Are you looking for my non-technical blog?

This is now my technical-only blog, my non-technical blog is here.

15 April 2009

Don't Force me to Hack You

We all know that weak passwords are bad, and that's why most of the web sites add some code in their registration or sign up page to check if your password is strong enough before allowing you to create a new account there.

But for God's sake, why can't they just warn me if my password is weak and then give me the choice to change my password or leave it if I really insist to use a weak one.

The good news here is that most of the time, they do such checks in their front end, aka JavaScript.

Today one of my friends was creating a new account on StumbleUpon as he wanted to try it. But they refused to let him use his favorite password. So I used Firebug console to create a new function that returns true all the time.
function alwaysTrue(){return true; }
Then replaced their password strength checking function with my new function.
pwCheck = alwaysTrue;
And voila! They accepted my friend's password and stopped bugging us.

The point is, password policies are supposed to be there just for our reference. But people are supposed to be free to use whatever password they want. Or else, they will not be able to remember their passwords and will either choose not to use that annoying service at all, or - even worse - they may write those funky passwords down on a piece of paper or have only one passwords for all the sites and services they use.

Tags: , , , ,


  1. I'm not sure I agree with what you've done. Somehow I feel the universe will make you regret it :)

  2. Come on, sometimes you just dun care about a certain website. And you dun care if you loose your access to it, as long as you are just giving it a try and not willing to use it.

    Anyway, it's not me who is going to regret it, it's my friend :)

  3. I think this is the beginning of Browsing2.0 :D

  4. I disagree, password strength policies are there for a reason. It is important that a password should be strong enough. These functions should not be on the client end anyway. They should have checked it on the server side again.

  5. You're right, it's always a bad practice to rely on the client-side security only.

    And yes, the password strength policies are there for a reason, but I hate it when someone tells me what to do. At the end of the day, its may own account, and I am free to keep it vulnerable if I want to.

  6. You go Tarek! Kudos to you. I hate when the password code is not smart enought to accept symbols like @ and ! which I sometimes use for letters a and i .

  7. what u did was really cool :) Kudos to u!

  8. Thanks guys (Anon and Matt)

  9. مرحباً
    لقد قام أحد المعجبين بمدونتك بإضافتها إلى تدوينة دوت كوم، بيت المدونات العربية.

    قام فريق المحررين بمراجعة مدونتك و تصنيفها و تحرير بياناتها، حتى يتمكن زوار الموقع و محركات البحث من إيجادها و متابعتها.
    يمكنك متابعة مدونتك على الرابط التالى:

    يمكنك متابعة باقى مدونات تدوينة دوت كوم على الرابط التالى:

    لعمل أى تغييرات فى بيانات مدونتك أو لإقتراح مدونات أخرى لا تتردد فى الإتصال بنا من خلال الموقع.

    و لكم جزيل الشكر،

    فريق عمل تدوينة دوت كوم.

  10. Password policys are there for a very specific reason. One being is if they hack your account, they get a foothold into the server. I suggest you think about things a little bit more before compromising everybody's security on a website.

  11. I agree with Bitflip. Password policies exist not only for the security of you and your personal data, but that of everyone else on the server, and of the company's business interests. One compromised account can go a long way, perhaps you should be using a better password for everything?