Yesterday I had a very strange telephone conversation, but for what its worth, a very kind and pleasant one.
Bloggers in Germany often write about devastating calls to phone, computer or software hotlines. About employees who give a shit about the actual problem. This post isn’t going to be one of them.
I called the Parallels hotline about a funny problem with my account. I really didn’t have such a nice conversation with a helpdesk in a long time. An interested employee who really wanted to help me. Kind of a relief not talking to someone who is randomly bored, not interested, plain stupid or in any other way distracted.
My problem itself is funny on one side and on the other hand a “don’t ever think about implementing a system that way”.
I really had a good password on the Parallels website, with some special chars and one very special char, a german umlaut, namely the “ü”. Never had a problem with this until they did redo their website and the backend. Suddenly i couldn’t log in anymore. Hm, my browser did safe the password, i remembered it correctly so what the hell is wrong? There was the usual “(i’m stupid and) forgot my password link”, so i clicked this and got my password delivered via email. Huh? There a still people saving passwords in plain text? After for example someone stole reddits database with lots of email addresses and plain text passwords? I felt relieve, that i mostly use different passwords on different accounts.
Please, people, the least thing you could do is to hash you passwords, just to prevent a casual hacker to take your users data away. And even a simple md5 hash would prevented my silly problem ahead. Go with sha or sha512 or the best you can do, salt and hash your password, crypt or bcrypt. Their are libraries for every major programming language available to do this, no need to reinvent the wheel.
Why could this saved me and Parallels a lot of problems? A simple md5 hash would have change the “ü” to some arbitrary character which for sure would fit into the ASCII alphabet and an upgrade to their website backend wouldn’t have the data in the user table mutilated. Thanks! I guess I’m the only international customer with German umlauts in his password.
The most funny thing about the conversation was dictating a funny German word to a native American English speaker and hearing her repeating it. She could look up my account and saw the letters… Trying to log in with them wasn’t possible, neither resetting the password… For that, i must be logged in. Haha.
I guess i could be pissed about the need to open a second account, but the conversation was fun. And in the end, Parallels Desktop is a great product and what the heck, someone messed up and they didn’t blame it on me like many German hotlines do. Furthermore, i was really happy, realising that my rusty school English is still not that rusted and that I’m still able to communicate some problems without much hassle.
But going back to the password problem: Please start writing serious authentication code, it’s not that hard. Thank you.
Edit: I must say, the Parallels support really rocks! They did manage to reset my account and they did read my emails the first time i wrote them and did not respond with some standard templates like many others do. I really appreciate this and this post isn’t in any way a rant against Parallels or their support team, but it is ranting against thoughtless database design.
3 comments
There are a lot of websites in the internet, which are saving the password in plain text. I don’t know why they are doing that. Maybe the feel so save, that nobody ever can steel their database….
To be honest, I would not use german umlauts in passwords but only ASCII characters. To hash or not to hash (OK, storing passwords in plain text belongs to mediaeval times)… But did you ever try to type an umlaut on a keyboard without umlauts? 😉
Sven: That’s just an interface problem. I guess some Russian guys and gals would surely use kyrillic…?
One Trackback/Pingback
[…] A weird hotline call… oder Passwörter mit Leerzeichen, revisted (Link ist Eigenwerbung, zeigt auf mein Zweitblog.) […]
Post a Comment