" in /etc/postfix/main.cf where you'd imagine you put your own networks in, right? I dunno, to let Postfix discover what your networks are.. like it says on the tin? Haha, nope. This is a property that defines which networks are allowed no authentication at all to the mail server, and that is exactly what makes an open relay an open relay. If any one of the addresses in your networks (such as a gateway, every network has one) is also where your SMTP traffic flows into the mail server from, congrats the whole internet can now send through your mail server without authentication. And all because it was part of "your networks".
Yeah when it comes to naming things, the protocol designers sure have room for improvement... And fuck email.
Oh, bonus one - STARTTLS:
So SMTP has this thing called STARTTLS where you can.. unlike mynetworks, actually starts a TLS connection like it says on the tin. The problem is that almost every mail server uses self-signed certificates so they're basically meaningless. You don't have a chain of trust. Also not everyone supports it *cough* government *cough*, so if you want to send email to those servers, your TLS policy must be opportunistic, not enforced. And as an icing on the cake, if anything is wrong with the TLS connection (such as an MITM attack), the protocol will actively downgrade to plain. I dunno.. isn't that exactly what the MITM attacker wants? Yeah, great design right there. Are the designers of the email protocols fucking retarded?9 -
TL;DR I'm fucking sick and tired of Devs cutting corners on security! Things can't be simply hidden a bit; security needs to be integral to your entire process and solution. Please learn from my story and be one of the good guys!
As I mentioned before my company used plain text passwords in a legacy app (was not allowed to fix it) and that we finally moved away from it. A big win! However not the end of our issues.
Those Idiot still use hardcoded passwords in code. A practice that almost resulted in a leak of the DB admin password when we had to publish a repo for deployment purposes. Luckily I didn't search and there is something like BFG repo cleaner.
I have tried to remedy this by providing a nice library to handle all kinds of config (easy config injection) and a default json file that is always ignored by git. Although this helped a lot they still remain idiots.
The first project in another language and boom hardcoded password. Dev said I'll just remove before going live. First of all I don't believe him. Second of all I asked from history? "No a commit will be good enough..."
Last week we had to fix a leak of copyrighted contend.
How did this happen you ask? Well the secure upload field was not used because they thought that the normal one was good enough. "It's fine as long the URL to the file is not published. Besides now we can also use it to upload files that need to be published here"
This is so fucking stupid on so many levels. NEVER MIX SECURE AND INSECURE CONTENT it is confusing and hard to maintain. Hiding behind a URL that thousands of people have access to is also not going to work. We have the proof now...
Will they learn? Maybe for a short while but I remain sceptic. I hope a few DevrRanters do!7 -
So, a rather unfortunate bug on the Minecraft website.
Minecraft allows you to change your name every 30 days. I was reverse engineering their API so I could use it personally.
On the username change form there are two fields: your desired username, and your password.
To protect myself from actually changing my name, I purposefully put in password123 so that it would fail. Then, I clicked "Change name" to monitor the network traffic.
Well that's when two unfortunate things combined.
#1: I used my last name to test. It's a unique word that is relatively short and very easy for me to type out of habit.
#2: That password field doesn't actually get validated.
So imagine my shock when I clicked "change username" and it WORKED.
And now my username is doxxing me for at least 30 days + the permanent name history
FUCK me6 -
I just spent 30 minutes on the phone with my grandmother trying to help her sign in to her chrome book just to have her tell me she was punching her email into the password field...
-
A few weeks ago I stepped onto the grounds of lovely Canada. Back then - coming from Europe - I was surprised. Free WiFi everywhere without all the bells and whistles of creating an account and such.
Well ... at least I thought so ...
Today I went to a location where they actually charge you for their wireless services - fair enough the coverage area is pretty huge - and provide you with an access coupon. All good my optimistic me told me but once the login page loaded...
There are a lot of things about UX I could rant about but let's put that aside. The coupon came from the office where they KNEW all your contact details but it required you to create an account with all of them again to redeem the coupon.
Not only that but it asked for things like the phone number - obviously asking for a Canadian landline number since hell who uses mobiles anyway with numbers longer than ten characters?! - and even though it had a nice country selection it kept the states field there even when selecting a country that doesn't have states ...
Oh, and on a regular phone screen (which would be the target user for WiFi on a campground I suppose) the input fields for state and zip were occluded by the margins of the input rendering the content invisible.
And if that weren't enough after creating your account they made you watch an ad as if the personal data and the 4$ you paid them wasn't enough for the lousy 400 KB/s you get for 24h ...
Gets better though! After creating the account they display your password to make sure you remembered it ... over a non-secured WiFi network ... and send you an email afterward ... password via unencrypted mail via an unencrypted WIRELESS connection ... not that it protects anything that would matter anyways you can just snoop the MAC of your neighbor and get in that way or for that sake get their password but oh well ...
Gosh, sometimes I just feel the urgent need to find the ones responsible and tell them to GTFO of the IT world ...
Is it just me feeling like this about crappy UI/UX design? Always wondering...2 -
Best part about the covid19 manufactured crisis?
Liquor stores deliver. Worst part about liquor stores delivering? Needing to use their shoddy websites.
I've been using a particular store (Total Wines) since they're cheaper than the rest and have better selection; it's quite literally a large warehouse made to look like a store.
Their website tries really hard to look professional, too, but it's just not. It took me two days to order, and not just from lack of time -- though from working 14 hour days, that's a factor.
Signing up was difficult. Your username is an email address, but you can't use comments because the server 500s, making the ajax call produce a wonderfully ambiguous error message. It also fades the page out like it's waiting on something, but that fade is on top of the error modal too. Similar error with the password field, though I don't remember how I triggered it.
Signing up also requires agreeing to subscribe to their newsletter. it's technically an opt-in, but not opting-in doesn't allow you to proceed. Same with opting-in to receiving a text notification when your order is ready for pickup -- you also opt-in to reciving SMS spam.
Another issue: After signing up, you start to navigate through the paginated product list. Every page change scrolls you to the exact middle of the next page. Not deliberatly; the UI loads first, and the browser gets as close as it can to your previous position -- which was below that as the pagination is at the bottom -- and then the products populate after. But regardless of why, there is no worse place to start because now you must scroll in both directions to view the products. If it stayed at the very bottom, it would at least mean you only need to scroll upwards to look at everything on the page. Minor, but increasingly irritating.
Also, they have like 198 pages of spirits alone because each size is unique entry. A 50ml, 350ml, 500ml, 750ml, 1000ml, and 1750ml bottle of e.g. Tito's vodka isn't one product, it's six. and they're sorted seemingly randomly. I think it's by available stock, looking back.
If you fancy a product, you can click on it for a detail page. Said detail page lists the various sizes in a dropdown, but they're not sorted correctly either, and changing sizes triggers a page reload, which leads to another problem:
if you navigate to more than a few pages within a 10 or so second window, the site accuses you of using browser automation. No captcha here, just a "click me for five seconds" button. However, it (usually) also triggers the check on every other tab you have open after its next nagivation.
That product page also randomly doesn't work. I haven't narrowed it down, but it will randomly decide to start failing, and won't stop failing for hours. It renders the page just fine, then immediately replaces it with a blank page. When it's failing, the only way to interact with the page is a perfectly-timed [esc], which can (and usually does) break all other page functionality, too. Absolutely great when you need to re-add everything from a stale copy of your signed-out cart living in another tab. More on that later. And don't forget to slow down to bypass the "browser automation" check, too!
Oh, and if you're using container tabs, make sure to open new tabs in the SAME container, as any request from the same IP without the login cookie will usually trigger that "browser automation" response, too.
The site also randomly signs you out, but allows you to continue amassing your cart. You'd think this is a good thing until you choose to sign in again... which empties your cart. It's like they don't want to make a sale at all.
The site also randomly forgets your name, replacing it with "null." My screen currently says "Hello, null". Hello, cruft!
It took me two days to order.
Mostly from lack of time, as i've been pulling 14 hour shifts lately trying to get everything done. but the sheer number of bugs certainly wasted most of what little time i had left. Now I definitely need a drink.
But maybe putting up with all of this is worthwhile because of their loyalty program? Apparently if you spend $500, you can take $5 off your next purchase! Yay! 1%! And your points expire! There are three levels; maybe it gets better. Level zero is for everyone; $0 requirement. There are also levels at $500 and $2500. That last one is seriously 5x more than the first paid level. and what does it earn you? A 'free' magazine subscription, 'free' classes (they're usually like $20-$50 iirc), and a 'free' grab bag (a $2.99 value!) twice per month. All for spending $2500. What a steal. It reminds me of Candy Crush's 3-star system where the first two stars are trivial, and the third is usually a difficult stretch goal. But here it's just thinly-veiled manipulation with no benefit.
I can tell they're employing some "smarketing" people with big ideas (read: stolen mistakes), but it's just such a fail.
The whole thing is a fail.8 -
The "Change Password" function autofilled the old password. Dev told be it didn't matter because "if you set the field type to password you can't see it".4
-
Its been 1 month and still no reply from my university IT department after i inforned them the login was transmitting usernames and passwords unencrypted over http and that the password field was case-insensitive for some fucking reason.
Might have to break out the sniffer and setup a script to automatically email them different students account details until they fix it, i should cc the dean 😂8 -
So today I decided to change the passwords on some online accounts...
Sony: "Don't use the same symbol twice in a row. Oh, and how about 4 reset emails because the first 3 times it won't work?"
Me: "Okay, this password meets all requirements"
Sony: "I don't believe you lol."
Twitch: "Error: Your password length must be between 8 and 40 symbols!"
Me: "But mine has 24 symbols and the password field shows a green checkbox"
Twitch: "Error: Your password length must be between 8 and 40 symbols!"
Aaaargh! Did they hire toddlers as interns or something?1 -
So my colleuge is making a noise about his password not being accepted for a new account and calls me over to come assist.
After getting there and taking a look I could easily see the confirmation password was much longer than the inteded password and point this out to him.
He then proceeds to work through the source to the confirm password field and changes the data to text so I can read the confirmed password
Password: *******
Confirm PW: Yup that's it
Major facepalm for the prank😂
Colleague - @minij0ker4 -
Password policy for a big water company site in Spain.
Translation: Between 6 and 10 characters (only letters and numbers, no spaces)
In guess they have a VARCHAR(10) password field in their db?!?
2 -
**Me, while working on sql based project**
Manager: Does anyone knows java! Want a sample login screen written in java.
**I'm the only one in my team to know java, thus raised my hand**
Me: It's done. Mailed you the .java file.
Manager: I can see my password
Me: I fuckn hate myself. ***Forgot to set password field as password type***
Manager: you are no different than others.
Me: Yeah..😶 **f@#& you**1 -
Fucking Apple... my MacBook Pro committed suicide upgrading from High Sierra to Mojave, had to wipe the drive. After much trouble resetting my Apple ID (put the password AND the two-factor code in the password field.. who the fuck thought that up), it tells me Mojave isn't compatible with this computer.
... fine, it's a 2012 machine I can respect that, but you blew away my system to upgrade THIS WAS YOUR IDEA NOT MINE...
...and so I just try to update to El Capitan or something because I'm on FUCKING OSX LION now (swirling galaxy, so sparkle, such stars)
...and the App Store won't let me. Why?
"Software Update Required"
"To make changes to your payment information, you need to upgrade your Mac to the latest version of macOS."
just.
wow. -
I had to make an account for my kid's school.
Last night I start. I put in a username, then it has a quality meter for the password. I put one in and it goes to like 90%. Ok, fine. I submit and...
Validation error on the username field. Message? [object Object].
Try all different kinds of username: no numbers, all caps, etc. But no luck so I give up.
Today I try again and get stuck again. Then I think... "Maybe the devs suck worse than I think..."
I change the password so that it's rated 100% and submit... Success.
Fucking devs.3 -
Why the fuck did Oracle change their policies on the official JDK and made the website nigh impossible to use?!
It was shit from the 90s before, and now its still shit just modern.
Why do I have to register do get the JDK, you know Im going to use the fucking 10min mail. I just wanted to setup a freaking build server and I had to go over your retarded website that for some reason *refreshes* and erases the username field everytime I put in the wrong password. Why?
Why is oracle just outright bad at making websites?! Its always a maze to navigate and now it also takes seconds to even load...
This shit is why everyone uses openJDK and adopt. 3 billion devices running java?! Not with your jre/jdk they are not, because It's a pain to get... Don't me even get started on the mess it does on windows server. Why wasn't my JAVA_HOME set automatically?! I lost almost 2 hours because I trusted your piece of shit software to so the one job it has, even reinstalled it completely...
Get your shit together Oracle, this was unacceptable 10 years ago, let alone now9 -
WHY THE FUCK DOES AUTOCOMPLETE = "OFF" GET IGNORED 😡😡😡
managed to find a work around for the password field, but god forbid there's one for the username field 👿
I feel like I've tried everything google has to offer1 -
Oh boy, this is gonna be good:
TL;DR: Digital bailiffs are vulnerable as fuck
So, apparently some debt has come back haunting me, it's a somewhat hefty clai and for the average employee this means a lot, it means a lot to me as well but currently things are looking better so i can pay it jsut like that. However, and this is where it's gonna get good:
The Bailiff sent their first contact by mail, on my company address instead of my personal one (its's important since the debt is on a personal record, not company's) but okay, whatever. So they send me a copy of their court appeal, claiming that "according to our data, you are debtor of this debt". with a URL to their portal with a USERNAME and a PASSWORD in cleartext to the message.
Okay, i thought we were passed sending creds in plaintext to people and use tokenized URL's for initiating a login (siilar to email verification links) but okay! Let's pretend we're a dumbfuck average joe sweating already from the bailiff claims and sweating already by attempting to use the computer for something useful instead of just social media junk, vidya and porn.
So i click on the link (of course with noscript and network graph enabled and general security precautions) and UHOH, already a first red flag: The link redirects to a plain http site with NOT username and password: But other fields called OGM and dossiernumer AND it requires you to fill in your age???
Filling in the received username and password obviously does not work and when inspecting the page... oh boy!
This is a clusterfuck of javascript files that do horrible things, i'm no expert in frontend but nothing from the homebrewn stuff i inspect seems to be proper coding... Okay... Anyways, we keep pretending we're dumbasses and let's move on.
I ask for the seemingly "new" credentials and i receive new credentials again, no tokenized URL. okay.
Now Once i log in i get a horrible looking screen still made in the 90's or early 2000's which just contains: the claimaint, a pie chart in big red for amount unpaid, a box which allows you to write an - i suspect unsanitized - text block input field and... NO DATA! The bailiff STILL cannot show what the documents are as evidence for the claim!
Now we stop being the pretending dumbassery and inspect what's going on: A 'customer portal' that does not redirect to a secure webpage, credentials in plaintext and not even working, and the portal seems to have various calls to various domains i hardly seem to think they can be associated with bailiff operations, but more marketing and such... The portal does not show any of the - required by law - data supporting the claim, and it contains nothing in the user interface showing as such.
The portal is being developed by some company claiming to be "specialized in bailiff software" and oh boy oh boy..they're fucked because...
The GDPR requirements.. .they comply to none of them. And there is no way to request support nor to file a complaint nor to request access to the actual data. No DPO, no dedicated email addresses, nothing.
But this is really the ham: The amount on their portal as claimed debt is completely different from the one they came for today, for the sae benefactor! In Belgium, this is considered illegal and is reason enough to completely make the claim void. the siple reason is that it's unjust for the debtor to assess which amount he has to pay, and obviously bailiffs want to make the people pay the highest amount.
So, i sent the bailiff a business proposal to hire me as an expert to tackle these issues and even sent him a commercial bonus of a reduction of my consultancy fees with the amount of the bailiff claim! Not being sneery or angry, but a polite constructive proposal (which will be entirely to my benefit)
So, basically what i want to say is, when life gives you lemons, use your brain and start making lemonade, and with the rest create fertilizer and whatnot and sent it to the lemonthrower, and make him drink it and tell to you it was "yummy yummy i got my own lemons in my tummy"
So, instead of ranting and being angry and such... i simply sent an email to the bailiff, pointing out various issues (the ones6 -
Not as much of a rant as a share of my exasperation you might breathe a bit more heavily out your nose at.
My work has dealt out new laptops to devs. Such shiny, very wow. They're also famously easy to use.
.
.
.
My arse.
.
.
.
I got the laptop, transferred the necessary files and settings over, then got to work. Delivered ticket i, delivered ticket j, delivered the tests (tests first *cough*) then delivered Mr Bullet to Mr Foot.
Day 4 of using the temporary passwords support gave me I thought it was time to get with department policy and change my myriad passwords to a single one. Maybe it's not as secure but oh hell, would having a single sign-on have saved me from this.
I went for my new machine's password first because why not? It's the one I'll use the most, and I definitely won't forget it. I didn't. (I didn't.) I plopped in my memorable password, including special characters, caps, and numbers, again (carefully typed) in the second password field, then nearly confirmed. Curiosity, you bastard.
There's a key icon by the password field and I still had milk teeth left to chew any and all new features with.
Naturally I click on it. I'm greeted by a window showing me a password generating tool. So many features, options for choosing length, character types, and tons of others but thinking back on it, I only remember those two. I had a cheeky peek at the different passwords generated by it, including playing with the length slider. My curiosity sated, I closed that window and confirmed that my password was in.
You probably know where this is going. I say probably to give room for those of you like me who certifiably. did. not.
Time to test my new password.
*Smacks the power button to log off*
Time to put it in (ooer)
*Smacks in the password*
I N C O R R E C T L O G I N D E T A I L S.
Whoops, typo probably.
Do it again.
I N C O R R E C T L O G I N D E T A I L S.
No u.
Try again.
I N C O R R E C T L O G I N D E T A I L S.
Try my previous password.
Well, SUCCESS... but actually, no.
Tried the previous previous password.
T O O M A N Y A T T E M P T S
Ahh fuck, I can't believe I've done this, but going to support is for pussies. I'll put this by the rest of the fire, I can work on my old laptop.
Day starts getting late, gotta go swimming soonish. Should probably solve the problem. Cue a whole 40 minutes trying my 15 or so different passwords and their permutations because oh heck I hope it's one of them.
I talk to a colleague because by now the "days since last incident" counter has been reset.
"Hello there Ryan, would you kindly go on a voyage with me that I may retrace my steps and perhaps discover the source of this mystery?"
"A man chooses, a slave obeys. I choose... lmao ye sure m8, but I'm driving"
We went straight for the password generator, then the length slider, because who doesn't love sliding a slidey boi. Soon as we moved it my upside down frown turned back around. Down in the 'new password' and the 'confirm new password' IT WAS FUCKING AUTOCOMPLETING. The slidey boi was changing the number of asterisks in both bars as we moved it. Mystery solved, password generator arrested, shit's still fucked.
Bite the bullet, call support.
"Hi, I need my password resetting. I dun goofed"
*details tech support needs*
*It can be sorted but the tech is ages away*
Gotta be punctual for swimming, got two whole lengths to do and a sauna to sit in.
"I'm off soon, can it happen tomorrow?"
"Yeah no problem someone will be down in the morning."
Next day. Friday. 3 hours later, still no contact. Go to support room myself.
The guy really tries, goes through everything he can, gets informed that he needs a code from Derek. Where's Derek? Ah shet. He's on holiday.
There goes my weekend (looong weekend, bank holiday plus day flexi-time) where I could have shown off to my girlfriend the quality at which this laptop can play all our favourite animé, and probably get remind by her that my personal laptop has an i2350u with integrated graphics.
TODAY. (Part is unrelated, but still, ugh.)
Go to work. Ten minutes away realise I forgot my door pass.
Bollocks.
Go get a temporary pass (of shame).
Go to clock in. My fob was with my REAL pass.
What the wank.
Get to my desk, nobody notices my shame. I'm thirsty. I'll have the bottle from my drawer. But wait, what's this? No key that usually lives with my pass? Can't even unlock it?
No thanks.
Support might be able to cheer me up. Support is now for manly men too.
*Knock knock*
"Me again"
"Yeah give it here, I've got the code"
He fixes it, I reset my pass, sensibly change my other passwords.
Or I would, if the internet would work.
It connects, but no traffic? Ryan from earlier helps, we solve it after a while.
My passwords are now sorted, machine is okay, crisis resolved.
*THE END*
If you skipped the whole thing and were expecting a tl;dr, you just lost the game.
Otherwise, I absolve you of having lost the game.
Exactly at the char limit9 -
In my school, eleventh grade (so nearly "Abitur", A levels), we got the task to create a program which will be running on every computer here which should replace the Classbook (like a book where homework and lessons and stuff is written down).
Now, the class before mine already did a part of that, a program to share who is ill/not at school, with a mark whether it is excused or not.
So far so good. They all seemed not that bad when they were presenting it to us. Then, the first thing: they didn't know what git is. Well, okay I thought.
Next, there was this password field to access the program. One of them entered the password and clicked enter. That seemed suspiciously fast for an actual secure login. So fast, the password could have been in the Code...
Yesterday I copied that program and put it into a decompiler.
And... I was right.
There were the login credentials in plain text. Also, haven't thought of it but, IP address + username + password + database name were there in plain text, too.
Guess I am going to rewrite this program down to the core2 -
I'm seriously working with a system that saves the password AND the confirm password In the database... varchar field, copied info, no wonders it takes half an hour to make query.10
-
Yesterday, I wrote that Paypal password reset is kinda broken.
Well, today I found out that they have limitation to 20 chars in password and, if you paste longer one, input field will accept only 20 and rest is gone. And all that happens without warning. I mean, you can see only 20 dots, but who is counting password dots?2 -
Customers are so fucking stupid.
You're already on the page with a form with a "password" field and a fucking "save" button. WHY ARE YOU STILL ASKING ME HOW TO CHANGE YOUR FUCKING PASSWORD???
FUCKING STUPID CUSTOMER WHY DON'T YOUR FUCKING KILL YOURSELF???
FUCK!2 -
1. A login window or form appears
2. Enter username
3. Enter p-
4. Another application STEALS THE FUCKING FOCUS
5. Enter half of the (or the whole) password in the app that stealed the focus and press Enter by mere inertia
Or this variant:
4. The username field gets autofocused
5. Enter the password in the username field, out in the clear for everyone to see
DON'T YOU STEAL ME FOCKING FOCUS MATE3 -
What the actual f. I just changed my password on uplay to a 30 character password which works fine on the web account manager. Apparantly some moron decided to limit password field in the uplay client where your actual games are stored to 17 or 18 characters.
And that while they want to "improve" security. Please ubisoft, fix your shit4 -
What is it with the rising trend of password fields allowing you to see your password, and (worse than that) often having it as unmasked by default?!
Who woke up one day and said "Damn, you know what would be a great idea? Unmasking the password field, so everyone can see it! Why didn't we think of that before?!"
Dahh.7 -
So here I am investigating something our users are claiming. I look up which user the UserId did the change and I see not only the user but also the users password in clear text in a separate field. I thought that field was for a password hint that the user can set up, but I asked around and apparently, no... It's literally the plain text version of the password stored in the database, next to the hash of the password.
Apparently, the users were so impossible to deal with that we added that column and for users that constantly pester us about not knowing their password and not wanting to change it, we added a plaintext password field for them :D2 -
So for those of you keeping track, I've become a bit of a data munger of late, something that is both interesting and somewhat frustrating.
I work with a variety of enterprise data sources. Those of you who have done enterprise work will know what I mean. Forget lovely Web APIs with proper authentication and JSON fed by well-known open source libraries. No, I've got the output from an AS/400 to deal with (For the youngsters amongst you, AS/400 is a 1980s IBM mainframe-ish operating system that oriiganlly ran on 48-bit computers). I've got EDIFACT to deal with (for the youngsters amongst you: EDIFACT is the 1980s precursor to XML. It's all cryptic codes, + delimited fields and ' delimited lines) and I've got legacy databases to massage into newer formats, all for what is laughably called my "data warehouse".
But of course, the one system that actually gives me serious problems is the most modern one. It's web-based, on internal servers. It's got all the late-naughties buzzowrds in web development, such as AJAX and JQuery. And it now has a "Web Service" interface at the request of the bosses, that I have to use.
The programmers of this system have based it on that very well-known database: Intersystems Caché. This is an Object Database, and doesn't have an SQL driver by default, so I'm basically required to use this "Web Service".
Let's put aside the poor security. I basically pass a hard-coded human readable string as password in a password field in the GET parameters. This is a step up from no security, to be fair, though not much.
It's the fact that the thing lies. All the files it spits out start with that fateful string: '<?xml version="1.0" encoding="ISO-8859-1"?>' and it lies.
It's all UTF-8, which has made some of my parsers choke, when they're expecting latin-1.
But no, the real lie is the fact that IT IS NOT WELL-FORMED XML. Let alone Valid.
THERE IS NO ROOT ELEMENT!
So now, I have to waste my time writing a proxy for this "web service" that rewrites the XML encoding string on these files, and adds a root element, just so I can spit it at an XML parser. This means added infrastructure for my data munging, and more potential bugs introduced or points of failure.
Let's just say that the developers of this system don't really cope with people wanting to integrate with them. It's amazing that they manage to integrate with third parties at all...2 -
Can we stop that trend of only showing the username field and then show the password field after filling the username clicking next? It messes with my Keepass browser addon.
Apart from that, it messes with human workflow as well. Enter Username -> TAB -> Enter Password -> ENTER. With that stupid UI you have to either focus the next button with Tab and hope hitting Enter does not already submit the login form or switch to mouse and click the Next button.10 -
uhm, nice registration form I guess? those are not placeholders btw, it's actual values
source: https://dashboard.nanobox.io/users/...
in comments the password field and the webarchive
4 -
Yet another day at my company, Im rewriting some old code for client (rewriting old, php 4 system for vindications managment) and you know the moment when you are focused and someone comes to you to absolutely ruin your focus. Fine, whatever. Oh, for fuck sake. Again dev is doing as support becouse one moron with second can't login into zimbra admin panel and add fucking mailbox. I show them exacly how they login, remind them they are admins too, slowly show them, so you click "manage" than you click that gear icon and than you click "new", fill in email address and password. As simple as 1-2-3. Okay, fuck it, time to go for a cig. I just finish up few lines and stand, grab my vape and start walking towards door. In door I find my buddy with 2 random people. He told me that they are interns and that I should show them some basics and stuff around that. Oh god, fuck my life. If anything, Im definitely very bad teacher, mainly becouse I often have problems with saying what I mean in the way that somebody actually understans and knows what I am trying to say. Whatever. Fuck it all. I grab two of our old laptops that nobody used in like a year or so, and first thing I quickly figure out, is that one day for some what the fuck reason I dont even dont bothered to remember I installed Arch on both while I dont usually use Arch. I just needed it for some specific reason. Whatever. So I guess I will need to upgrade fucking system. Our network isn't really great so that was like... hour or so. In the meantime I figured what they know about coding in general etc, and holly shit. One of them (there was boy and girl), girl, apparently never ever in her life even touched code. Well... fuck. Why am I wasting my time? Becouse there was some programme or some shit like that... Someone could tell me before so I could mentally prepare.. fuck it. whatever. So while laptops are doing their pacman thing, I sit with them and slowly start to explain based on my machine some really basic concepts. Second guy actually had some expirience, he knew how to make some really really basic logic and stuff, so he had another world of problems, becouse it was PHP and, as we all know, everyone hates PHP, and... yeah.. You can probably imagine his approach. Yes, you get user input in super global array. I really wanted to say "Now shut the fuck up and write that fucking $_POST".
hour or so passed, I was close to giving up to not let my anger rise (im not really good teacher... I mentioned it. I suck at teaching others) but luckly machines upgraded. He wanted to use visual studio code, she didnt care too much, so I installed phpstorm in trial mode. whatever. Since that's linux and they were not comfortable with that, I walked them through installing LAMP stack, and when finally it started to look like LAMP stack, I requested them to google how to install xdebug, becouse xdebug is very usefull and googling skill is your best weapon on that field. I go for cig, come back and what I see boiled me a little bit. The girl was stuck looking at github page randomly looking through xdebug source code and idk... hoping for miracle (she admited she thought there will be instructions somewhere) and the guy was in good place, xdebug has a place to paste your phpinfo() for custom instructions. But it didn't work for him, he claims that wizzard told him it cant help him.. hmm intresting, you are sure you pasted in phpinfo? yes, he is sure. Okay, show me.
Again mindblown how someone can have problems with reading.
so his phpinfo() looked like that:
```<?php
phpinfo();```
I highlighted on the page the words "output of phpinfo". He somehow didn't see it or something. He didnt know, he thought that he needs to put in phpinfo so he did. OMG.
Finally, I figured out I can workaround my intern problem, and I just briefly shown them php.net, how documentation looks, said to allways google in english, if he uses tutorial to read whole fucking thing, not just some parts of it, and left them with simple task, that took them whole day and at which they ultimately failed.
To make 3 buttons labeled "1" "2" "3" and if someone presses one of them, remember in session that they pressed it and disallow pressing other ones.
Never fucking again interns. Especially those who randomly without apparent reason almost literally just spawn in front of you and here, its your fucking problem now.
Fuck it, I have some time to get back to my stuff. Time is running so lets not waste it.
After around 15 minutes my one of my superiors comes in and asks me if I can go on meeting with him and other superior. My buddy goes with us, and next 3 hours I was basically explaining that you cannot do some things (ie. know XYZ happened without any source of information) in code, and I can't listen for callbacks from ABC becouse it wont send anyc cuz in their fucking brilliant idea ABC can't even know that this script would even exist, not to mention it wants callbacks.
Sometimes I hate my job.4 -
Those little assholes who code the web interfaces for the provider specific router. You also can't replace it with a fritzbox or something similar.
1. Password field only
2. Password field is no password field
3. This red internet thing doesn't tell me what's fucking wrong
4. The "diagnose" says everything is alright with my internet
5. It always complains because not every device in my network supports gigabit yet (there is an old switch). No reason to show everything in fucking red imo.
6. The things it lists I have to check can be and also should be checked by the fucking thing itself. Like wtf. They wanted a lot of money from me for this shitty thing and there is no temperature sensor to check if it's too hot.
7. It just stops working on hot days... Restart manually solves it. Let's restart manually from work when I have to access my files on my NAS from fucking 40 km away..
(see comments for more screenshots)
4 -
I checked out this new hybrid app that was released by some local senior developers.
Turns out that on my user profile, my user ID is set as the value of a hidden field and changing it to any other user ID and saving the form will update the profile of that user. Including changing the password.
The password reset form also allows me to change the user ID to reset that user's password.
Speaking of passwords, the value of the password field on the profile is my actual password in plain text.
Yes, I said this app was released by a couple of "senior developers". One has over 15 years of experience and the other works at an IT company that builds online banking systems. They appear to have outsourced this side project to some other development team but... Come on. At least take one quick look at the source code before releasing it, why don't you?
I don't even...1 -
Interesting password recommendation here...
Translation:
- A form with to fields: Surname and password.
- Below the form is a text: "For signup please enter your name and a password (e.g. your email address). With your name and password you can change your data anytime and may get access to the memberlist."
Bonus: There is a "help"-button (outside of the cutting) which even *recommends* the use of the email-address as the password!
Extra bonus: The password field is a normal text one.
IF THE EMAIL ADDRESS HAS TO BE SUBMITTED, WHY NOT JUST ADD ANOTHER FIELD OR AT LEAST LABEL THE FIELD CORRECTLY!
Update: After this form, you get to another form, to enter you email address...
3 -
Usually websites:
- wrong password -> Password field cleared and focused again
Apple websites:
- wrong password -> Password field cleared and email field focused again and password field hidden because fuck you!10 -
Not only is the default password they set a piece of shit, the password field actually shows the password even after you save it, why even bother with security?
Hash your fucking passwords!
The internet kills my insides.
4 -
“This value must be shorter than 20 characters in length.” … password field, bank website, 2016, wtf ¯\_(ツ)_/¯2
-
So today I learned that you can simply recover the contents of a password field by making it into a regular text field in dev tools.
Better tell my friend because I now have his root password to SSH into.1 -
That feeling when you debug the Users table in sql, which has a Password field encrypted with hash, but most of the demo users use the same Adminadmin password, so you recognize the other users password because you rembered the hash1
-
Just a thought:
Google can piss off everyone by adding a "Confirm password" field in the sign in page.
*muhahahaha*1 -
One thing I don't understand, when I want to sign into iTunes Connect website, I have auto fill filling credentials, Apple first shows only email field, click next, then it shows password field, click next then you are logged in.
Why is it like this? Username and password are both filled, but yet need to click login twice to access my account -_-4 -
Fun fact: If you ever want to see the password you are typing or view the contents of a password field in a form, just pull up the web inspector. You can change the input type from "password" to "text" with no ill effects upon submission.
The lesson? When populating password fields, put junk values in there instead. Will present the right appearance, and doesn't risk exposing something that should be stored as a salted hash anyway.3 -
Stupid UX on Apple app store connect website!
*Enters email
*Enters password
*wrong password, password field still focused
*starts typing: email field focused and all content is written there now .....
Why?2 -
For credential errors on login forms..
Do you guys follow the “OWASP standard” and won’t let the user know which field (email or password) was incorrect, just a general message or the more UX-way and let them know that it is for example the password that doesn’t match with given email (if it exists)? 🤔
Had a minor “discussion” about this with our sales-guy this afternoon why that I’m (as the full-stack, and only, developer there) not that of a fan about the UX-way.. (even thou ‘security’ is a “myth”). 😁9 -
So... Apparently you can do ctrl+backspace in steam's password field and it deletes up to the last space instead of deleting the whole password... Nice.2
-
ESSO Password Manager.
Prepare to cry after ESSO inputs your password in the username-field instead of the password-field the third time while your colleagues are watching...2 -
Yesterday and today combined I spent about 8 hours trying to get my PGP / GPG passphrase to work. Absolutely magically, somehow a newline character had gotten into the passphrase. Yes. That's possible. On macOS, that is.
On my Windows machine I have the same fucking private key protected with the same password. Now try and get a non-windows newline character into any Windows password field, be it a command line or some GUI input. WTF! You'll lose a year of your life with every passphrase error while you have the actual passphrase.
So after all these hours trying to hack my own GPG keystore without success, I remembered how the private key got on my Windows machine in the first place: see tags.4 -
I can't sign in to my wifi router on my phone because of a stupid JS bug. When you tap on the password box it uses JS to check if the username field is blank. If it is, it auto focuses on that instead. The problem is that it doesn't it think the username field has any content even when it does. So I can't enter my password! I tried blocking JS, then it doesn't render anything. It has no accessibility at all. Thanks a lot TP-Link.8
-
Okay why in the world is Console.Readline() in C# such a bitch? So I was working on this small simple chat application using C# and I had a super-freaked-out-ugly-code-vending team mate who volunteered to build the server side code. After trudging through his elaborate and highly complicated plan of working for the server, I decided to make the client accordingly and for close to an hour I had no clue why the program was sending an empty password field. A few debug messages later I realised that a line of code was getting skipped. The compiler was happily ignoring the Console.ReadLine that asked for the password from the user. I swear I felt like one of those parents in the shopping mall with their really disobedient kids.
Btw, I still haven't figured out how to fix the bloody thing.
PS: First rant post woohooo!4 -
Okay this is my first time posting on this site. I've browsed it (definitely not in class) and the community looks beautiful, so I'm going to just kind of slide in here. Anyways this is the part where I use my caps lock button and type lots of naughty words I guess...
<rant type = 'school'>
Our programming classes are fucking DISMAL uuugh... Okay so we have four technology classes: Tech Exploration, Coding 1, Coding 2, and Intro to CS (a 'high school' level class)... So this means a fuck ton of kids in programming classes, mostly because I WANNA MAKE MINCERAFT AND BE A KEWL BOI LIKE GAME DEV BUT I'M ALSO A FUCKING IDIOT AND WILL NOT LEARN ANYTHING YAAAAAAY but that's a mood and so there's a fucking tidal wave of dumb kids in these classes. So right we're dealing with like 80 kids per class period. Sorry if I'm repeating myself but there are a FUCKTON of students. Now, we have... wait for it... ONE FUCKING TEACHER. ONE. I fucking swear this district does not give a SINGLE SHIT about possibly THE SINGLE FUCKING MOST IMPORTANT SUBJECT WHYYYYYY... Okay so the teacher is kinda overworked as fuck lol. She can't really teach eighty kids at once so she mostly gives us exercises from websites but when she can she teaches us shit herself and actually knows a good bit about her field of study. She's usually pretty grumpy, understandably, but if you ask her a good question that makes her think you can see the passion there lol. So anyways that's a mood. Now at the other school it's even worse. They have this new asshole as a teacher that knows NOTHING about ANYTHING IT IS SO FUCKING REDICULOUS OH MY UUUUUGH... THEY STILL DON'T EVEN KNOW WHAT A FUCKING LOOP IS LIKE OKAY YOU'VE BEEN TEACHING PROGRAMMING FOR A YEAR AND YOU'RE THE ONLY ONE TEACHING IT AT THAT DISTRICT SO MAYBE YOU SHOULD AT LEAST FUCKING TRY WHAT IS WRONG WITH YOU... so he just makes them do shit from a website and obviously can't do half of the shit he assigns it's so fucking sad... I swear this district is supposed to be good but maybe not for the ONE THING I WANT IT TO BE GOOD FOR. Funny story: in elementary school once I wrote down school usernames for people I didn't really know and shared them a google doc that said "you have been hacked make a more secure password buddy" etc etc and made them the owner and these dull shits report it to the principal... So I'm in the principles office... Just a fucking dumb elementary school kid lol and the principal is like hAcKiNg Is BaD yOu ShOuLd NoT dO iT and I'm like how did you know it was me... so he goes on to say some bullshit about 'digital footprint' and 'tracing' me to it... he obviously has no clue what he's saying but anyways afterwards he points to where it says last change made by MY SCHOOL ACCOUNT... HOW DULL CAN YOU FUCKING POSSIBLY BE IT WAS FROM MY ACCOUNT THAT LITERALLY PROVED THAT I DID --NOT-- 'HACK' INTO THEIR ACCOUNT YOU DUMB FUCK. Okay so basically my school is a burning pile of garbage but it's better than most apparently but it's GARBAGE MY GOD... Please fucking tell me it gets better...
okay lol that was longer than I thought it would be guess I just needed to vent... later I guess
</rant>12 -
As a long time Ubuntu user, last month I upgraded from Xenial to Bionic to try the new Gnome based desktop.
At first I thought it was a good transition, everything was working fine, beautiful UI, nice animations, so I installed all my tools and started the real work... then the problems started. The memory usage was always very high and only getting higher, the animations were stuttering and laggy, and it was having an unrecoverable freeze at least twice a week. Searching the web I was seeing more and more people complaining about freezes, lags, bugs, memory leaks, password input field bugs... damn, how I missed Unity! That was it, Gnome Shell made me miss Unity more and more.
This week I installed Unity 7 and purged Gnome Shell from Bionic. Now I'm happy again!
It's so good to be free of the anxiety caused by the lack of stability of the system, so good to know that the system will not break or freeze if I'm doing a resource intensive task. Now he sh** is working fast and stable, and I'm here wondering why such a good DE could be dumped for something so buggy like Gnome.1 -
So, I’ve been given the task of sorting the security out in an application plugging the holes and whatnot as to be honest it’s shocking haha. It doesn’t help that we automate security audits but that’s a different rant for another day.
We’re using devise for authentication (rails standard, ♥️ devise), we have no password resets through the login page, it has to be manually reset by ringing support, why who knows, even though it’s built into the gem and we allow the user to login using an username instead of an email because for whatever reason someone thought it was a bright idea to not have the email field mandatory.
So I hop onto a call with the BAs, basically I go that we need to implement password resets into the login page so the user can do it themselves and also to cut down support calls a ticket is already in place for it. So I go through the standardised workflow for resetting a password. My manager goes.
“I don’t think this will be very secure”
Wait.. what. Have you never reset a password before? It’s following the same protocol as every other app.
We go back and fourth and I said I’ll get it checked with security just to keep him happy.
The issue mainly is well we can’t implement password resets due to 100s of users not having an email on there account.. 🙃 so before we push this change we need to try and notice all users to set a unique email.
Updated the tickets. All dandy.
Looking at the PRs to see what security things have been done if any and turns out one of the devs in India has just written a migration to add the same default email to every user that doesn’t have an email present and yep it got merged. So I go revert the change but talk about taking a “we don’t care about security approach”.
Eventually we want to have the user reset their passwords and login using their email and someone goes a head and does that. Not to mention the security risk.
Jesus Christ I wonder why I bother sometimes.2 -
I can't stress this enough: Fuck Workday as an ATS. Nobody wants to create a new Workday account with a new password for every company that they want to apply to. Like which moron PM at Workday thought this was a good idea? Not to mention Workday's terrible resume parser, which requires you to essentially manually enter your entire resume because the parser only picks up the first word of each job description on your resume (and even then it puts that one word in the wrong field.)
-
you guys ever seen a webservice returning view elements for the front end to interpret and generate views using a switch
switch(data.type)
{
case password:
// generate password field with returned value
...
}
is this really some new practice in back end / front end design ? it just frustrates me so much. web service should be returning data only. i can't maintain this code it's too much crap.2 -
Why does #Devrant (idk if #'s are a thing here) not have a confirm password field?
Come on... I doubt it annoys users and it saves people a lot of hassle, especially when we are logging in on multiple devices :/ I know lots of people who type their password wrong the first time and later on they can't login and get frustrated and confused then end up resetting via email.
Also why no login with Google etc~ that's kinda annoying too...3 -
Apparently you cannot filter based on two parameters in firebase so something similar to "select * from table where email='something' and password ='something' " doesn't work .
So a shitty hack is to create a string to concatenate email and password and store it as a field and validate based on that field.
So basically there is a field in database which is
Sha256("emailid"+_+sha256("password"))2 -
Web development -
Caution: boring question
Have anyone worked on anything like a form builder like by giving a name generating a table with default columns and new folder for controller , models inheriting a base class that can provide a CRUD functionality ?
In my company they have a cool module builder that allow you to add any field email ,file, password,connector field - connect two modules one 2 one relationship clonable field many to many built on php.
I tried and created one using python Flask framework but without restarting app the routes are not getting registering asked in stack overflow got downvoted
Any thoughts?3 -
I was given a perl script to help change ubnt airos devices passwords from the command line. I was give no instructions on how to use it and I am not use to working with perl If anyone can give me some help I would really appreciate it. Here is the code.
#!/usr/bin/perluse
FindBin qw($Bin $Script);
use WWW::Mechanize;
die "Syntax: $Script ...Changes the password on 1 or more AirOS units." unless @ARGV >= 6;
my $user = shift @ARGV;
my $op = shift @ARGV;
my $np = shift @ARGV;
my $rouser = shift @ARGV;
my $ropass = shift @ARGV;
my @addresses = @ARGV;
open L, ">>$Bin/$Script.log" or die "Unable to write to $Bin.log: $!";
sub l {
print STDERR @_;
print L @_;
}
for my $a (@addresses) {
l "Changing password on $a\n";
my $mech = WWW::Mechanize->new();
my $entry;
my $start = "http://$a/login.cgi?uri=/system.cgi";
$mech->get($start);
$mech->field('username',$user);
$mech->field('password',$op);
$response = $mech->submit();
# to get login cookie
if (!$response->is_success) {
l $response->status_line, "\n";
}
$mech->get(qq|http://$a/system.cgi|);
$mech->field('NewPassword',$np);
$mech->field('NewPassword2',$np);
$mech->field('OldPassword',$op);
$mech->field('ro_status', "enabled");
$mech->field('rousername', $rouser);
$mech->field('roPassword', $ropass);
$mech->field('hasRoPassword', "true");
$mech->click_button(name => "change");
$response = $mech->submit();
if (!$response->is_success) {
l $response->status_line, "\n";
}
$response = $mech->get(qq|http://$a/apply.cgi|);
if (!$response->is_success) {
l $response->status_line, "\n";
}
}close L;
exit 0;8
Top Tags
Weekly Rant
View