And why prevent paste? Just ran into this recently on PayPal when I wanted to change my password. I generated one in Passpack and tried to paste it in, no can do. Ridiculous.
Their entire site is a really bad example of ASP.NET development. As someone who knows the technology well, it can make great sites. It just rarely does.
I like my T-Mobile service but there's something odd with their backend systems and/or customer service. I logged in to disable their "WebGuard" service that seemed to be blocking pages at random. It required address and social security verification, but I couldn't get it to verify my details.
I called, and the customer service agent hopefully told me that my address didn't exist. I live in the middle of New York, and I've never had this issue before. I can't help but wonder what crazy verification system they're using.
Having worked with telcos previously (both OSS/BSS but not T-Mobile specifically), I can say that I'm not surprised at all.
In fact, I'm pretty amazed that things even work at all. The amount of random connectors and systems is mind boggling.
Some examples: A Tandem system used for nothing BUT ftp from telco switches for call details. Multiple enterprise message buses. Systems with only object files and no source. The list goes on...
Regarding your WebGuard issue, I actually had the same problem (they started blocking imgur!). For me, the actual issue was that the opt-out process does not work for prepaid accounts, but no one at the T-Mobile call center knows that. I had to go into a store and show them my ID.
Try using special characters - It will just omit some special characters and save the password with that character omitted. And yes, T-Mobile sent back my password in clear text, and that's how I know.
I learned this too recently when my password, which starts with a special character, suddenly was being rejected.
Turns out they use a JavaScript validator on passwords, not only at creation, but also when you're logging in (beats me as to why). I found a page on their site that doesn't do the check and I can log in fine there.
Storing the password in plain text is absolutely inexcusable. I'm an idiot and my passwords are stored PBKDF2/SHA512 - not like it's difficult.
I hate when people disable pasting in password fields. Some of my passwords are 50 character random strings stored in 1Password and sometimes I need to copy/paste and cannot do it (ahem, iCloud). I usually end up disabling JavaScript if the page still renders without JavaScript.
Assuming you're on Linux, you can just pipe the input into "xargs xdotool type". Thanks to the keyboard abstraction in X, no program will ever be able to tell that you didn't just type that on a keyboard.
T-Mobile also capitalized my password on me, once. It was fine for a couple years and then one day it stopped working. I got the site to text it to me (why do they even have it in plain text?) and all the letters had been capitalized somehow. (Previously was mixed-case.)
I wonder if it's a bad idea to disclaim that you store passwords in plain text (when you actually use PBKDF2 or something) to trick users into making more secure passwords.
I like to end my passwords with non-alphas like "!" Neither T-Mobile nor AT&T lets me do this for whatever reason. It's incredible how telcos get away with everything from high pricing to shit web code. These are the mistakes of self-taught amateurs, not professionals.
It makes sense to paste your password when logging into an account, but from what I read this is just on the password reset. They probably want people to actually type their new password twice instead of typing it once and then copy/pasting for the second field.
If you don't have something like mobile KeePass (or you don't have a current password file, I don't think KeePass for Android can add passwords) or the app prevents you from pasting the password, entering a long complicated password can be difficult. Pasting helps improve the likelihood of long complicated passwords.
This might be a good place to complain about *-ed out passwords on mobile phones. It makes it next to impossible to enter a password (yes, the last letter not *-ed out for a few seconds only helps a tiny bit). If I'm not copy-pasting from KeePass I'm entering the password in the login field then cut/paste it.
I think having the last letter visible for a very short time is a good balance. I certainly do not want the password to be visible in clear text. Shoulder surfing is an even bigger issue for mobile devices like phones or tablets -- which you routinely use in public and around strangers -- than it is for laptops or desktops.
I'm not surprised. I got the expiry date of my credit card wrong. It stores it and will not let you change, overwrite or delete it. In the end I just had to top up offline till I could move carrier.
MichaelGG|13 years ago
Funny enough, elsewhere in their code, they do explicitly check for Ctrl & V/C.
ams6110|13 years ago
jrockway|13 years ago
naner|13 years ago
Or Rt-Click -> Paste.
DeepDuh|13 years ago
untog|13 years ago
newman314|13 years ago
kineticflow|13 years ago
heretohelp|13 years ago
Example?
skanuj|13 years ago
agildehaus|13 years ago
BryanB55|13 years ago
jrockway|13 years ago
machrider|13 years ago
seanieb|13 years ago
Steko|13 years ago
antimatter15|13 years ago
drzaiusapelord|13 years ago
pyre|13 years ago
madmaze|13 years ago
At least that was the state of things about 2 weeks ago
troels|13 years ago
Adobe does the same thing with the horrible license-management selfcare site. Which, as far as I can tell, is some kind of SAP frontend.
andrewcooke|13 years ago
jschmitz28|13 years ago
rat87|13 years ago
scjody|13 years ago