Back to previous post: Why Borders Cratered

Go to Making Light's front page.

Forward to next post: Sea Stories

Subscribe (via RSS) to this post's comment thread. (What does this mean? Here's a quick introduction.)

March 15, 2011

Department of “Say What?!?
Posted by Jim Macdonald at 09:35 AM * 50 comments

Welcome to our Login Page

If you already have an online subscription to the Caledonian-Record, you can log in below.

No, really.
Comments on Department of "Say What?!?":
#1 ::: Mike Bakula ::: (view all by) ::: March 15, 2011, 10:05 AM:

Um, if they were handling passwords correctly, that wouldn't even be possible. I leave the implications to the cloud...

#2 ::: Steve C. ::: (view all by) ::: March 15, 2011, 10:09 AM:

I wonder how many of them will have the username of 123456.

#3 ::: paul ::: (view all by) ::: March 15, 2011, 10:24 AM:

If all their users were following perfect password hygiene and using privacy-considerate nyms for their user names, this wouldn't be a problem.

(May I use this space to complain about the NYT, which limits users to not only one machine but one browser instance at a time?)

#4 ::: Nangleator ::: (view all by) ::: March 15, 2011, 10:25 AM:

Underwear to be worn on the outside.

#5 ::: toni ::: (view all by) ::: March 15, 2011, 10:37 AM:

It's not even decent odds to place bets as to how soon the hackers are going to rip through that site. Masochists much?

#6 ::: James D. Macdonald ::: (view all by) ::: March 15, 2011, 10:42 AM:

Plus, anyone who's been paying attention now has the username/password pairs for any number of people. Particularly of the people they've had disagreements with in the discussion threads.

#7 ::: Doctor Science ::: (view all by) ::: March 15, 2011, 10:43 AM:

My daughter, walking by and looking over my shoulder, said "I assume they've been hacked" -- and I agree, and believe this is the hacker's ruse to get people's passwords for the purpose of collecting un/pw combos to try on other sites.

#8 ::: Serge ::: (view all by) ::: March 15, 2011, 10:53 AM:

This reminds me of the scene from "Superman Returns" when Lois Lane has gone AWOL (again) and her boyfriend tries to find what she was up to, but her computer is locked. He finally figures out what the password is.


I wonder if that's-so-obvious-nobody-will-think-of-it works in real life.

#9 ::: Tom Whitmore ::: (view all by) ::: March 15, 2011, 11:13 AM:

Rather than just wonder, I've sent an e-mail to their head of IT, easily findable through their "contact us" link (well, two levels down from that, but that's easy enough). I'll let you know if I hear back.

#10 ::: Steve C. ::: (view all by) ::: March 15, 2011, 11:14 AM:

From another site, here's a list of the 500 most common passwords.

#11 ::: John ::: (view all by) ::: March 15, 2011, 11:20 AM:

Another early April 1 joke?

#12 ::: Mike Dixon ::: (view all by) ::: March 15, 2011, 11:40 AM:

Unless it's just an interface thing where the web designer got the input fields backwards on accident, this seems... implausible. For one, it's highly unlikely that everyone had a unique password before, and unique usernames are usually a requirement in any sort of account system...

#13 ::: Lee ::: (view all by) ::: March 15, 2011, 12:40 PM:

Steve, #10: One thing I sort of expected to see on that list but didn't was ETAONRISH, or possibly ETAONSHRDLU. OTOH, I guess the people who would know enough to use either of those would also know enough to know why not to use them!

#14 ::: James D. Macdonald ::: (view all by) ::: March 15, 2011, 01:28 PM:

Steve C. at #10:

Did you notice that "teresa" is password #189?

Proof our Miss Teresa rules.

#15 ::: HelenS ::: (view all by) ::: March 15, 2011, 01:44 PM:

"teresa" can be typed quickly and easily with the left hand. Of course that means it's easy to watch someone type it and guess what it is, too ...

#16 ::: Serge ::: (view all by) ::: March 15, 2011, 01:44 PM:

#239 is 'scooby'.

#17 ::: Older ::: (view all by) ::: March 15, 2011, 02:29 PM:

Nangleator, #4 -- "Bananas" reference FTW!

#18 ::: Steve C. ::: (view all by) ::: March 15, 2011, 02:36 PM:

Lee @ 13 -

I imagine ETAOIN would be a lot more common if our keyboards were laid out like Linotype machines.

Remember that Fredric Brown short story about the demon in the Linotype machine?

Just glancing at the list, first names are common, as are sports cities, with a sprinkling of dirty words and number strings.

I know that a few places have gone to the trouble of having a dirty words filter on the their password input. Spoilsports.

#19 ::: Lighthill ::: (view all by) ::: March 15, 2011, 03:34 PM:

Doctor Science @ #7:

My first thought was that an exceedingly lazy programmer mussed have messed up which field was which, and rather than fix the mistake, convinced management to tell everyone everybody that the mistake was in fact a "SECURITY CHANGE."

But you're right; an attack would make sense too.

#20 ::: Clifton Royston ::: (view all by) ::: March 15, 2011, 03:44 PM:

Nangleator @ 4: That was my first thought too! Either that or underpants on the head.

Steve @ 2:
"Which of you is 123456?"
"I am 123456!" "I am 123456!" "I am 123456!"

#21 ::: Tom Whitmore ::: (view all by) ::: March 15, 2011, 03:49 PM:

Steve C @ 18 -- more appropriate, perhaps, of Brown's is "The Angelic Angleworm", in which the Heavenly Records are recorded on a linotype....

#22 ::: Lee ::: (view all by) ::: March 15, 2011, 04:23 PM:

Steve, #18: The Frederic Brown story was in fact what I was thinking of; perhaps you didn't notice?

#23 ::: abi ::: (view all by) ::: March 15, 2011, 04:40 PM:

OK, so someone managed to out-fail Etsy. I am impressed.

#24 ::: Tom Whitmore ::: (view all by) ::: March 15, 2011, 04:43 PM:

Ah, there are two different stories involved here -- one has a linotype that becomes self-conscious when it sets a philosophical text (and my mind is blanking on its title, I fear) -- much more about demons entering the linotype. "The Angelic Angleworm" is about typos in the Heavenly Record resulting in someone being able to get up there in order to correct them.

#25 ::: Steve C. ::: (view all by) ::: March 15, 2011, 05:07 PM:

Lee @ 22 - D'oh! I should have noticed; sometimes I don't come to full consciousness until Wednesday. :)

#26 ::: Erik Nelson ::: (view all by) ::: March 15, 2011, 05:54 PM:

It is a violation of the Sarbanes Oxley act to have a password that is the name of a fantasy character.

#27 ::: Bob with a pseudonym ::: (view all by) ::: March 15, 2011, 06:11 PM:

Erik@26: And how exactly does the law educate itself about which miscellaneous Unicode strings are names of fantasy characters and which are not? Some of my fantasies can get downright typographic.

#28 ::: password1 ::: (view all by) ::: March 15, 2011, 06:17 PM:

I don't see the problem here.

#29 ::: Bruce Cohen (Speaker to Managers) ::: (view all by) ::: March 15, 2011, 07:35 PM:

Offhand, I'm having trouble thinking of any standard IT operating procedure that isn't a violation of the Sarbanes-Oxley act.

#30 ::: Bruce Cohen (Speaker to Managers) ::: (view all by) ::: March 15, 2011, 07:37 PM:

John @ 11:

No, this is too nitwitted not be real.

#31 ::: Andrew T ::: (view all by) ::: March 15, 2011, 07:59 PM:

Ha ha, joke's on them. My username and password are the same!

#32 ::: P J Evans ::: (view all by) ::: March 15, 2011, 09:24 PM:

I have an account at, which remembers the browser, not to the machine. And it won't allow you to have more than one (or two?) open at at a time, even though they're on the same machine.

(But they do a lot of things that aren't as smart as their programmers think.)

#33 ::: Don Fitch ::: (view all by) ::: March 15, 2011, 09:53 PM:

Somehow, this smells like phishbait, to me, and I'm wondering if responses really go back to the newspaper.

#34 ::: Serge ::: (view all by) ::: March 15, 2011, 10:02 PM:

If my name were Marx, would it be foolish for my password to be 'swordfish'?

#35 ::: Rainflame ::: (view all by) ::: March 15, 2011, 11:31 PM:

If my name were Marx, would it be foolish for my password to be 'swordfish'?

Depends on whether your first name is Karl or Harpo?

#36 ::: David Goldfarb ::: (view all by) ::: March 15, 2011, 11:32 PM:

Tom@24: Wasn't the title "ETAOIN SHRDLU"?

#37 ::: David Harmon ::: (view all by) ::: March 15, 2011, 11:34 PM:

I'm with Doctor Science #7. It's only charitable. ;-)

#38 ::: janetl ::: (view all by) ::: March 16, 2011, 12:56 AM:

abi @ 23: OK, so someone managed to out-fail Etsy. I am impressed.

I hadn't heard about Etsy. My goodness. I took a look, and found that I had in fact bought some things* on Etsy, but as is my wont, I had left the Profile quite blank. I did find these gems under Your Account > Settings > Privacy:

Who can see your favorites?
Everyone (public)
Only you (private)

Do you want others to be able to find you by your email address? Your email address will not be publicly displayed.

I found these both set to Yes. I assure you that I would never, ever have set those to Yes. Etsy must be opting everyone in on those. I'm tempted to use a Word of Power to describe them, but shall refrain to avoid making work for the moderators. Snarl.

*Chocolates and cross stitch designs. Such wantonness!

#39 ::: Lee ::: (view all by) ::: March 16, 2011, 01:10 AM:

David, Tom: Honestly, I'm starting to feel like I'm suffering from invisible woman syndrome here.

janetl, #38: Yes, Etsy has indeed made both of those misfeatures opt-out. That's part of what has people annoyed. The other reason is that they DIDN'T TELL ANYONE what they were doing -- they just did it, quietly, with only a brief announcement on the site forums. The forums are used primarily by sellers, not buyers, and especially not by buyers like you (or me) who have only bought a couple of things over the course of years.

I posted that link to a mailing list for Houston Etsy shop owners... and at least one of THEM hadn't heard about it. That tells you something.

#40 ::: Terry Karney ::: (view all by) ::: March 16, 2011, 03:00 AM:

Lee: I think Tom was trying to do what I thought of doing, which is correct the actual list, since as given it was incorrect (says the man who, at one time, ran a Linotype).

#41 ::: David (a different one) ::: (view all by) ::: March 16, 2011, 05:46 AM:

Lee - if you want to be properly invisible, you'll need an unmistakably female username. Or, I suppose, password.

#42 ::: David Harmon ::: (view all by) ::: March 16, 2011, 08:44 AM:

Salon gets to the point.

And while we're there, haven't we been here before? I could swear I saw stories to that effect years ago. (It's still utter idiocy, not to mention abusive.)

#43 ::: dcb ::: (view all by) ::: March 16, 2011, 09:58 AM:

The one I was surprised to see absent from the list (unless I missed it) was tanstaafl. Or is that too old?

#44 ::: Ken ::: (view all by) ::: March 16, 2011, 01:08 PM:

I also suspect a phisher. However, I have seen several business systems where the username and password are both your account number - you know, the one printed on every piece of correspondence mailed or e-mailed to you. They tell everyone to change it after logging in, but how many people do so?

#45 ::: Tom Whitmore ::: (view all by) ::: March 16, 2011, 01:19 PM:

Did someone hear Lee say something? (My previous comment was because I'd misread the response to yours, Lee; rather than continue the weirdness, I just stopped talking....)

And a further indication that this is a result of hacking -- my note to their computer person has been held up because the Caledonia Record website is not responding: "
Technical details of temporary failure:
The recipient server did not accept our requests to connect." I don't say this makes it certain, but it does add a bit of evidence.

#46 ::: Andrew Willett ::: (view all by) ::: March 16, 2011, 05:05 PM:

The C-R login page seems to have returned to normal. Either they've fixed things or the spammers have gotten sneaky.

#47 ::: Lee ::: (view all by) ::: March 16, 2011, 05:50 PM:

Tom, #45: 'sokay. I should have put a smiley on the end of my comment anyhow -- it was meant as a tweak, not a serious complaint. (And David @41, most of the commenters here do know that I'm female.)

Speaking of Etsy, they seem to have backed off. I ran a Google search on my Etsy username, and my purchases didn't come up; apparently I got the permissions reset before the spiders found my account.

#48 ::: Nix ::: (view all by) ::: March 16, 2011, 08:18 PM:

Oh, bad password policies are endemic. I just got through the incredibly tiresome registration process for a piece of proprietary financial transaction reporting software at work. This is just for the software itself, not for the account needed to use it, and only a test version. But the process involved one on-line registration (name, address, company name, three phone numbers, dog's hair colour, boss's name, name of company director), one ack to an email, another online registration process, a threefold countersigning and returning of a paper mail by director-level people, then another lengthy online registration process...

... all this to get an account on their site from which we can download the software. When it turned up, the account username was my (at-work) email address: the password was the name of the company making the proprietary financial transaction reporting software (so, by extension, the same for every user). There is no facility to change passwords.

All that bureaucracy, for *that*? I was tempted to walk round the corner (we're both in London's Docklands) and smack whoever thought of that password policy round the head.

#49 ::: Bruce Cohen (Speaker to Managers) ::: (view all by) ::: March 17, 2011, 12:58 AM:

Some years ago, when I first went to work at Nike, my first major bit of maintenance work was to figure out how to fix the username field on one of the B2B sites, where shoe stores could order from the factory. For some reason, the original designer had insisted on making usernames be email addresses; the software checked that the username had the form of an email address, and that it was stored in the email field in the database. Then they discovered that there often was more than one user at a store, and sometimes the users at a store all used the same email address (it was a store account nat an individual one). No one had thought of that before.

This is also a story about bad programming practices: the email/username field was hardcoded into the webpages, in, honest to Shiva, more than 500 different places.

#50 ::: Annalee ::: (view all by) ::: March 18, 2011, 01:31 PM:

Bruce @49: A-grepping through the code; a-grepping through the code! High-oh the Dev was so; we're grepping through the code!

Welcome to Making Light's comment section. The moderators are Avram Grumer, Teresa & Patrick Nielsen Hayden, and Abi Sutherland. Abi is the moderator most frequently onsite. She's also the kindest. Teresa is the theoretician. Are you feeling lucky?

Comments containing more than seven URLs will be held for approval. If you want to comment on a thread that's been closed, please post to the most recent "Open Thread" discussion.

You can subscribe (via RSS) to this particular comment thread. (If this option is baffling, here's a quick introduction.)

Post a comment.
(Real e-mail addresses and URLs only, please.)

HTML Tags:
<strong>Strong</strong> = Strong
<em>Emphasized</em> = Emphasized
<a href="">Linked text</a> = Linked text

Spelling reference:
Tolkien. Minuscule. Gandhi. Millennium. Delany. Embarrassment. Publishers Weekly. Occurrence. Asimov. Weird. Connoisseur. Accommodate. Hierarchy. Deity. Etiquette. Pharaoh. Teresa. Its. Macdonald. Nielsen Hayden. It's. Fluorosphere. Barack. More here.

(You must preview before posting.)

Dire legal notice
Making Light copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017 by Patrick & Teresa Nielsen Hayden. All rights reserved.