Password policies, logins, security completely broken
13 points by robomartin on Oct 19, 2020 | hide | past | favorite | 1 comment
I spent the entire day today helping my wife migrate to a password manager. Not being a security-aware techie, she checked off every single item in the "you should not do that" list. From passwords that can be hacked in 2 minutes flat to using the same password (or single character variants) on dozens of sites. And, of course, passwords stored in Chrome, Safari and others in her head. Frankly, I was surprised she finally agreed to migrate to a password manager.

Yet, that's not what this post is about. We had to change the password, secret questions and sometimes user ID on dozens of sites. Through this journey of somewhere in the order of a dozen hours I got to see the good, the bad and the ugly (really ugly) of nonsensical password policies and laughable-if-it-wasn't-serious approaches to user login, UI, uid and pwd recovery, password policies, confusing login sequences, logins requiring visits to multiple websites to log in to a service, ridiculous login URLs, sites with parking pages for the main site and a full site only on a subdomain, and more. Frankly, I was horrified.

I wish I had kept detailed notes; I did not. I wasn't expecting this and we were just trying to get done. I am typing this from memory.

The first "what are they thinking?" that came to mind is Trello. Yup. If you go to trello.com/login to log in, it presents you with a normal-looking user and password form. As soon as you enter your email the password field goes away and you are presented with one option: a "Login with Atlassian" button.

Imagine my wife's surprise. She has no clue who Atlassian is or how it might be related to Trello. Why do I have to have an account with Atlassian?

To make matters worse, the Trello login URL and the URL that you are routed to once you click the "Login with Atlassian" button (to then enter the password) are different, of course. Which means that your password manager is now confused because you entered your user ID at trello.com and now your password has to be entered at atlassian.com.

Really, seriously, what rocket scientist thought this would be a good idea?

And then you have banks and credit card companies with the weirdest password policies. Anything from 8 to 12 characters and almost randomly chosen ideas on upper case, lower case and symbol content.

One memorable one had useful guidance under the password creation field. One line per policy and a checkbox that would turn green and be checked if you met that requirement. So, you start typing a password and different checkmarks light up.

One of the requirements was "A symbol from this set:" followed by a bunch of symbols.

Well, guess what, "A symbol" quite literally meant ONE and only one character. Which means that the randomly generated password from the password manager (which contained a good assortment of upper, lower and symbols) never passed the test. Until I realized that "a symbol" actually meant only one, rather than many. Problem solved... time wasted.

Oh, and speaking of typing...

Yet another website, I think it was a credit card, refused to allow us to log in after changing the password. We must have done the password recovery thing three times. We'd generate a fresh 32 character random password, click-paste on both fields, click "Save" and go. The site accepted the password happily and said "You succeeded in changing your password".

Every single time we tried to log in it said we had a bad password. Unbelievable.

Well, it turns out that they had a policy limiting password length to 16 characters. In order to see this you had to click on a link labeled something like "password tips". We did not.

What these geniuses did was to TRUNCATE (yes, I am yelling) the 32 character password from the password manager and store that. Since the truncated version matched in both recovery fields, they said "success!". They said nothing about having truncated it. So, when you try to log in with the full 32 character pwd... it doesn't work. This was just maddening.

I came across another site with similar truncation, this one truncated to 12 characters. As if written by close cousins, this one did not warn the user about the truncation. The only hint was that the 32 dots became 12 every time I pasted the password. At least that was a hint!

And yet, one of my favorites belongs to our water company:

http://valenciawater.com/

No, no, that's right, it's a domain parking page. Yup.

I went there when my wife told me she was paying the bills at this URL:

https://webpay.valenciawater.com/iwr/user/login.seam

I set up the password manager to go to the root domain; after all, that payment URL could be changed, right?

Well, that's when I ran into the parked-domain-as-a-feature site (or whatever you want to call it). I could not believe this could belong to a legitimate water company. My first thought was that my wife had been paying money to some scam artist for months and I could not understand why our water had not been shut off.

So I did what anyone would do: I googled our water company and found they have a legitimate-looking website:

https://yourscvwater.com/

OK, that makes sense. I thought, OK, I'll find the proper login URL and set up the password manager accordingly. Sure enough, they service three regions; two of them are serviced through the URL my wife had been using:

https://webpay.valenciawater.com/iwr/user/login.seam

And the other through this other URL:

https://ipn.paymentus.com/rotp/scwd

Unbelievable.

Today's journey was a jaw-dropping trip through a valley of incompetence and an exhibition of a complete lack of common sense in web development. I don't know what to say other than to ask: Where do these clowns come from? These are not insignificant companies. And, in most cases, they handle money and important personal information for their clients. This is horrific. If people only knew...

PS: Don't get me started on password recovery and MFA policies...
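As an added illustration that is not part of the post above or of any of the sites it mentions, the following Python sketch reproduces the two failure modes the post describes, silent truncation on the change-password path and a policy that misreads "a symbol" as "exactly one", and puts a corrected version beside them. The length limits, the allowed-symbol set and the sample passwords are constructed for the example; PBKDF2 stands in for whatever hashing a real site would use.

```python
import hashlib
import hmac
import os

# Constructed limits and symbol set for illustration only; they are not taken
# from any of the sites mentioned in the post.
MIN_LEN = 8
MAX_LEN = 16
ALLOWED_SYMBOLS = set("!@#$%^&*()-_=+")


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 stand-in for a real password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class BrokenAccount:
    """Reproduces the silent-truncation bug: change_password clips the input to
    MAX_LEN before hashing, while login hashes whatever the user typed."""

    def __init__(self):
        self.salt = os.urandom(16)
        self.digest = None

    def change_password(self, new: str, confirm: str) -> str:
        new, confirm = new[:MAX_LEN], confirm[:MAX_LEN]  # silent truncation
        if new != confirm:
            return "passwords do not match"
        self.digest = _hash(new, self.salt)
        return "You succeeded in changing your password"

    def login(self, password: str) -> bool:
        if self.digest is None:
            return False
        return hmac.compare_digest(_hash(password, self.salt), self.digest)


def check_policy(password: str) -> list:
    """Return the unmet requirements (empty list means the password is acceptable).
    Over-length input is reported, never silently shortened, and 'a symbol'
    is read as 'at least one', so a password with several symbols passes."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"at least {MIN_LEN} characters")
    if len(password) > MAX_LEN:
        problems.append(f"at most {MAX_LEN} characters")
    if not any(c.isupper() for c in password):
        problems.append("an upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("a lower-case letter")
    if not any(c in ALLOWED_SYMBOLS for c in password):
        problems.append("at least one symbol from " + "".join(sorted(ALLOWED_SYMBOLS)))
    return problems


class FixedAccount(BrokenAccount):
    """Same storage, but the change-password path validates and rejects
    instead of quietly rewriting the user's input."""

    def change_password(self, new: str, confirm: str) -> str:
        if new != confirm:
            return "passwords do not match"
        problems = check_policy(new)
        if problems:
            return "password rejected; needs: " + "; ".join(problems)
        self.digest = _hash(new, self.salt)
        return "You succeeded in changing your password"


def demo() -> dict:
    """Walk both accounts through the scenario from the post and report the outcomes."""
    long_pw = "Vq7!xR2@pL9#mT4$wZ6%kC8&"  # constructed 24-character generated password
    short_pw = "Vq7!xR2@pL9#mT4$"          # constructed 16-character password within policy

    broken = BrokenAccount()
    broken.change_password(long_pw, long_pw)   # reports success, stores 16 chars

    fixed = FixedAccount()
    rejection = fixed.change_password(long_pw, long_pw)
    fixed.change_password(short_pw, short_pw)

    return {
        "broken_login_with_full_password": broken.login(long_pw),
        "broken_login_with_truncated_password": broken.login(long_pw[:MAX_LEN]),
        "fixed_rejects_long_password": rejection.startswith("password rejected"),
        "fixed_login": fixed.login(short_pw),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the broken account accepting the 32-style long password and then refusing it at login, while the first 16 characters get in; the fixed account refuses the long password up front with a message naming the limit, which is the behaviour a user with a password manager needs.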

I've run into the silent truncation before. I'd be happy if every site presents a username AND password field on ONE page, instead of on separate pages where you have to click twice to login.
