Posts Tagged ‘openletter’

An Open Letter to Costco: Please Fix Your Password Handling

June 9th, 2020 No comments

(Editor’s note: This originally happened in early March, just before the ongoing COVID-19 pandemic lockdown began in earnest.)

To whom it may concern at Costco: The process for connecting one’s membership card to their online account through your official mobile app is a nothing short of an overwhelmingly under-engineered mess: a combination of unintuitive workflow, security practices which serve only to epitomize mediocrity, and business logic decisions that, frankly, are so obviously wrong that they should probably be outlawed.

Okay maybe I’m exaggerating and getting a little ahead of myself here. Let’s begin this once more without the vitriol:

Dear Costco,

We need to talk.

I’ve been a long-time member and nearly-weekly customer of your local warehouse for many years; and I recently made the mistake of losing my membership card. It should have been in my wallet, but it was not. The specifics of my idiocy are not relevant here: suffice it to say, I no longer had my physical card. I was unaware of this until last weekend when I arrived at my local Costco warehouse for my weekly grocery run and found that slot in my wallet to be bare.

“That’s no problem,” I thought. “I have all my membership details stored in my 1Password and can easily just get a replacement card at the membership counter. No big deal.”

This is where the an attentive audience might have heard the record scratch, and a narrator say: “It was a very big deal.”

Upon reaching the customer service desk, the representative was very polite and asked me to provide my photo ID so that she could give me a replacement. Unfortunately for me, my license expired last month and even though I successfully renewed it, its slot in my wallet was filled only by a temporary paper license from the DMV until I earlier today received the new permanent one in my mail. Without that photo identification, I could get only a temporary paper card that would allow me access to the warehouse, but then I would only be allowed to pay in cash.

…Cash? …In 2020? Are you actually serious?

To be fair, I do carry a small amount amount of cash on me for emergencies; but as this is my usual weekly bulk grocery run, I can assure you that this small cash cache would have been woefully insufficient for what I was going to buy. And I am not going to the ATM just for groceries. (Again, it’s 2020 after all.)

With a spark of insight, I realized, “That’s no problem. I can just add my card to their official mobile app and use the card that way.” Once again, the record scratch and narrator here are all but audible.

Adding the card to the official app seemed to be fairly easy: Once I had input my membership number and some identifying information — ZIP code and name and such — I was shown a notice that told me something along the lines of: “You need to visit a Costco warehouse to complete the verification in-person.” (I apologise here; I forget the exact text. Had I known at the time what I know now about this process, I would have been more diligent about taking screenshots and whatnot.) This seems reasonable: You want to ensure that the person adding that account is actually a member on that specific account. I understand.

I walked back to the customer service desk and requested the noted verification. The representative there took down my email address and said to follow the instructions in the email to confirm my account. Again, something that seemed, at the time, quite reasonable.

A couple of minutes later, I checked my email and instantly realized that this was to be the last reasonable part of my afternoon: The email I received had a link to complete my account setup and the following information text:

If you have an existing account, you will need to create a new password. This will verify your membership number and link it to your account.

This is utterly ridiculous. I asked the representative why I need to change my password to confirm my email address, and although she was very polite about it, she simply told me she wasn’t sure, but recommended changing the password by simply changing the last character of my current password to something else, like an @ symbol or some such.

First of all, this necessity to change password is a severe flaw in your design. I should not need to change my account password just to verify my email address. There are many good and obvious correct solutions to this problem; and any software engineer with basic experience in this area would suggest one of them here. For example, one possible user-friendly way to do this would be to have the user log in (if not already) and then input some secret single-use passcode that is sent to their email (like a one-time password or random alphanumeric token that they could copy/paste or some such). This could be made even easier by by having the email contain a login link with that code as a query parameter: it would require only one click from the user!

Please note that this is the way almost every major website that handles accounts does email verification: no password change required. Why? Because forcing users to go through yet another hurdle in your software means you will have fewer users. The math is quite simple: The less difficult you make your software to use, the more that people will use it.

Secondly, the entire purpose of me going in-person to this customer service representative was (presumably) so that she could put in my email address and membership number into their computer so that their automated system could send me the email for password reset. This is yet another piece of your workflow that is incomprehensibly flawed: I should not need to verify my email address in-person. I know this is the case because once she had the email sent, I was able to do everything else through my phone with zero other human interaction.

I’m already logged in to my Costco account, and that is keyed by my email address. Just like in the method I described above, Costco should be able to easily verify my email address by sending me some unique code or token that I can enter in a form or via some special URL.

Costco, you should not need to have me verify my email offline. It’s yet another hurdle in your software that I have to jump over, just to use what should be one of its most basic features.

Thirdly, forcing password changes like this serves only to promote insecurity. Not only does this make users more prone to using weak passwords to begin with, but it also encourages them to change passwords in a way that is very predictable — and hence, insecure. See Lorrie Cranor’s FTC blog post for a lot more details and linked studies. Her particular post deals more so with password expiration policies than single-instance forced password resets, but the crux is the same: Forcing a password reset when there is no good reason to do so inherently promotes insecure passwords.

With a heavy sigh, I figured I had no choice and so created a new password entry in my 1Password and set about to change the password so as to confirm the account. Lo and behold, I could not use 1Password’s auto-fill functionality to put in the generated random password. This is a bit frustrating, to be sure, but not every text input in Android yet supports this. And frustrating as it may be, clipboard is always an option. So that lack of auto-fill was almost never a showstopper… until now.

Not only could I not auto-fill the password, but Costco’s official mobile app and their website both prohibit copy/paste functionality in the “New Password” fields. For someone who tries to be reasonably secure online, this is a usability nightmare. By denying the ability to use both paste and auto-fill functionality, Costco, you are adding yet another hurdle to your software, this time in the form of a terrible dilemma: do your users trade away security for ease of use? Of course they should not have to. Being both easy-to-use and secure is the raison d’être for credential-management tools like 1Password to exist at all. NIST themselves even specifically recommend pasting from password managers:

Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets.

“Digital Identity Guidelines: Authentication and Lifecycle Management” (NIST Special Publication 800-63B) by Paul A. Grassi, et al. DOI: 10.6028/NIST.SP.800-63b

Okay, okay, so it’s not all bad, right? Just change my password and continue on? It’s only a one-time thing, after all. If only it were that simple. After creating a new random password and spending a solid three minutes meticulously typing it in twice to double-check it, I clicked “Update” so save the new password…only to see an error page appear and be prompted for a new password once more:

Password must include the following:
• Use between 8 and 20 characters
• Include at least one letter
• Does not contain blank spaces or the following special characters: < > ” \ . ,

This is yet one more hurdle your users have to jump over just to get basic functionality out of your software: in order to get through this quickly, most users will simply choose easily remembered (and therefore, easily guessed) passwords that meet the bare minimum of these guidelines. Moreover, by restricting the length and character possibilities of the password options, you are limiting the complexity of it. Once again, the math is straightforward: the longer and more complex the password, the more secure it is. The math here is once more nearly self-evident: the greater the entropy — that is, overall complexity — of the password, the greater the difficulty in guessing it through brute-force, dictionary attacks, or other means.

Thankfully 1Password has a “memorable password” option, so instead of a random character string which would be difficult to input from memory, I could create a password that’s a sequence of words and numbers (e.g., “Correct1Horse2Battery3Staple4“) which made it slightly less irritating to remember and type in, but my fourth point remains: Password restrictions promote insecure passwords. In fact, Jeff Atwood of Coding Horror summed it up quite nicely in four words: Password Rules Are Bullshit.

So in closing: Costco, please fix your password-handling and account-verification user experience flows. These are at least 4 flaws I found in barely one hour of using your app; and I can only imagine what other usability or security obstacles I could probably find with more time and effort. These flaws are ones not of code, but of architecture.

It’s perfectly fine — we all make our share of mistakes! But mistakes are made to be learned from, not repeated and left unchecked. If left as-is, these are and will be harmful to your customers from both perspectives of usability and security — two considerations that while seemingly disparate, should always go hand-in-hand. Not only does it promote insecure password usage, but in making your workflow actively hostile to the user, you are pushing away potential users and discouraging people from using the app at all.

Please fix these. Your users will thank you, because it will be easier and less counter-intuitive. Your IT staff will thank you, because it will be more secure. Your customer service staff will thank you, because they will not need to deal with as many account reset and usability issues.

And of course, I will thank you, because you will have acted positively on constructive criticism to enhance my experience with your software.

Open Letter to the Trump-voting American Public

November 9th, 2016 No comments

Dear America,

What the actual fuck?

I am ashamed. I am appalled. I am stunned. And I am speechless. I am disgusted to be an American today.

America, you stand on the precipice of electing to arguably one of the most powerful jobs on Earth not a qualified (though flawed) woman, but instead a man who, among his other terrible attributes

  1. spouts science-denying rhetoric, including having many times remarked that global warming isn’t a man-made concern, that it is a hoax started by the Chinese, and that vaccines cause autism — for the record: it is, it isn’t, and they don’t;
  2. has failed virtually every business venture in which he’s partaken, including declaring bankruptcy at least four times;
  3. has neither military nor political experience of any significance;
  4. has repeatedly advocated for violence as a solution to disputes including suggesting using nukes on enemies preemptively (!) and encouraging his supporters to punch protesters at his rallies;
  5. has repeatedly insulted and belittled women, handicapped people, LGBTQ people, Muslims, blacks, immigrants and many others;
  6. has been endorsed and held to high esteem by the KKK for his intolerance;
  7. has encouraged his supporters to bully voters at polling locations; and
  8. has staunchly been an opponent of LGBTQ+ and reproductive rights.
Let’s not forget that his VP candidate, Mike Pence, is arguably just as scary or possibly moreso: He has been outspoken against both Roe v. Wade and LGBT equal rights, including advocating for repeal of same-sex marriage; and has even suggested using federal funding to pay for so-called  “gay conversion therapy,” a malicious, wholly unethical, and entirely ineffective practice which is already (thankfully) banned in five states, including California.
Any single one of these should automatically be a red flag for someone of such potentially high office. But Trump (and in some cases Pence) embody all of these failures as a person and more; and with Republicans appearing to be winning the House and Senate majorities too, you’ve effectively removed even the checks and balances that are in the government by design to restrict such power. In addition to this, Trump’s candidacy has effectively legitimized the bigotry, xenophobia, and intolerance that we’ve worked so hard to rid ourselves of over the past two centuries…I guess the thought is that if someone of Trump’s stature can do something so horrible or cruel and get away with it, why can’t John Q. Public too? But this “us versus them” mentality is exactly the sort of fear-mongering that Trump is succeeding in spreading.
Just look at his record: The only person Donald J. Trump cares about is Donald J. Trump. If you thought he could “make America great again” even though virtually every political and economic expert worldwide is telling you otherwise, or that he could fix our economy the way he “fixed” his businesses, you are both mistaken and ill-informed. If you thought he could fix our immigration policies by closing ourselves off from the world and dividing us, you are again gravely mistaken and need to relearn basic United States history. If you think he can fix our healthcare issues by repealing ObamaCare, leaving 20+ million Americans without a decent health insurance option, then you are literally dooming many of these — your fellow Americans! — to death or disability simply because they can’t afford treatment. And if you think for one moment that he even is remotely qualified or deserving of the role of President of the United States even though he knows so little of the Constitution that he would be sworn to uphold and defend, then you are deeply, horrendously mistaken and I pity just how ignorant you truly are.
Do I agree with every one of Hillary Clinton’s policy proposals and ideals? No, absolutely not! (For example, everything I’ve read about the TPP just makes me despise it more and more.) But when it comes down to it, she has a decent amount of experience and knowledge to succeed in the role of President, which would have put her leaps and bounds above Trump (who has none). In addition, she had the support of Senator Bernie Sanders, former presidential candidate (and arguably someone more suited to the job than even she). I would have hoped that would be enough for those who voted for him in the primary…? But I digress.
Oh well, the long night is over and the election is done, right? Wrong. Wrong. Wrong. (Again.)
Congratulations, America. You’ve made your collective choice. I would have thought it to be a comparatively easy one, but apparently I have forgotten the error of your voting ways. In the 2000 and 2004 elections when you voted in George W. Bush and a GOP-heavy congress, you chose wrong; and those set us back many years of economic, scientific, and sociopolitical growth. I thought you had learned form those failures; but I was incorrect. A decade later and yet again you chose wrong. And the detriment to not only your own country this time, but to the rest of the world will likely be far in excess of anything we can imagine. This is going to leave a scar that time will not easily erase. I’d say to learn from history and not repeat this terrible mistake; but it seems you’ve twice failed to learn the lesson already.
We do have one saving grace, however: The electoral college is in place specifically to ensure that a dangerous candidate, even if victorious in the popular vote, does not become the elected president. I now urge the electors in those red states to do what’s right, going against the ignorance and idiocy of their own populace.
I hope you’re proud of yourselves, America. I’m not. I’m disgraced and disgusted by you. And when so many of you are willing to put such a dangerous and divisive man into power, I am truly scared of what the future holds for our country, for our world, and for humanity.
Categories: Politics Tags: ,

Happy Equestrian New Year (And: Thank You, Lauren Faust & MLP:FiM Team)

October 10th, 2012 No comments

Dear Lauren Faust,

Two years ago today aired the series premiere of this show you created: a show that would forever unite millions of fans – both men and women, adults and children alike, myself included – and change their lives for the better. From the inspirational characters to the wonderful artistry, from its excellent musical numbers (thanks Daniel Ingram) to the brilliant voice acting work all around, My Little Pony: Friendship is Magic has touched the hearts of so many, so quickly. And I your fan, cannot thank you enough.

To be honest, if two years ago you’d have told me I’d today be a fan of My Little Pony, I’d probably have laughed and made some snide, sarcastic retort. But since then, these colorful and playful bunch of magic ponies have stolen this geek’s heart.

I must admit feel a bit like Twilight Sparkle in the “Winter Wrap Up” episode: I can’t draw or do anything artistic at all; I am not imaginative enough to make fanfiction; and I won’t even dare to attempt a Pony Music Video or any such feat, since it would probably just be a waste of bandwidth. So how do I be a productive brony? I hope in lieu of anything fancy or creative, these words will suffice to demonstrate some iota of that gratitude.

In closing: Thank you, Lauren Faust. And thank you to the wonderful team of artists, voice actors, musicians, and other staff behind My Little Pony: Friendship is Magic. It’s been an absolutely fantastic first two seasons, and I eagerly await many more. (Oh, lest I forget, and thank you to all the creative fans who make the wait pass by with amazing art, videos, stories, and other media!)

If you would please, a brohoof!

(Pinkie Pie brohoof)

Aleedye’s Brohoof by ~MacchiatoJolt on DeviantArt (CC BY-NC-SA 3.0)

Peter Gordon