There was a screenshot of some website floating around a few years ago, where if you entered the correct password but a wrong username, it would helpfully tell you which user the password is really for.
replyBut did they handle the edge case of two users having the same password?
reply"That password's already been taken by user 'mekdoonggi'"
replyProduct manager; “That’s a great UX.”
replyIn my free time, I help maintain the web presence for a small non-profit org with memberships. The original system when I started helping was a bespoke system that was smart in many ways (essentially a static site generator with membership control years before SSGs were cool, with regular automated tests), but the guy who wrote it absolutely insisted on storing passwords in plaintext and could not be convinced otherwise. Eventually he had to drop the volunteer position due to other things in life, and the first thing we did was correct this issue.
replyI've got a better one. I once had the same argument mentioned to me by my manager at the time when I pointed out that passwords were being stored in clear text. That it needs to be this way so that it is read/sent when the users forget their passwords(which happened a lot). I tried to explain that typically a "reset password" flow is used for that but that fell on deaf ears. That system contained healthcare data.
replySomething bad did end up happening due to that lax security and there were oh so many meetings about it.
> Something bad did end up happening due to that lax security and there were oh so many meetings about it.
replyThis is the sort of thing that makes me want to check out of the whole circus. Here I am, telling you ahead of time, and you ignored me
So how there's a circus that we could have avoided and not only do I get zero recognition for identifying the threat ahead of time, the people who ignored me keep their jobs and turn it into a zoo where everyone is scrambling in endless meetings
And I've seen it play out a few times. After a point, why bother...
Yeah, I can relate. It's a problem if you don't bother since you won't be doing your job to the best of your abilities and it's a problem if you do since you might get in trouble with the management for not being a "team player" or some other silliness. Without meaningful consequences, I don't see this situation changing.
reply> Defeated by such argument, I deleted my account.
replyI'd bet your account wasn't actually deleted, just marked as deleted or inactive.
Circa 2012 the San Francisco water bill pay was able to send me my password in plaintext when I forgot it. I was scandalized. But the alternative was to not pay the water bill, so I just made extra sure the password was very random and wasn't one that got re-used anywhere... I think they fixed this issue in the years since.
replyGnu Mailman still does this, and sends a monthly reminder email of your password.
replyGreetings, Bioconductor
reply