Tuesday, July 29, 2008 -
The last few weeks have been rife with weirdness. On three separate occasions I've been jarred into an alternate Macarena universe where I can still get Lucky Charms from WebVan. No really.
You see I can be slightly obsessive and when I'm confronted with a situation or some form of left-field reasoning that I can't figure out, I lose it. Sometimes things just stick in my head and I just ... Snow Crash.
My wife and I were once discussing diets and my wife, out of sheer frustration, decided to assault me with Gratuitous Negatives:
"Just because they don't know they're not fat doesn't mean they shouldn't go on a diet"
The conversation ended at that point. I ask her from time to time what she meant, and she literally won't tell me. I love her so.
So here I am, once again, with my mind tied in a thousand little knots; afflicted by some seriously ridiculous "WTF" logic problems. I need to go to sleep at some point, so I'm going to ask for your help: please help me to figure out the 3 things below, won't you?
I'm not asking for a virtual shoulder to cry on, nor for a comforting pat on the back as we rage against MAN. What I really want, nay what I CRAVE, is for you to lend me your cortex and (seriously) offer some reason to the madness to follow...
Exhibit A: Your Password SUCKS
For your consideration - the American Express cardholder website. I had to register there tonight and was asked for a password:

What was I thinking! Let's just cut to the chase here:
"Passwords cannot be more than 8 characters... as [Deity] intended".
Completely perplexed, I found their password policy on their Change Password page (buried deep in their site, under "Advanced Services"):
This.
Is.
Lame.
SQL Injection fears, special data types on the database, or perhaps a special encryption routine that doesn't like a lot of extra stuff to encrypt? Laziness?
If it is a data type issue (maybe they have char(8) or something), doesn't this mean my password is stored in clear text? If you encrypt text with any popular encryption scheme ... doesn't it use "special" characters?
Are they serious?
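What an 8-character cap implies about storage, as an added example (my code, not American Express code): a fixed-width column forces a cap only if the stored value grows with the password, which means the password itself or a same-length reversible encryption of it. With hashed storage the record is the same width whatever the user types, and it is hex, so quotes and semicolons never get near a query. The iteration count, the record layout and the CHAR(8) column are my assumptions, not anything the page confirms about Amex.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example, not American Express code. It contrasts the kind of
# back end that produces an "8 characters, no specials" rule with hashed
# storage, where the column width says nothing about the password.

LEGACY_COLUMN_WIDTH = 8  # assumption: a CHAR(8) column holding the password itself


def legacy_accepts(password: str) -> bool:
    """A fixed-width column storing the cleartext (or a reversibly encrypted
    copy of the same length) is the only storage model that needs this cap."""
    return 1 <= len(password) <= LEGACY_COLUMN_WIDTH


PBKDF2_ITERATIONS = 600_000  # assumption: current OWASP figure for PBKDF2-HMAC-SHA256


def store_hashed(password: str, salt: Optional[bytes] = None) -> str:
    """Return the storage record for a password. The record has the same width
    for any password length, and it is hex, so quotes, semicolons and other
    "special" characters in the password never reach the database."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Layout (my assumption): algorithm$iterations$salt-hex$digest-hex
    return "pbkdf2_sha256${}${}${}".format(PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_hashed(password: str, record: str) -> bool:
    """Recompute the digest under the record's own parameters and compare in
    constant time, so verification does not leak how many bytes matched."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def record_width(password: str) -> int:
    """Width of the stored record; it does not depend on len(password)."""
    return len(store_hashed(password, salt=b"\x00" * 16))


if __name__ == "__main__":
    short_pw = "Hunter2!"                                      # fits the 8-char cap
    long_pw = "a 40-character passphrase with ' and ; in it"  # rejected by the legacy column
    print("legacy accepts short/long:", legacy_accepts(short_pw), legacy_accepts(long_pw))
    print("hashed record width short/long:", record_width(short_pw), record_width(long_pw))
    rec = store_hashed(long_pw)
    print("verify correct:", verify_hashed(long_pw, rec), "wrong:", verify_hashed(short_pw, rec))
```

The point of record_width is the one the post is circling: if the back end hashed, an 8-character cap would buy it nothing, so the cap is evidence that it does not.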
Exhibit B: Amex Is Not Alone, Apparently
I had to do some work on my retirement stuff tonight (in a strange coincidence) and like I always do - I forgot my password. I assumed it was my "strong" password that I use for sites like this, but it wasn't. So I decided to change it online. In doing so, I came across this little gem (Scott Hanselman originally wrote about this - but I encountered it just tonight):
The best part here is that my login is my social security number. So if someone managed to nab that, it's a quick Rainbow hack and you've got the retirement money I'm not saving. Seriously - lucky for me I don't save my retirement, Fidelity seems to want to give it away for me.
Exhibit C: Twitter's Warp Engines Are Stuck
The other night I was at my hotel and I overheard a classic 1999/2000 Dot Com power dinner where two guys were trying to name their startup. Aside from making me ill with memories of egregious silliness, I found their naming process to be... well ... egregiously silly. So I Twittered it - I couldn't help myself.
They were being loud and obnoxious so I figured I'd let the rest of the world in on my painful flashback and over the course of the next 45 minutes, I sent six Tweets from my cell phone using SMS:
You've probably noticed this looks like gibberish and makes little sense. You may also have noticed that the times on the Tweets are literally seconds apart. What you can't see is that they are 4 hours late in arriving.
I'm not going to jump on Twitter any more. It's become obvious that they like that sort of thing and a new "Masochistic Marketing" trend has taken over the industry. Maybe it's Emo Marketing: "Hey look how bad I suck... /sigh". Anyway, beating up on Twitter's not what I want to do here - what I want to do is figure out WTF happened - how could my Tweets have been scrambled?
Assuming that the messages were received when I sent them (otherwise you'd get a delivery failure), the only things I can come up with are:
I think it's number 3. It's strange enough that it must make sense.
But why are they out of order? OK OK OK so let's assume they were "over capacity" once again - the messages GET QUEUED, right? Otherwise they wouldn't show up! If they get queued - there has to be some order there, some way for the DB to know which ones came first!
Seriously how do you blow the ordering? And to emphasize: I'm not trying to beat up on Twitter (it's pointless) - I need to know (given the evidence) how this could happen!
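How a queue can blow the ordering, as an added example (constructed; not Twitter's code and not the author's real tweets): a carrier can hold SMS for hours and then hand them to a gateway in a burst, in whatever order its own queue produces. Each delivered SMS carries the service centre's timestamp from when the phone submitted it (assumed here to be available to the application as submitted_at). A service that stamps created_at with its own clock on ingest reproduces the burst order; one that keeps the submission timestamp reproduces the sender's order no matter how long the messages sat in between.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass(frozen=True)
class DeliveredSms:
    text: str
    submitted_at: datetime  # assumption: the SMSC timestamp (TP-SCTS) delivered with the message
    arrived_at: datetime    # when the gateway handed the message to the application


# Constructed batch, not the author's real tweets: six messages submitted over
# 45 minutes, held by the carrier, then delivered in one burst four hours later,
# two seconds apart and not in the order they were sent.
SENT = datetime(2008, 7, 25, 20, 0)
DELIVERED = SENT + timedelta(hours=4)
_TEXTS = ["tweet 1", "tweet 2", "tweet 3", "tweet 4", "tweet 5", "tweet 6"]
_DELIVERY_ORDER = [3, 1, 6, 2, 5, 4]  # message numbers in the order the gateway delivered them

BATCH = [
    DeliveredSms(
        text=_TEXTS[n - 1],
        submitted_at=SENT + timedelta(minutes=9 * (n - 1)),
        arrived_at=DELIVERED + timedelta(seconds=2 * slot),
    )
    for slot, n in enumerate(_DELIVERY_ORDER)
]


def timeline_by_arrival(batch: List[DeliveredSms]) -> List[str]:
    """What a service shows if it stamps created_at with its own clock on
    ingest: the timeline reflects the gateway's burst, not the sender's order."""
    return [m.text for m in sorted(batch, key=lambda m: m.arrived_at)]


def timeline_by_submit(batch: List[DeliveredSms]) -> List[str]:
    """Stamp created_at from the carrier's submission timestamp instead and the
    original order survives any amount of queueing between phone and service."""
    return [m.text for m in sorted(batch, key=lambda m: m.submitted_at)]


def worst_delay_seconds(batch: List[DeliveredSms]) -> int:
    """Longest gap between submission and arrival, in seconds."""
    return int(max((m.arrived_at - m.submitted_at).total_seconds() for m in batch))


if __name__ == "__main__":
    print("by arrival:", timeline_by_arrival(BATCH))
    print("by submit: ", timeline_by_submit(BATCH))
    print("worst delay:", worst_delay_seconds(BATCH), "seconds")
```

Whether the real pipeline had the submission timestamp available at the point it assigned an ordering is not something the post can tell us; the example only shows that losing it is enough to produce exactly the symptom described: correct-looking timestamps seconds apart, four hours late, in the wrong order.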
Wow. As a recent AmEx cardholder, I faced the exact same WTF moment. Really, what is going on there under the hood that would make you specify a password between 6-8 chars? Oh yeah, and thanks for not allowing "special chars". I'm sure the hax0rz will love that one. And it's American Express!
I'm not sure, but potentially the dodgy PIN algorithm is to allow direct communication between the site and their mainframe, which may not support the special characters. Just a thought.
Dave the Ninja
The Twitter issue could also be due to your cellphone service provider. I've seen it happen a few times that an SMS (or group of SMSes) was delivered only after a few hours.
My bank restricts you to ONLY 8 characters, no less. And nothing fancy there either.
The SMS issue sounds to me like it's more the fault of their SMS gateway or your carrier than Twitter itself, since the service was running normally when you sent those.
The only reason I can give for the ridiculous password restrictions is that all financial service providers use one of the big auditing firms, where anyone can become an IT auditor, no technical background necessary, and the guy who wrote the "Best Practices" misunderstood the technical expert when he said "a minimum of 6-8 characters". I've had this fight multiple times with auditors who try to insist that I implement the same archaic password rules on our systems.
The whale was sick. Jonah didn't fly out the blow hole. LOL.
I recently wrote to my bank saying this exact same thing. They sent me a letter saying they'll "investigate". Yeah right.
It's a crazy world. More and more is being computerised and we've got nonces writing code.
I think that programmers should be licensed. If you don't have a license, you don't get to write anything that the general public will see. full stop. Far too many sites are completely insecure. It's going to hurt if we don't do something about it.
As Theodor said, your Twitter thing could've actually been your service provider. I've had late messages many times, and even a few times I've had messages in the wrong order.
I once had a great one: "(2 of 2)age, need to speak urgently!" Way to get me worried.
tgmdbm, don't blame the developer. Someone handed them the spec. And they chose to keep their job rather than fight.
The banking issues are more than likely due to their core host system lacking proper storage space to store longer passwords. It also means that your password is stored in clear text somewhere.
Trying to make sense of Twitter is like trying to take pee out of a pool.
I started reading this post about 4 hours ago, and I've been stuck going over and over the gratuitously negative statement ever since - an email notification managed to jar me out of the trance, luckily.
The Amex login is something that gets me every single time I try to log in to the website - I think that there's only 2 outlets in the entirety of the UK that actually accept amex, so it doesn't get used very often.
Every single time I have to go through the password reset thing, then I get to the page that you show and it gives me an idea of what my password might be if I was hideously constrained during the creation of my password.
I would tend to agree with John S.'s idea for the Twitter problems; if there was some sort of backlog on the SMS gateway then this could possibly account for the out-of-order-ness of the messages.
It could be worse. I remember when my friend's mobile operator's gateway glitched and over the course of about 5 hours I received around 50 copies of a message that simply said 'GUESS WHAT?' - I seriously thought she was taking the piss! The worst thing was, when I finally found out what I was supposed to be guessing, it was the anticlimax of the century.
Seems most likely that the 8 char pwd limit is a sql injection defense. But you'd think they'd parameterize the query or something rather than imposing the restriction on users...
I've noticed that my bank has used numeric-only PINs for years and years. Seems pretty low on the security scale for a bank... It's to allow the users to use the same PIN (personal identification NUMBER) in their IVR (phone) system and their website. I haven't used IVR for banking in like 8 years! Why would they compromise the security of their site even a little bit for a 'marginal' usability feature (ability to keep the same PIN/pwd for two access points)? Is my bank the only one that does this? I noticed that the Fidelity site used the term PIN - is it actually a numeric-only field too? The error message suggests that characters are allowed...
I think this is a legacy issue. Your same Amex web site password is used for data exchange with other banks and programs like QuickBooks. I'm guessing the protocol only supports 8 characters for pins/passwords because my bank is the same way.
I'm in favor of password fields that support just about any character and are long enough for a whole sentence. From what I've read special characters don't make passwords nearly as secure as longer length. A pass-phrase or sentence should be supported by all applications where possible.
Allan N is on the right track. Your password is a PIN... something that can be punched in via telephone. Thus no spaces, or special characters. Just numbers and letters.
I know because at Fidelity, if I use '1234cat' as my PIN, I can type it on the phone as '1234228'.
That is, as long as I'm not using my Blackberry which has a totally different letter to number mapping than traditional phones. :-)
In fact here it is in there help...
personal.fidelity.com/.../pinchange2.shtm with pin#f3
Thanks to you, I have to buy a new keyboard since beer from my nose destroyed the other (you should see this 10 pound IBM piece I am typing on now, the keystrokes are loud enough to generate an echo). I think you should pay half. Exhibit C, number 4 - hilarious!
Exhibit A should be illegal, Exhibit B I understand, and Exhibit C, well, you can just do like I do and blame every problem with Twitter on Ruby on Rails.
Regards...
It's a good thing that I don't use AE. I don't buy the mainframe argument. Why would they need your PIN to pull the information anyway? What about employee access? But whatever the reason is, I think whoever is responsible for that password scheme should be fired. There is no reason for a financial institution to have such a horrible password scheme. Boycott them :)
I see Twitter as an unreliable message delivery system and so they behave as such. So it's kinda expected for me.
Hummm... Nothing to tell you about. I just know that most banks still have mainframes and those have some limitations. Maybe they don't support Unicode and only ANSI and nothing else.
Maybe an Architect Astronaut somewhere put his foot down to have passwords of 6-8 characters with no special characters.
What I think is that they somehow want you to be able to "type" your password on a phone keyboard (you notice there are no special characters?).
Ah well... sure as hell don't like that. At my bank (QC, Canada), the password needs to have 4 digits (linked to the phone system) and then letters and numbers as wanted.
I haven't tested special characters.
Sure hope I lit some lanterns over there, Rob :)
I've got a nice one for you Rob:
Garanti Bankasi is one of the largest banks in Turkey and they have a very good quality internet banking site that has been awarded "Best Banking Site" by various agencies both within Turkey and abroad.
Just the other day, my friend ran into an oddity while performing a transaction on the Garanti banking site. He was trying to pay a utility bill but the billing system had changed and now he had to supply a new number called the "Company Code" along with his subscriber number. So he started to follow the instructions on how to do that.
It turns out that this "Company Code" number is formatted on the utility bill as dotted numbers, eg. "212.1.2.3.4". The instructions were very clear on how to enter this number on the web form:
- Replace all the dots in the string with zeros.
- Enter the thus obtained 11 digit number in the text box.
So, my colleague tried to do exactly that, except he realized that he ended up with a 12 digit number that the system didn't accept. He tried to drop the last digit, the first digit, etc, and all failed. Then, he took a step back and realized that his number was like "212.1.2.3.45" and that maybe, just maybe, he should not put an extra zero in front of the last group "45". He tried it like that and it worked.
Seeing how brain-dead the instructions were and how most people wouldn't be able to perform the given task even if it worked properly, he went on to type a complaint email to the bank. The day after, a bank representative called him back trying to explain how it had to be done like that and how there was no other way, during which time he was trying to convey how the instructions were wrong. So after this unsuccessful phone conversation, he let the matter go, thinking it wouldn't be rectified.
This morning, however, he realized that they had updated the instructions. Now the instructions were saying that all dot-separated groups should be padded by zeros if necessary to make them two-digit numbers and the resulting 11-digit string should be typed into the textbox without dots.
So, can someone explain to me, why on earth would anyone (and I mean ANYONE) want the customer to perform something like that when you can just Split->Pad->Join all the digit groups?
I believe the only answer that makes any sense is "42".
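The Split->Pad->Join normalisation the comment above asks the bank's form to do for the customer, as an added example (my code, not Garanti's). The 11-digit target, the three-digit first group and the two-digit groups after it are read off the examples in the comment; treating that as the format's layout is my assumption. The original "replace the dots with zeros" instruction is kept alongside to show exactly where it breaks.

```python
import re

# Constructed example, not Garanti's code. The utility bill prints the code
# with dots, e.g. "212.1.2.3.45"; the bank's form wants an 11-digit string.

COMPANY_CODE_LENGTH = 11  # taken from the comment's instructions
_DOTTED = re.compile(r"^\d+(\.\d+)+$")


def company_code_dots_to_zeros(code: str) -> str:
    """The bank's original instruction: replace every dot with a zero.
    Works only when every group after the first is a single digit; a
    two-digit group such as the "45" in the comment yields 12 digits."""
    return code.replace(".", "0")


def company_code_split_pad_join(code: str) -> str:
    """The corrected rule: split on the dots, left-pad each group to two
    digits, join without dots. Raises ValueError when the input cannot be a
    valid code, so a typo is rejected instead of silently mangled."""
    code = code.strip()
    if not _DOTTED.match(code):
        raise ValueError("expected dot-separated digit groups, got %r" % code)
    groups = code.split(".")
    # Assumption about the layout: groups after the first are at most two digits.
    if any(len(g) > 2 for g in groups[1:]):
        raise ValueError("group longer than two digits in %r" % code)
    result = "".join(g.zfill(2) for g in groups)
    if len(result) != COMPANY_CODE_LENGTH:
        raise ValueError(
            "%r normalises to %d digits, not %d" % (code, len(result), COMPANY_CODE_LENGTH)
        )
    return result


def accepted(code: str) -> bool:
    """True when the form should accept the bill's dotted code as typed."""
    try:
        company_code_split_pad_join(code)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ["212.1.2.3.4", "212.1.2.3.45"]:
        naive = company_code_dots_to_zeros(sample)
        print(sample, "->", naive, "(%d digits via dots-to-zeros)" % len(naive),
              "|", company_code_split_pad_join(sample), "(split/pad/join)")
```

The comparison the commenter's friend stumbled through by hand is the two print columns: for "212.1.2.3.4" both rules agree, for "212.1.2.3.45" only the padded form lands on 11 digits.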