How to design a terrible website

Like most Americans with a university degree, I have student loan debts. This means that periodically, I get an email from my loan servicer that there is a special correspondence for me. The actual correspondence never appears in the email itself, of course, because that medium isn’t secure. Instead, it is hidden away in a Federal government website that has eschewed both security-through-obscurity and security-through-cryptography, in favor of the novel approach of security-through-a-user-interface-so-infuriating-that-attackers-just-give-up-and-also-the-intended-recipients.

I went to log in, and was told that my username and password – which I had saved in my password manager and not changed since my last login – were not valid. There was, however, a helpful link to reset my password, which I clicked. It had me provide my full social security number and date of birth, two things I just love providing to websites. I then received an email with the password reset link. Upon clicking this link, I was asked to provide a new password, which I generated with my password manager and dutifully saved. I was then redirected to the login page, where I supplied the username and password I had just saved. I was told that either my username or my password was incorrect.

Ok, maybe I got the username wrong. Fortunately, there’s a “forgot username” link, which I clicked, again providing SSN and birthdate. I was shown my username, which was, in fact, the same username I had provided. So that’s not the problem.

Ok, cool cool cool cool cool cool cool cool. Maybe I only thought I saved the password. I looked in my password manager’s generator history, and confirmed that the password I saved was generated in the past few minutes. So I clicked the reset password link again, entered the super-secret government identifiers again, and got the reset link emailed to me. This time I supplied the same password I had already saved. I was told this was invalid, as I couldn’t re-use a recent password. So it definitely saved the password I generated. I generated a new one, saved it, and entered it. The password reset again succeeded, and again redirected me to a login page, where the username and password I had just generated still failed to work.

One of the messages the site provides upon a failed login attempt is that three failed attempts would result in your account being locked for thirty minutes. (Later I found a page on the same website that claimed the lockout period was one hour. Even they don’t know how long the lockout period is.) I had never once received a “your account is locked” message, but I thought maybe it had silently happened anyway. So I waited several hours just to be sure, and tried again. Again, I was denied. So I decided to try the password reset dance one more time.

It was at this point I noticed the password rules: the usual stuff about including a mix of upper and lowercase letters and symbols, and a line about how the length had to be between eight and fifteen characters. Wait, what? I checked my password generator, and, sure enough, it was generating passwords longer than fifteen characters. So I decreased the length, reset my password again, and logged in. This time, it succeeded.

Shall we review the many, many problems with this process?

  • Maximum password length. Why is there a maximum length for the password? Are they trying to save space in the database, like how everyone uses varchar(10) to store surnames and therefore truncates the names of millions of people who had the audacity to bear a name slightly longer than the database designers deemed fitting? If that’s the case, we have an even bigger problem, because they shouldn’t be storing passwords in a database at all. They should be storing fixed-length cryptographic hashes. Sure, maybe they want to set an upper limit to prevent someone from doing a crude DoS attack by pasting four gigabytes of text into the form and slowing down their hash algorithm. But if that’s the worry, you could set the limit at a hundred characters, or even a thousand, and allow any reasonably secure password without slowing down the hash too much. There’s absolutely no good reason I can think of for setting such a low maximum password length, and it makes the site less secure.
  • Opaque failure mode. The site happily accepts passwords longer than fifteen characters. It lets you set your password to one longer than that limit, and gives you no indication that the password is invalid. And it definitely stores either the password itself, or a hash of the password. I know this because when I tried to “reset” my password to the one I had previously saved, it told me that I couldn’t re-use a password. This pretty much eliminates “preventing DoS by hashing a huge password” as a reason for the limit, unless they only hash the first fifteen characters. I could verify this by attempting to log in or reset using my current password plus some garbage characters to see if it works, but that would involve using this website again, plus the risk of being locked out for “suspicious activity”. Anyway, I digress: the time to tell me that my password doesn’t fit their arbitrary rules is when I set the password, not when I try to log in with an “invalid” password you happily allowed me to set.
  • Lack of passwordless login. The maintainers of the site obviously feel that anyone who knows my social security number and birthdate, and has access to my provided email account, should be allowed to access the site. Otherwise, they wouldn’t send a reset link to that email address given only those two pieces of information. So why not just let you use those to log in? Instead of placing me in a weird limbo state where I can change my password but not view any actual content, just log me in already. There’s no reason to even require a password.
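The first two points above (a sane upper bound on length, and enforcing it at set time rather than at login) come down to one rule: the set-password path and the login path must share a single policy check, and the stored record must be a salted fixed-length hash. The following is an added illustration, not code from the site or from this post; the bounds (8 to 1000 characters) and the PBKDF2 parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Policy bounds (assumed values). A high ceiling bounds the cost of hashing
# attacker-supplied input without rejecting any realistic password.
MIN_LEN = 8
MAX_LEN = 1000
SALT_LEN = 16
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed)


def check_policy(password: str) -> Optional[str]:
    """Single policy check shared by set_password and verify_password.

    Returns None when the password is acceptable, else a human-readable reason.
    """
    if len(password) < MIN_LEN:
        return f"password must be at least {MIN_LEN} characters"
    if len(password) > MAX_LEN:
        return f"password must be at most {MAX_LEN} characters"
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || digest: always SALT_LEN + 32 bytes, whatever the input length."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt + digest


def set_password(store: dict, user: str, password: str) -> None:
    """Reject a non-compliant password here, at set time, never later at login."""
    reason = check_policy(password)
    if reason is not None:
        raise ValueError(reason)
    store[user] = hash_password(password)


def verify_password(store: dict, user: str, password: str) -> bool:
    """Login path: same bound as set_password, so nothing accepted above can fail here."""
    record = store.get(user)
    if record is None or check_policy(password) is not None:
        return False  # unknown user, or input outside the bounds we would ever have stored
    salt, stored_digest = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hash_password(password, salt)[SALT_LEN:]
    return hmac.compare_digest(candidate, stored_digest)
```

Because the full password feeds the hash, a 40-character password and its first fifteen characters produce different digests, so a stored record of fixed size never silently truncates the credential.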

Anyway, I jumped through all the hoops and was finally able to log in. And if you thought that I was finally able to view the super-secret private message they sent me, boy do I have an NFT of the Brooklyn Bridge to sell you.

You see, I did all this in a mobile browser, which is by far the dominant means of accessing the web in the Year of Our Lord MMXXIV. I could see the subject heading of my message, but when I clicked on it, nothing happened. I did, however, notice a warning to “disable popup blocking”. To the best of my knowledge, my mobile browser does not have a “popup blocking” feature, for the very simple reason that it doesn’t have the capability to pop up windows at all. And why should it? There is absolutely no reason why any website needs to create a popup window, ever. If you think there is, you’re wrong. Web technology has come a long way since nineteen ninety smeggity suck-danged eight, and there are many more user-friendly ways to display information than a method typically employed only by spammy porn sites from twenty years ago. It’s akin to requiring me to enable the Netscape blink tag.

So yeah, I had to log in again, this time from my laptop, after disabling popups, before I could finally read their very important message. It wasn’t exactly “Remember to drink your Ovaltine,” but it wasn’t exactly worth the trouble, either. I think I’ll switch back to snail mail.