
T-mobile password reset does not allow you to type the letter "V" - sal9000
http://support.t-mobile.com/message/163958#163958
======
MichaelGG
Apparently to prevent paste. Their CheckEnter.js file has:

    function keyDown(a) {
        if (a.keyCode == 86) {
            a.preventDefault()
        }
    }

And that's assigned to onkeydown...

Funny enough, elsewhere in their code, they do explicitly check for Ctrl &
V/C.
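
Added example (not part of the original comment, and apart from the quoted `keyDown` not T-Mobile's code): the handler replayed against constructed key events under Node, beside a hypothetical modifier-aware variant. `keyDownModifierAware`, `makeEvent`, `SAMPLE_KEYS` and `blockedKeys` are names introduced here for illustration.

```javascript
// Handler as quoted from CheckEnter.js in the comment above.
function keyDown(a) {
  if (a.keyCode == 86) {
    a.preventDefault();
  }
}

// Hypothetical variant (an assumption, not T-Mobile's code): cancel V only with a paste modifier.
function keyDownModifierAware(a) {
  if (a.keyCode == 86 && (a.ctrlKey || a.metaKey)) {
    a.preventDefault();
  }
}

// Constructed stand-in for a browser KeyboardEvent so the handlers run under Node.
function makeEvent(keyCode, mods = {}) {
  return {
    keyCode,
    ctrlKey: !!mods.ctrlKey,
    metaKey: !!mods.metaKey,
    shiftKey: !!mods.shiftKey,
    defaultPrevented: false,
    preventDefault() { this.defaultPrevented = true; },
  };
}

// Constructed sample keystrokes (86 = V, 45 = Insert, 65 = A).
const SAMPLE_KEYS = [
  { label: 'v', keyCode: 86 },
  { label: 'Shift+V', keyCode: 86, mods: { shiftKey: true } },
  { label: 'Ctrl+V', keyCode: 86, mods: { ctrlKey: true } },
  { label: 'Cmd+V', keyCode: 86, mods: { metaKey: true } },
  { label: 'Shift+Insert', keyCode: 45, mods: { shiftKey: true } },
  { label: 'a', keyCode: 65 },
];

// Returns the labels of the sample keystrokes that the given handler cancels.
function blockedKeys(handler) {
  return SAMPLE_KEYS.filter(({ keyCode, mods }) => {
    const ev = makeEvent(keyCode, mods);
    handler(ev);
    return ev.defaultPrevented;
  }).map((k) => k.label);
}

console.log('quoted handler blocks:', blockedKeys(keyDown));
console.log('modifier-aware blocks:', blockedKeys(keyDownModifierAware));
```

The quoted handler cancels every V keystroke, which is why the letter cannot be typed, while Shift+Insert and context-menu paste never reach a keydown check for key 86 at all.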

~~~
ams6110
And why prevent paste? Just ran into this recently on paypal when I wanted to
change my password. I generated one in passpack and tried to paste it in, no
can do. Ridiculous.

~~~
machrider
Apple does this, too. Not just on password change forms, but on login forms.
Drives me nuts, as I use a password manager and my passwords are 24 characters
of garbage.

Edit: Apparently I can't reply to the next comment, but keepassx also has the
feature that passwords are cleared from the clipboard after 30 seconds.

~~~
SquareWheel
I ran into this same problem. Had to use the Chrome Web Inspector to get
around it. I believe it's a part of PCI compliance, but plenty of sites accept
credit cards without that nonsense so I'm not sure. GetGamesGo.com does the
same thing.

~~~
tedunangst
Please, in the future, whenever talking about PCI compliance, cite chapter and
verse. There's more than enough wild speculation running around about it, all
sorts of myths are repeated and propagated.

~~~
SquareWheel
I asked a GetGamesGo employee about the pasting issue and that is what he told
me. Let me get the full quote:

    "Cut/paste passwords – that’s a stipulation of PCI compliance. We could scrap it, but they ask for it. We have to be PCI compliant on card processing."

I provided as much information as I had available, I do not know the
chapter/verse. Apologies if I spread any misinformation, I took this rep at
his word.

~~~
einhverfr
I have spent a fair bit of time reading the PCI standards and I have never
seen such a requirement. I suppose it is possible that some sort of
independent auditor is making that call but it isn't in the standard anywhere
I can see. (Auditors seem to have a huge amount of discretion here.)

------
untog
Their entire site is a really bad example of ASP.NET development. As someone
who knows the technology well, it _can_ make great sites. It just rarely does.

I like my T Mobile service but there's something odd with their backend
systems and/or customer service. I logged in to disable their "WebGuard"
service that seemed to be blocking pages at random. It required address and
social security verification, but I couldn't get it to verify my details.

I called, and the customer service agent hopefully told me that my address
didn't exist. I live in the middle of New York, and I've never had this issue
before. I can't help but wonder what crazy verification system they're using.

~~~
heretohelp
>As someone who knows the technology well, it can make great sites

Example?

~~~
untog
Stack Overflow, for one.

~~~
nopal
SO is built with MVC, which encourages good development practices. T-Mobile
looks to be using Web Forms. I'm sure there are good sites out there that use
Web Forms, although as a .NET developer, I've found that Web Forms
encourages practices that I consider bad.

~~~
untog
Oh, agreed. It's just a shame to see the whole framework judged by the crappy
WebForms implementations you see out there.

~~~
nopal
I agree. But I hate the crappy abstraction that is Web Forms. It throws so
much garbage on top of the HTTP request-response cycle, and so many developers
are content to remain ignorant of what's going on underneath or how the Web
actually works.

------
skanuj
Try using special characters - It will just omit some special characters and
save the password with that character omitted. And yes, T-mobile sent back my
password in clear-text, and that's how I know.

~~~
agildehaus
I learned this too recently when my password, which starts with a special
character, suddenly was being rejected.

Turns out they use a Javascript validator on passwords, not only at creation,
but also when you're logging in (beats me as to why). I found a page on their
site that doesn't do the check and I can login fine there.

Storing the password in plain text is absolutely inexcusable. I'm an idiot and
my passwords are stored PBKDF2/SHA512 - not like it's difficult.
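
Added example (not part of the original comments and not T-Mobile's code): salted PBKDF2-HMAC-SHA512 storage with Node's built-in `crypto`, compared against the same storage behind a filter that silently drops special characters, as described in this sub-thread. The iteration count, `stripSpecials` and the sample passwords are assumptions made for the example.

```javascript
const crypto = require('node:crypto');

// Assumed parameters for this example; raise ITERATIONS as far as login latency allows.
const ITERATIONS = 210000;
const KEY_LEN = 64;

// Store only the salt, the parameters and the PBKDF2-HMAC-SHA512 output, never the password.
function hashPassword(password, salt = crypto.randomBytes(16)) {
  const dk = crypto.pbkdf2Sync(password, salt, ITERATIONS, KEY_LEN, 'sha512');
  return { salt: salt.toString('hex'), iterations: ITERATIONS, hash: dk.toString('hex') };
}

// Re-derive with the stored salt and compare in constant time.
function verifyPassword(password, record) {
  const expected = Buffer.from(record.hash, 'hex');
  const dk = crypto.pbkdf2Sync(password, Buffer.from(record.salt, 'hex'),
    record.iterations, expected.length, 'sha512');
  return crypto.timingSafeEqual(dk, expected);
}

// Hypothetical lossy filter modelling the silent omission described in the thread.
function stripSpecials(password) {
  return password.replace(/[^A-Za-z0-9]/g, '');
}

// Constructed sample passwords: they differ only in special characters.
const TYPED = '!correct-Horse#42';
const OTHER = 'correctHorse42';

function compareStorage() {
  const lossy = hashPassword(stripSpecials(TYPED)); // filter applied at signup
  const exact = hashPassword(TYPED);                // password hashed exactly as typed
  return {
    // A login path without the filter rejects the password the user chose.
    lossyRejectsTyped: !verifyPassword(TYPED, lossy),
    // A different, shorter string is accepted for the same account.
    lossyAcceptsOther: verifyPassword(OTHER, lossy),
    exactAcceptsTyped: verifyPassword(TYPED, exact),
    exactRejectsOther: !verifyPassword(OTHER, exact),
    // The stored record contains nothing the site could send back to the user.
    recordHasPassword: JSON.stringify(exact).includes(TYPED),
  };
}

console.log(compareStorage());
```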

------
BryanB55
I hate when people disable pasting in password fields. Some of my passwords
are 50 character random strings stored in 1password and sometimes I need to
copy/paste and can not do it (ahem, icloud). I usually end up disabling
javascript if the page still renders without javascript.

~~~
jrockway
Assuming you're on Linux, you can just pipe the input into "xargs xdotool
type". Thanks to the keyboard abstraction in X, no program will ever be able
to tell that you didn't just type that on a keyboard.

~~~
jedbrown
Unfortunately, xdotool type is schizophrenic with multiple keyboard layouts

<http://code.google.com/p/semicomplete/issues/detail?id=13>

~~~
jrockway
An admittedly obscure corner case.

(Though I'm not defending the X keyboard API. Linux input is a nightmare. I
especially like the hard-coded list of keys in the kernel, limiting the number
of unique keys that any userspace application can address, even though it's
perfectly possible to plug in 128 keyboards each with several hundred keys.)

------
machrider
T-Mobile also capitalized my password on me, once. It was fine for a couple
years and then one day it stopped working. I got the site to text it to me
(why do they even have it in plain text?) and all the letters had been
capitalized somehow. (Previously was mixed-case.)

------
seanieb
Wait till this guy figures out that T-Mobile also stores his password in plain
text.

~~~
antimatter15
I wonder if it's a bad idea to disclaim that you store passwords in plain text
(when you actually use PBKDF2 or something) to trick users into making more
secure passwords.

~~~
milesokeefe
The type of users that use insecure passwords probably don't care about or
understand the implications of plain text passwords.

------
drzaiusapelord
I like to end my passwords with non-alphas like "!" Neither tmobile nor at&t
let me do this for whatever reason. It's incredible how telcos get away with
everything from high pricing to shit web code. These are the mistakes of
self-taught amateurs, not professionals.

~~~
pyre
Sometimes the restrictions are due to interfacing with legacy back-ends. Not a
great excuse, but at least more understandable.

------
madmaze
also interesting is that t-mo will truncate any password at 15 characters
without warning and then only accept 15 upon login..

At least that was the state of things about 2 weeks ago

~~~
troels
My guess - varchar(15)

Adobe does the same thing with the horrible license-management selfcare site.
Which, as far as I can tell, is some kind of SAP frontend.

~~~
einhverfr
And MySQL? ;-)

~~~
troels
I reckon that is nowhere near enterpricey enough. I would be very surprised to
find anything less than the biggest Oracle db running that crap.

~~~
einhverfr
But then you can't blame silent truncation on varchar(15) fields.

------
andrewcooke
why would you want to stop paste? don't mobile devices have things like
keypass? (i don't own a smartphone, but paste all passwords on my computers).

~~~
jschmitz28
It makes sense to paste your password when logging into an account, but from
what I read this is just on the password reset. They probably want people to
actually type their new password twice instead of typing it once and then
copy/pasting for the second field.

~~~
LoganCale
What about people who use password managers to generate random passwords and
paste them into the fields?

~~~
tedunangst
0.0001% of the people get 0.0001% of the love.

------
rat87
This might be a good place to complain about *-ed out passwords on mobile
phones. It makes it next to impossible to enter a password (yes the last letter
not *-ed out for a few seconds only helps a tiny bit). If I'm not copy-pasting
from keepass I'm entering the password in the login field then cut/paste it.

~~~
morsch
I think having the last letter visible for a very short time is a good
balance. I certainly do not want the password to be visible in clear text.
Shoulder surfing is an even bigger issue for mobile devices like phones or
tablets -- which you routinely use in public and around strangers -- than it
is for laptops or desktops.

------
scorcher
I'm not surprised. I got the expiry date of my credit card wrong. It stores it
and will not let you change, overwrite or delete it. In the end I just had to
top up offline till I could move carrier.

------
gnu8
Why are web pages still allowed to interfere with keyboard input like this?

~~~
mryan
Because the ability for JS to 'interfere' with the keyboard input enables some
very useful features. e.g. using keyboard navigation in web apps.

------
greesil
Because V is for vendetta?

