Security through lying

Raymond Chen

I had forgotten the userid I had used to generate one of my online accounts. I thought I had used an underscore, but I couldn’t get the site to accept it. It did yell at me, though. “Userids must begin with a letter and may consist only of letters, digits, and hyphens.”

Okay, I tried it with a hyphen. No luck.

Fine, use the userid recovery system.

The recovery email arrived. It says “Your userid is raymond_chen.”

Apparently, when they said that underscores were not legal characters, they were lying.

Another site asked me to create a password, and it said that the password must contain a special character “for example ! @ # $ % ^ & *”.

I tried all sorts of passwords and it kept telling me that the password needs a special character, even though I tried [, ~, \, =, :, you name it.

Turns out that the only special characters the site recognizes as special characters are ! @ # $ % ^ & and *. In other words, the “for example” was not a list of examples. It was a comprehensive list of acceptable values.
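The two mismatches described above, reconstructed as an added example in Python (this is not code from the post, nor either site's real validator). The regular expression for the stated userid rule and the use of `string.punctuation` as the reader's reasonable interpretation of "special character" are assumptions drawn from the wording of the messages; `SITE_SPECIALS` is the set the post found to be the only one actually accepted.

```python
import re
import string

# Everything here is constructed for illustration: a reconstruction of the
# behaviour the post describes, not the code of either site.

# --- Site 1: the userid rule the error message states --------------------
# "Userids must begin with a letter and may consist only of letters, digits,
# and hyphens."  (Assumed regex for that sentence.)
DECLARED_USERID_RULE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def userid_matches_declared_rule(userid: str) -> bool:
    """True if the userid satisfies the rule the error message claims."""
    return DECLARED_USERID_RULE.fullmatch(userid) is not None


# --- Site 2: the password "special character" rule -----------------------
# The message says "for example ! @ # $ % ^ & *"; the post found these eight
# are the only characters the site actually counts as special.
SITE_SPECIALS = frozenset("!@#$%^&*")


def site_has_special(password: str) -> bool:
    """Reproduces the observed check: only the eight listed characters count."""
    return any(c in SITE_SPECIALS for c in password)


def promised_has_special(password: str) -> bool:
    """What a reader of the message would assume: any ASCII punctuation counts.
    (Assumption: string.punctuation is the reasonable reading of 'special'.)"""
    return any(c in string.punctuation for c in password)


def rejected_despite_message(chars) -> list:
    """Characters the message invites the user to try but the site rejects."""
    return [c for c in chars if promised_has_special(c) and not site_has_special(c)]


if __name__ == "__main__":
    # The userid the recovery email returned does not satisfy the stated rule.
    print(userid_matches_declared_rule("raymond_chen"))  # False
    # The characters tried in the post are all "special" by the message's
    # wording, yet none of them satisfy the site's actual check.
    print(rejected_despite_message("[~\\=:"))  # ['[', '~', '\\', '=', ':']
```

The design point the post illustrates: an error message written by hand drifts away from the check it describes. Generating the message from the same definition the validator uses (for instance, listing exactly the characters in `SITE_SPECIALS`, and stating "must contain one of" rather than "for example") keeps the two from disagreeing.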