PSA for frontend devs:
Do not block pasting in password or other input fields!
Sincerely,
Everyone that uses a password manager
@m00se
That paste-blocking garbage got me using an addon called Don't F*** With Paste and checking the HTML to see if I can get around the annoying crap that they'll use to circumvent a simple function.
@skypage
Oh! Good tip! I will check it out. Thanks.
@m00se
Yeah, sometimes I can get around it by a right click -> Inspect Element and seeing if there's anything akin to `on-paste=...` that I can get rid of. Otherwise I'll add a rule for the site to the aforementioned addon (you have to proactively add a site for it to block paste sabotage).
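The capture-phase trick that user scripts and add-ons like the one mentioned above rely on, as an added example (my code, not the thread's and not the add-on's). The "site" handler and the field objects are constructed for the demo; in a browser you would pass `document` as the root, and the stand-alone run below uses plain `EventTarget` objects so it works under Node without a DOM.

```javascript
// Added example, not code from the thread or from the Don't F*** With Paste
// add-on: how a user script defeats paste blocking from the page side.
// sitePasteBlocker and the EventTarget "fields" below are constructed.

// What a paste-blocking site typically does: cancel the paste event on the
// field (same effect as onpaste="return false" in the HTML).
function sitePasteBlocker(e) {
  e.preventDefault();
}

// User-script side. A capture-phase listener on the root (document in a
// browser) runs before any handler attached to the input itself, and
// stopImmediatePropagation() keeps the event from ever reaching the site's
// handler, so the browser's default paste action proceeds untouched.
// Returns a function that removes the guard again.
function installPasteGuard(root, type = 'paste') {
  const guard = (e) => e.stopImmediatePropagation();
  root.addEventListener(type, guard, { capture: true });
  return () => root.removeEventListener(type, guard, { capture: true });
}

// Fire a synthetic paste at `target` and report whether it would go through
// (true) or was cancelled by some handler (false).
function simulatePaste(target) {
  const ev = new Event('paste', { bubbles: true, cancelable: true });
  target.dispatchEvent(ev);
  return !ev.defaultPrevented;
}

// Stand-alone demonstration on plain EventTargets so it runs under Node
// (>= 15, which has EventTarget and Event as globals) without a DOM. There
// is no element tree here, so Node runs listeners in registration order and
// the guard is registered first; in a real page the capture phase on
// document gives the guard that ordering no matter when the site attached
// its handler.
function demoResults() {
  const blockedField = new EventTarget();
  blockedField.addEventListener('paste', sitePasteBlocker);
  const withoutGuard = simulatePaste(blockedField);   // false: site wins

  const guardedField = new EventTarget();
  const removeGuard = installPasteGuard(guardedField);
  guardedField.addEventListener('paste', sitePasteBlocker);
  const withGuard = simulatePaste(guardedField);      // true: paste allowed

  removeGuard();
  const afterRemoval = simulatePaste(guardedField);   // false again

  return { withoutGuard, withGuard, afterRemoval };
}

console.log(demoResults());
```

In a page, `installPasteGuard(document)` is essentially the whole user script. The caveat is that it only beats sites that cancel the `paste` event; a site that wipes the field from an `input` listener, or keeps it `readonly` until a keypress, is not affected, and for those you are back to editing the DOM by hand as described above.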
@skypage also, name your fields appropriately so password manager browser plugins can identify them.
@skypage On Amtrak's site, if you try to paste in fields on the main login form you can't, but if you pick your tickets and go to checkout a different login form is presented where you can!
@sirphenom
I've seen the same sorts of inconsistencies with email validation. The + symbol (amongst others) is a valid email character, but so many websites treat it as though it isn't.
@skypage @sirphenom You know they're jacking with you about disallowing the + sign solely because they don't want you to use GMail plussing as a filter to move their future spam off into a spam folder.
They really want your email addy so they can sell it and use it to send you their advertising. I bet their buyers won't pay for a plussed address because they know it's an advertising dead end.
@Klaatu
I think it's literally a matter of naive devs thinking emails can only contain alphanumeric characters with a few symbols like [-_.] and a standard formatted domain name. In reality, about the only validation you can make on email addresses is to ensure it's at least 2 characters and contains an '@'.
@sirphenom
@Klaatu @sirphenom
This article changed my own assumptions I used to have about email address validation when I read it. More software devs need to read this.
https://davidcel.is/posts/stop-validating-email-addresses-with-regex/
@skypage @sirphenom I think they get messed up by how regex counts _ as a letter and not punctuation. Here's some of their validations:
JavaScript:
/^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/
HTML5's <input type="email"> internally does:
/^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$/
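To see where the two patterns quoted in the post above, the "letters, digits and [-_.]" style of check complained about earlier in the thread, and the minimal "has an @" check from the linked article actually disagree, here is an added example (my code, not the thread's or the article's) that runs all four over constructed addresses. `NAIVE_RE` is an assumption standing in for the kind of homegrown pattern that rejects `+`; the sample addresses are made up for the demo.

```javascript
// Added example, not code from the thread or the linked article. The first
// two regexes are copied from the post above; NAIVE_RE and the sample
// addresses are constructed for this demonstration.

// The common StackOverflow regex, as quoted in the post above.
const STACKOVERFLOW_RE =
  /^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;

// The HTML5 <input type="email"> pattern, as quoted in the post above
// ("/" escaped so it sits inside a JS regex literal).
const HTML5_RE =
  /^[a-zA-Z0-9.!#$%&'*+\/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$/;

// Hypothetical naive pattern (assumption): letters, digits and - _ . in the
// local part, a dotted host name, a 2+ letter TLD. Note there is no "+".
const NAIVE_RE =
  /^[A-Za-z0-9._-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$/;

// Minimal shape check: an "@" with a non-empty local part before it and a
// non-empty domain after it. lastIndexOf() because a quoted local part may
// itself contain "@" (e.g. "a@b"@example.com). Anything beyond this is best
// settled by actually sending a confirmation mail to the address.
function hasEmailShape(addr) {
  const at = addr.lastIndexOf('@');
  return at > 0 && at < addr.length - 1;
}

// Run every validator over one address.
function classify(addr) {
  return {
    naive: NAIVE_RE.test(addr),
    stackoverflow: STACKOVERFLOW_RE.test(addr),
    html5: HTML5_RE.test(addr),
    minimal: hasEmailShape(addr),
  };
}

// Constructed sample addresses covering the cases the thread mentions.
const SAMPLES = [
  'alice@example.com',          // plain
  'alice+news@example.com',     // Gmail-style plus tag
  'first.last@example.co.uk',   // multi-label domain
  '"john doe"@example.com',     // quoted local part with a space
  '"a@b"@example.com',          // quoted local part containing "@"
  'user@[192.168.1.1]',         // IPv4 address literal
  'user@localhost',             // no dot in the domain
  '用户@例子.广告',               // internationalised address
  'no-at-sign.example.com',     // not an address at all
  'alice@',                     // empty domain
];

// One row per address with the verdict of each validator.
function report(addrs = SAMPLES) {
  return addrs.map((address) => ({ address, ...classify(address) }));
}

console.table(report());
```

The naive pattern is the only one that rejects `alice+news@example.com`, so a site that bounces plus addresses is running something cruder than either of the quoted regexes. The two quoted ones disagree with each other on quoted local parts, IP literals and dotless domains, and both reject internationalised addresses, which is the linked article's point: the shape check plus a confirmation mail is the only test that does not turn away real mailboxes.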
@skypage @sirphenom yeah, some purposely do it to stop people from using the feature to create multiple accounts.
@Bishop
It's a fool's errand with sites like mailinator or other disposable email systems
@sirphenom
@skypage @sirphenom oh yeah, for sure.
@sirphenom @Bishop @skypage @adam The real question has always been what if my connection/power goes down? But there were always services like pobox.com to store & forward for you & provide many of those extra features without you having to run a mailer service 24/7.
Twilio SendGrid https://sendgrid.com/ is new & hyping itself as an SMTP in da CLOUD, Ok stop raffing. $30 to do 100K emails/month.
Why doesn't Adam give JCD SMTP access or run a listserv that only he can post a newsletter to?
@sirphenom @Bishop @skypage Well proper config'd SMTP tries to deliver mail to a down node for 3 days. But it usually sends a reply email back to sender saying that so it looks very unprofessional if you're down often or a long time.
Not all nodes you traverse may be set up correctly so you still risk bounced email, plus size restrictions etc. could affect it.
Which is why today most SMTPs try to deliver directly to the final node (the DNS MX record for the target email addy).
@sirphenom @Bishop @skypage Some SMTP servers have anti-spam limits to the # of TO/CC/BCC addys you can have on an email. But any windows box can simply use a script to send an email to all these addys & then send it again to the next batch limit & keep doing that until all subscribers get a copy.
Add/Drop management of the subscriber list is the harder part to offload.
@sirphenom @Bishop @skypage
Was looking at a cheap $160 2-bay NAS Monday, got me looking at Synology. Yet a $333 price has me sticking w/ old PC-based NASes instead.
Synology's model #'s are 2 digits max # drives it can control (incl all add-on drive boxes), then 2-digit model year. Suffixes vary for enhanced abilities but the J variant (Junior) is for cheaper versions. All use the same software package & SHR handles mixed drive sizes better than other brands.
SMTP FYI: Since NT4, Windows Components on the Add Programs control panel has uninstalled extra stuff like Fax Server, IIS web server, etc. Click on IIS Web server to see its subcomponents picklist & there's www, ftp, SMTP. So you can pick only SMTP to add an old Unix-style file-based SMTP service to any Windows box since NT4. Something to play with there on port 25.
https://en.m.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol
@sirphenom @Bishop @skypage Whatever a giblet is. Seen these?
Create Mail Merge w/Gmail & Google Sheets
https://www.labnol.org/software/mail-merge-with-gmail/13289/
Keep Google Contacts Up-to-date
https://www.labnol.org/internet/google-contacts-updated/27306/
Lynx-like Text Browser Runs on Google Servers
https://www.labnol.org/internet/google-text-browser/26553/
Web Scraping Reddit w/Google Scripts
https://www.labnol.org/internet/web-scraping-reddit/28369/
https://ctrlq.org/code/19600-reddit-scraper-script
Create 'full fat' RSS feed for Gmail labels (enabling some dark social judo)
https://mashe.hawksey.info/2013/05/gmail-label-to-rss-feed/
Most Useful Google Scripts
https://www.labnol.org/internet/google-scripts/28281/
@billstclair @skypage No minimum length. I should be able to have no password if I want. Muh freedom.
@billstclair @skypage Must be 7 chars long, not 8 no more than 7 and contain 1 uppercase, 1 lowercase and one of these nine punctuation/special characters (listed here). I hit one of those and went WTF?
You know KeePass can generate random passwords for you that are very strong and quite long. Way stronger than any of these stupid site rules produce.
Here, made ya a 20-char, 111-bit
SrBXAFZioH0PVerCS1Y2
strong pswd & I didn't even trick out the possible options.
@skypage @m00se
Yes, blocking paste is pointless from a security standpoint.
Renaming fields is a way to prevent bots from auto submitting your forms, so I understand why people do it.
Password restrictions usually mean they are doing something wrong on the backend. There is no reason a password can't be 'War and Peace' if the user so desires, and blocking special characters means they may have SQL problems.
Forcing people to choose exact requirements enforces bad behavior as well.
@paradisestudios @skypage @m00se KeePass now allows you to put some special markup in an entry's notes field to relate user/pswd data for that account with weirdly named webpage fields for auto-fills. Can even have multiple series of them for really strange sites that may ask in different ways.
@Klaatu @skypage @m00se
Kee, the Firefox add-on for KeePass2, does that for you automatically when you save a new login. I like to logout, then login again with Kee to make sure the login was saved correctly. Sometimes it gets it wrong but it does a pretty good job. May be less secure using Kee but I do like the convenience.
@paradisestudios @skypage @m00se I had an expired password force-reset on my health insurance dashboard. The password reset form conveniently silently truncated my new password to 16 characters from a longer value. The login form even more helpfully did NOT truncate my password.
It took me half an hour to figure out wtf was wrong.
@skypage
⬆️⬆️⬆️ THIS ⬆️⬆️⬆️
It drives me into a keyboard smashing rage when sites do that.