I got a “we’ve had customers accounts breached, please update your password” email the other day.
They specifically called out you can’t use # in your password, and it’s been bugging me why that is. What part if their system let’s in other special characters but # is off limits?
Now that I’m thinking about this it’s bugging me too. If they are passing it to shell scripts maybe it’s interpreted as a comment? Some databases like Oracle use # to separate schema prefix from schema user and table name in a query? But none of those would really make sense here 🤷
EDIT they are storing it in plain text, with other values using # as a delimiter? lol
“Shouldn’t” and “won’t” are too very different words. There are plenty of shitty programmers out there, and they tend to band together. And now you have vibe coders on top.
Doesn’t even have to be legacy, some programmers are just completely unaware of the concept of security. I’ve seen services where the forgot password functionality would send your existing password back to you in plaintext.
What? No punctuation marks? Special characters like !@#$%^&*()_+?
I got a “we’ve had customers accounts breached, please update your password” email the other day.
They specifically called out you can’t use # in your password, and it’s been bugging me why that is. What part if their system let’s in other special characters but # is off limits?
Now that I’m thinking about this it’s bugging me too. If they are passing it to shell scripts maybe it’s interpreted as a comment? Some databases like Oracle use # to separate schema prefix from schema user and table name in a query? But none of those would really make sense here 🤷
EDIT they are storing it in plain text, with other values using # as a delimiter? lol
I considered database stuff, but my password shouldn’t go anywhere near the database!
If they are storing it as plain text in this day and age, then there is no hope for the human race 🤦
“Shouldn’t” and “won’t” are too very different words. There are plenty of shitty programmers out there, and they tend to band together. And now you have vibe coders on top.
Based on the place (a supermarket rewards card), I’m assuming legacy code. But you’re right, the most likely answer is it’s shitty legacy code.
Doesn’t even have to be legacy, some programmers are just completely unaware of the concept of security. I’ve seen services where the forgot password functionality would send your existing password back to you in plaintext.