Hall of Shame: Office 365

When testing the brand-new Microsoft Office 365, I ran accoss this error:

All I can say: Why? Why would you restrict password length?  This is a new product, so you cannot use the old "We need to be compatible with legacy accounts" on me here.

There is no good reason to do this. Especially when you are securely hashing my password. 
You are storing the password securely, right?  Right?

Hall of Shame: Virgin America

While logging in with the correct password, I get the error message you see here.   If you are like me, you are wondering by now...

• What happened?
• Who decided that I need to change my password?  
• Why is that date important?

Anybody who has ever worked into a major corporation for more that a few months, know that this is not the way one makes users change their password.

In the real world, forced password resets depend on the time that the user last changed their password, and do not use the password reset process.    Normally, you get a simple form which asks for the old password and the new password twice, and you are on your way.

The fact that one need to do password recovery via email most likely means: Somehow, Virgin's password database got compromised to the point that they can no longer trust authentication with a password set before April 26th 2012.  There is no other good explanation.

Packing up my "Second Life" store.

Yes, the moment has finally arrived.  I started experimenting with the "Second Life" platform in 2005, become moderately in successful in 2006 but since then, after the 2007 boom, interest and traffic has kept decreasing at a steady rate.

When my latest hosting bill came in, the profit number finally fell below zero and turned red.

It's been a good run, but I have a first life to deal with. If anybody of the SL crowd is interested in any of the systems I have built in the past, drop me a line.

Hall of shame: Western Digital

When setting up my otherwise pretty nifty NAS, I stumbled on this error message when setting up the administrator password.  This leads me to the usual questions:

1. Why limit to 16 characters?  Are you storing this in plaintext, and is that the size you allocated for it?
2. Why do "double quotes"?  Are you not trusting your own input validation and escaping routines?
3. What's up with the double errors? Does your system have a stutter?
4. Why not let me know before I enter my password, what the requirements of said password are?

 

 

Hall of shame: Ticketmaster.com

There are many reason why I despise Ticketmaster, such as their ridulous "because we can" fees, "convenience fee for using the website", "fee for printing your own tickets on your own paper, using your own printer, with various ads on it", etc. 

But this series is about security worst practices, so here goes another password FAIL. 

Extra points for having a timer that gives people 90 seconds to fill in the form, come up with a secure password, and read the T.O.S. and privacy policy (each a couple dozen pages).