Who needs security...

This is another in the "Worst. <insert here>. Ever." series. When designing the login system for our new web application at work, I had the following conversation regarding hashing of passwords over the past few days.

Warning: This has technical jargon in it. I would suggesst something like wikipedia to help decipher it.

Boss: I need to change the MD5 password hashes that you wrote the other day back to the shorter version that I had.

Me: Umm. Why?

Boss: The MD5 hashes are too long to display in the password field.

Me: <blink><blink>Why are you sending the hashes back to the UI?

Boss: I need to know if there is a password set.

Me: <blink><blink>Why are you sending the hashes back to the UI? Can you not set a hidden input that is a boolean?

Boss: Well, really I'm not sending the hash. I'm just sending asterisks the length of the hash.

Me: <blink>So you want to change the hashing algorithm to something less secure so that you can have fewer asterisks? Can you not just send a specific number of asterisks?

Boss: *sigh* I guess. But I've already written the UI.

It's easy to not think about security, I suppose.

No EOF

I usually use here files when putting long strings in perl programs, and I usually use the string EOF to indicate the end of the here file. Today, I forgot to put the EOF in the document, and perl crapped out with the error:

Can't find string terminator "EOF" anywhere before EOF at ./csv-web.pl line 36.

This is not an example of obtuse error messages, or bad code - since I knew what I did wrong and how to fix it. The wording just struck me funny.

Worst. Interface. Ever.

Problem number 1
Trying to register a new account in firefox, I would fill out the form, click submit, and it would bounce back to the login page. No error. Nothing. Try again, same problem. Ok, this must be one of the few sites out there that requires IE. It doesn't even have the courtesy to warn me using a javascript or server side browser detection. I brush the dust off of IE, and try to create the account. Now I get an error at the top of the form page that tells me the username is already in use. If you're going to use AJAX, either make it work everywhere or don't use it--it's really not that hard.

Fine. Account created. Now I want to go back to my beloved firefox--maybe it was just the creation form that was broke. I close IE, pop open firefox, put in my shiny new username and password and hit login.

Warning

You have already logged in to the secure site with another browser. Please try again in a few minutes.[1065]

Thanks for the warning. What a lame security attempt. If I try again from the same computer, you should recognize that.

20 minutes later I can login. It's not even useful, either.