Brisingr Aerowing wrote: That last user was either an idiot or crazy.
Either way, it was considered my bug and had to be patched; clearly a case of not protecting the user from themselves, not to mention code that didn't properly validate variable/field type limits in all screens.
I was lazy and simply used a larger datatype. Ideally, I should've triggered Clippy to ask 'Are you really sure you want to order 123,456,789,123 cases of broccoli?'.
"Go forth into the source" - Neal Morse
Bear in mind that "numbers" like 35e7 are often validated as numeric, but of course represent very large numbers (even though they're relatively short in terms of number of characters, so putting a MaxLength on a text field won't stop it!). They can occur in numeric input when a user mis-types. When testing validation of numeric input, it's always worth testing this case.
Sorry for a late post on this thread, but it might be of interest/use to someone someday!
(And as for asking "are you really sure..." you can guarantee that at some point the user will click "yes" and then you're still left with the original bug anyway. )
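The point about "35e7" above is easy to demonstrate. The following is an added example, not code from any poster: a quantity field checked the naive way ("does the text convert to a number?") beside a strict parser that insists on a plain decimal integer inside an assumed business limit of 10,000. The limit, the six-digit regex and the sample inputs are constructed for the example.

```javascript
// Added example (not from the thread): why "is it numeric?" is not enough.
// Assumed policy: an order quantity is a plain decimal integer from 1 to 10000.
const MAX_QUANTITY = 10000;            // assumed business limit, not from the post
const PLAIN_INTEGER = /^[0-9]{1,6}$/;  // digits only: no sign, no '.', no 'e'

// The check many forms actually perform: does the text convert to a number?
// It accepts "35e7", "0x1F" and "Infinity", none of which a quantity field wants.
function naiveIsNumeric(text) {
  const s = String(text).trim();
  return s !== "" && !Number.isNaN(Number(s));
}

// Magnitude of what the naive check lets through, independent of text length.
function magnitudeOf(text) {
  return Number(String(text).trim());
}

// Strict check: syntax first, then range, then hand back a value the code can use.
// The server-side copy of this is the real control; keypress filters and
// maxlength attributes only improve the experience for honest typists.
function parseQuantity(text) {
  const s = String(text).trim();
  if (!PLAIN_INTEGER.test(s)) {
    return { ok: false, reason: "not a plain integer" };
  }
  const value = Number(s);
  if (value < 1 || value > MAX_QUANTITY) {
    return { ok: false, reason: "out of range" };
  }
  return { ok: true, value };
}

// Constructed sample inputs: what a user might type or paste into the field.
const SAMPLE_INPUTS = ["12", " 7 ", "35e7", "1e3", "0x1F", "Infinity", "12.5", "-3", "123456789123", ""];

// Run both checks over the inputs and report what a maxlength attribute would see.
function compare(inputs = SAMPLE_INPUTS) {
  return inputs.map((text) => ({
    text,
    textLength: text.length,
    naive: naiveIsNumeric(text),
    magnitude: magnitudeOf(text),
    strict: parseQuantity(text),
  }));
}

for (const row of compare()) {
  console.log(JSON.stringify(row));
}
```

Note that "35e7" is four characters long, so a MaxLength of 6 on the text box passes it, while its magnitude is 350,000,000; the strict parser rejects it on syntax before the range check is ever reached, and rejects "123456789123" by length before `Number()` gets near a large value.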
Yes, I've been bitten by the numeric e but usually always with very small numbers meaning I must have forgotten a round somewhere.
Actually, the input fields (in my case) only allow numeric chars plus b/s, and period validated at the keypress event. It's a little extra effort, but it's a good first line of defense against invalid data...of course, the clever ones can still copy/paste so you still have to check again. To be honest, I've never even afaik tried a value with an e in it. I'll have to check it out when I have more time!
DerekTP123 wrote: you can guarantee that at some point the user will click "yes"
Yep, whether they mean to or not...so many users don't even bother to read, they just click 'Yes' to any dialogue they see.
"Go forth into the source" - Neal Morse
kmoorevs wrote: I still wonder wtf people want to double-click in a web browser??? Blame Windows Explorer for that.
I know people (non-techie and pretty much "I don't understand computers, so don't even try to explain anything to me") who basically double-click on everything, no matter what or where it is.
M.D.V.
If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about?
Help me to understand what I'm saying, and I'll explain it better to you
Rating helpful answers is nice, but saying thanks can be even nicer.
I've noticed from time to time that JS events can have significant, sometimes measurable, lag times. Since the JavaScript interpreter is single threaded, there is no such thing as pre-emptive multitasking. I vaguely recall encountering a similar issue several years ago, which I resolved by putting the double-postback preventer script in charge of submitting the form.
David A. Gray
Delivering Solutions for the Ages, One Problem at a Time
Interpreting the Fundamental Principle of Tabular Reporting
Let me prefix this with having no background in the world of security whatsoever, but I did have an idea that I believe could have some merit and I thought I’d see what others thought.
It occurred to me that an OS with a "private key" of my choosing, several algorithmic options to use in conjunction with that key and some specification (length/charset) of the desired output, could have a mode designed to "alter" my input based on those data points. No actual password would be stored, but my password of "password1" could be turned into 180 characters for me by the OS while in what I call "password mode". Unless someone is using my private key, my selected algorithm, and my character set criteria, then nobody could reproduce the same output as me by typing password1.
In my mind, this private key works similar to a cipher (yes, I am that far out of my depth) and could be my dog's name or an entire paragraph from my favorite book. The algorithms would need to do all of this in such a way where each subsequent character is an entirely new (but repeatable) character footprint. So, even if you type 11111 for your password, each new instance of 1 has an entirely different burst of (20'ish) characters representing the next instance of the 1 key.
This probably wouldn't change how we would log into an OS, but I do believe everyone using garbled 120+ character passwords overnight would go a long way towards securing ourselves on individual websites. I also believe it would be extremely helpful to keep my password and change my private key when I find out a website I use has been compromised.
Wow. You essentially invented password hashes, salt and pepper. Again.
I have lived with several Zen masters - all of them were cats.
His last invention was an evil Lasagna. It didn't kill anyone, and it actually tasted pretty good.
Bogatitus wrote: having no background in the world of security whatsoever
So, the good news is that with no background whatsoever, you've basically described how most password systems work. You did munge it a little with asymmetric cryptography (a private key infers a public key), but that's okay.
Maybe you should look into crypto systems; it's a very rich field of study that you apparently have an interest in.
"Never attribute to malice that which can be explained by stupidity."
- Hanlon's Razor
There are a million things I'd love to dig into if I wasn't already spending 75 hours a week as a 3D modeler for a construction company + 30 more doing industry-specific hobbyist programming.
Based on your comment though, I guess I am proposing they reinvent the wheel, but encapsulated around the users. Not quite the level of isolation I want, but it does seem like even a Chrome plugin could mostly do this for me as long as it existed for iOS, Android and Windows. Still, it would be nice to have OS-level integration on mobiles so all the various standalone apps could receive the altered input.
Maybe I am just too ignorant on this topic to understand, and I can accept that... Online or in the real world, if someone wants to steal something they are going to steal it; all we can do is make it more trouble than it's worth. With that said, wouldn't doubling down even on our current protection methods (as proposed) cause some kind of useful disruption?
Bogatitus wrote: Online or in the real world, if someone wants to steal something they are going to steal it; all we can do is make it more trouble than it's worth.
There is no 100% security; you just need to make it more difficult to steal from you than from your neighbor.
M.D.V.
If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about?
Help me to understand what I'm saying, and I'll explain it better to you
Rating helpful answers is nice, but saying thanks can be even nicer.
Just saw this -- too bad I didn't see it when you first posted.
Anyways, the idea you propose sounds like what I've done in my app which allows you to draw a geometric shape and then generates a long (SHA-256 hash-based) password for you.
You can read all about it and get the code here at CP: Users Hate Passwords (We're All Users): Never Memorize a Password Again
I've written the app as an iPhone, Android, WinForm and web app.
You can try the web app at the official site (it's all client-side JavaScript, nothing is saved):
C'YaPass : Never type a password again
Would that work just using both the female plugs?
We can’t stop here, this is bat country - Hunter S Thompson RIP
Yes, of course! Why should it not work? It is a splitter and the females are parallel.
It does not solve my Problem, but it answers my question
modified 19-Jan-21 21:04pm.
Ah but it's electrickery to me - thanks for your help
We can’t stop here, this is bat country - Hunter S Thompson RIP
No problem. If it should not work, pass me the explanation of why it does not work _and_ your EBAN and I will return you the £1.98.
It does not solve my Problem, but it answers my question
We can’t stop here, this is bat country - Hunter S Thompson RIP
Now I stand by all that I have written, but please allow me a question: why does one need such a female-to-female extension?
It does not solve my Problem, but it answers my question
The power output on my SBC board is a male Molex and the power input on my drive housing is also a male Molex, so I need a female-to-female Molex cable.
We can’t stop here, this is bat country - Hunter S Thompson RIP
modified 14-Apr-19 3:30am.
That sounds strange...
It does not solve my Problem, but it answers my question
Anyway, check again yourself. According to the pictures, it looks OK to me. In the picture from your link both connectors have the same bottom/top alignment, while in the link I sent, one is turned by 180°. If I compare the wires now and take that fact (one turned) into account, both cables are the same to me.
It does not solve my Problem, but it answers my question
The cable won't arrive until Wednesday (UK). I'll let you know if it works.
We can’t stop here, this is bat country - Hunter S Thompson RIP
In any case, check again exactly. You will not believe it, but I had a nightmare that night in which your devices went down because I was wrong. I was about to get up at four o'clock in the morning to check everything again.
It does not solve my Problem, but it answers my question
Just to update you, the cable you suggested duly arrived, but when I fitted it the drives and the fan spun up and down (like revving an engine on a starting grid) constantly when powered from the hat. If I power it from the USB-C on the board all is good (although I suspect it's not getting enough power). Any ideas?
We can’t stop here, this is bat country - Hunter S Thompson RIP