What’s wrong with the “security” people at the UK Mail Online?
They don’t set expectations and they don’t know that a password is a shared secret?
I wanted to make a comment on one of their stories. Doesn’t matter which one. But here’s the saga.
Comment box asks for Name and Location.
OK, that’s not bad.
Then, to get it published, you have to give them an email address and a password.
OK, that’s not too bad. (I have a page of one time passwords. But how many folks do? Most just reuse the same one.)
Then, it doesn’t like my password length. (I like 12; it wants 5 to 10. Do you think you might mention that on the page that asks for it? I feel like I’m playing gotcha!)
OK, that’s not too too bad. (I drop the last two characters to get to 10. No big deal!)
Then, it doesn’t like that I have a special character in it. (I like letters, upper and lower, digits and special characters picked at random: 26 lc + 26 uc + 10 digits + 4 specials = 66 symbols, so 66 ** 12 possibilities. I always score strong on most password ratings.)
OK, that’s not too too too bad. I drop the special characters and re-add the two characters I dropped before.
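As an added illustration (not from the post or from MailOnline), here is what those rules cost in keyspace, and what a form would look like if it stated its rules up front and reported every violation at once instead of one gotcha at a time. The four special characters are a constructed set, since the post only gives their count, and the “sane” policy is an assumed comparison point.

```python
import math
import secrets
import string
from dataclasses import dataclass

# Character classes the post counts: 26 lc + 26 uc + 10 digits + 4 specials = 66 symbols.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SPECIALS = "!@#$"  # constructed: the post says "4 specials" but does not list them


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password drawn uniformly from alphabet_size ** length."""
    return length * math.log2(alphabet_size)


@dataclass(frozen=True)
class Policy:
    min_len: int
    max_len: int
    allow_specials: bool

    def rules(self) -> str:
        """Human-readable rules, to show on the form before the user types anything."""
        specials = "allowed" if self.allow_specials else "not allowed"
        return f"{self.min_len}-{self.max_len} characters; special characters {specials}."

    def violations(self, pw: str) -> list[str]:
        """Every rule the password breaks, reported together rather than one at a time."""
        problems = []
        if not (self.min_len <= len(pw) <= self.max_len):
            problems.append(f"length {len(pw)} not in {self.min_len}-{self.max_len}")
        if not self.allow_specials and any(c in SPECIALS for c in pw):
            problems.append("contains a special character")
        return problems


MAIL_ONLINE = Policy(min_len=5, max_len=10, allow_specials=False)  # the rules the post describes
SANE = Policy(min_len=12, max_len=128, allow_specials=True)  # assumption: a long-password policy


def best_case_bits(policy: Policy) -> float:
    """Most entropy a uniformly random password can have under the policy."""
    alphabet = len(LOWER + UPPER + DIGITS) + (len(SPECIALS) if policy.allow_specials else 0)
    return keyspace_bits(alphabet, policy.max_len)


def random_password(policy: Policy) -> str:
    """Longest password the policy permits, drawn from the classes it allows."""
    alphabet = LOWER + UPPER + DIGITS + (SPECIALS if policy.allow_specials else "")
    return "".join(secrets.choice(alphabet) for _ in range(policy.max_len))


if __name__ == "__main__":
    print(MAIL_ONLINE.rules())
    print(f"post's own scheme:   {keyspace_bits(66, 12):.1f} bits")
    print(f"site's best case:    {best_case_bits(MAIL_ONLINE):.1f} bits")
```

The site's 10-character, no-specials ceiling trims roughly 13 bits off the 66 ** 12 scheme the post describes, before the password is ever stored or mailed.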
Then, it says we’ll email you a link.
OK, that’s not too too too too bad. I’ll just wait for the link.
Then, I find the email after a short wait — hey, it’s a long way across the pond. It has the huge multiline link to click. But being a member of the “I NEVER click email links” church, I faithfully copy the link into my plain text editor, Ctrl-A, Ctrl-C, then go to my browser and paste.
OK, that’s not too too too too too bad. I get a message that they’ll post my comment if they see fit.
Then, I read the rest of the email message and I find my password, my “shared secret”, my “carefully generated but mangled by their rules” password, in the clear for any system or mail administrator to read. With the subject “Welcome to Mail Online”. (Not too hard to identify that!)
OK, that’s bad.
How many “security rules” did they break? How many “human factors design principles” did they break?
Now I have to go back and change my password, just in case someone wants to post something under my name.
OK, that’s very bad.
I could ramble on to make more lines with “very very very bad”. But I’m bored with the topic. And, my ADADHDD is kicking in.
# # # # #
Begin forwarded message:
Subject: Welcome to MailOnline
Thank you for registering with MailOnline
To authorise your new user account please click on the link below.
If comments on this article are unmoderated, your comment should appear shortly. If comments on this article are pre-moderated then your comment will be checked in advance and will be queued for checking. We receive thousands of contributions every day so please be patient. If your comment does not appear, this may be due to the volume we receive or your content.
To find out if comments under a particular article are pre-moderated or not, look just above the comments to see if they are “pre-moderated” or “unmoderated”.
If the above link does not work, copy and paste the link into the address box on your web browser.
Your log in details are shown below:
You can update your details at any time – just tick the box marked ‘Update my details’ next time you log in.
House Rules: http://www.dailymail.co.uk/home/house_rules.html
# – # – #
*** begin quote ***
Thank you for adding a comment to MailOnline.
Comments on this article are being checked in advance. We aim to publish as many as possible. MailOnline receives thousands of comments every day, so please be patient. If your comments do not appear, this may be due to the volume we receive or due to the content of your comment.
Why not get the latest News from Mail Online delivered via RSS?
*** end quote ***
# # # # #