Hey front-end folks, just a quick note. Never ever ever ever ever mess with my browser. It's not yours, it's mine. I'm letting you use it for free to render your bloated sites.
As if any front end developer came up with this. Anyone who has ever had job in the industry knows this is straight from management.
I would love to hear anyone defend the practice of disabling paste on password fields.
I run into it relatively frequently and it both angers me and blows my mind that some developer or team thought this made sense
That and overly restrictive password rules. I often generate passwords using a PRNG or hash function that I know are pretty strong, even if it didn’t actually pick a number.
Most common are the passwords that don’t allow certain characters which leaves me thinking: (1) they must have SQL injection bugs all over the app and (2) they probably aren’t hashing passwords. Either way it’s a clear confession of malpractice.
A weird one in that example is that you aren’t allowed to use any trigraph that appears in your email. I find it amusing because last month I was working on an application that has a large number of autocomplete boxes that start showing options when you enter the first three characters and I must have filled out the form hundreds or not thousands of times so I wrote a little Python script that would compute the trigraph frequencies for any set of names. I found out the most common trigraph in country names is “and” for instance.
(1) they must have SQL injection bugs all over the app and (2) they probably aren’t hashing passwords.
Actually, one I've run into is web-framework-level security systems that are hard to disable. Stuff that prevents users from keying in, like XSS attacks. It's not that the password field is being used unsafely, it's that the web framework they're stuck on makes disabling security on a certain text field more complicated than it needs to be and telling the users "screw it, don't use this character in that password" is easier than figuring out how to get the Rube Goldberg machine to do what you actually want. Back-end languages aren't hot garbage like html+js+css so usually it's normal proper BCrypt in the back.
Obviously a modern web framework won't have this problem, but a lot of sites are old and still running on messy cobbled-together piles of JQuery.
There's also the chance that this is because "security made me".
More than a few times I've written properly sanitized and parameterized applications, and security came along after the fact and told me we had to prevent input of certain characters. Didn't matter that we handled it just fine, didn't matter that it was safe to put it in. Security's argument was that some other team, some where, at some future time might somehow reuse our data and not follow the same best practices.
So no special characters in your password because some engineer in the future might possibly introduce a bug.
I had that problem with ASP.NET back in the day. The creators seemed to think it was impossible to properly escape user HTML against Javascript injections and sometimes you just had to destroy bad strings completely.
It was trashing API keys and passwords which is a problem when "the customer can't log in". I didn't have a hard time disabling this behavior at all though. My feeling is that it is impossible to "live with it" because I didn't know exactly what rules I had to follow to not get strings corrupted.
I don't agree with it either, but the reasoning i've always seen has been along the lines of, "it prevents people from putting passwords into the clipboard which can be stolen by other programs", and then similarly for disabling browser or password manager autofill "because it prevents people from making a mistake and letting a field get filled with a password when it shouldn't". Basically leading to "users should just manually type in and remember all their passwords" at the extreme end of the reasoning.
That doesn't make sense. If I wanted to type a password into some other program for whatever reason I wouldn't find out that I can't paste into the password field until I had already tried.
I know it's not your argument but that doesn't make sense either. Processes on desktop OSes can read each other's memory anyway if they're being run by the same user.
What about all these sites now only showing you login input boxes one by one, what’s up with that???
Enter username, click, now enter password is revealed.
Some sites, password manager manages to do both even if only one is shown but usually not.
It’s a common known fact that every person is born with a certain max number of clicks and taps. We all only have so many clicks left in our lives, that’s one less click that I’ll be able to use doing what makes me happy like doom scrolling Twitter. Dammit.
For many it's to support SSO. so if you put in an email ending in `@company.com` and Company signs in to that site with SSO they direct you to the right place.
The single username and password fields usually allow the site to determine whether some sort of federated login is in place for your domain.
I’ve had very expensive pen testers tell me to do this as recently as last year. They folded instantly at the first sign of pushback, so it seemed to me something that had been sitting in a checklist for years without anybody questioning it, making every website and app they audited worse.
That's awful. It's such a security antipattern, obvious as soon as you take into account, you know, _Humans_...
Site: Please make a password
Human: 7#hs&_suiE2KcS0
Site: No copy and pasting
Human: mydogisagoodboy123
Site: Needs special characters
Human: Pa$$w0rd12345
Site: Looks great thanks
Its like those policies where the password needs to change every 60 days that was found to actually reduce security because of the count-up-by-one passwords people would use. For places where that's been a rule forever it is really get it removed.
You should check out the government's website for buying treasury bonds. Paste and keyboard inputs are disabled, you HAVE to click on an on screen keyboard to enter your password.
Email or other "ID" fields as well. I use 1password, and besides the password part, it's nice to just click on a field and copy/paste knowing you wont make a typo.
I hate it too, the reason might be that there are vulnerabilities where the virus hijacks the clipboard
You know you should memorize all your passwords? And have a unique one for every website? All 100+ of them?
This is literally enterprise software in a nutshell.
If you've ever wondered what the "Enterprise Application Server v21.5™ now with AI, Chatbots, LDAP, Active Directory Integration, Orchestration, and Web 3.0" experience looks like, this is it.
This is what happens when you bring enterprise software into the general public's view. This is what enterprise software customers see every day. Remember, at some point in the rollout of this dog, the team sat in a conference room and came to the right conclusion that the portal is terribly difficult to navigate, and thus the bright idea to write an 21 page PDF instruction manual for the portal was handed off to a 18 person team.
Edit update: The "Enterprise Chatbot Integration Plugin v2.1™ for Enterprise Portals - Enterprise Application Server v21.5" was an add on kicker for $1.6MM license revenue and $3.8MM for 21 years of support. This plugin was developed by one person who works for EnterpriseSoftwareCorp Inc at the behest of sales and marketing and management that decried "we must have a Chatbot AI offering for our enterprise customers because they are asking why we don't." The sales exec who inked the contract after the Broadcom merger ended up #4 in the company for sales, went to Hawaii for the EnterpriseSoftwareCorp President's club awards presentation. The Broadcom engineer who was forced to implement this plugin into the Portal just copied the example from the docs (a template of links) and realizes he'll really have to roll his own LLM to add any real capabilities to the bot. But, he was able to check the box that says "we have a chatbot"
I don't think all enterprise websites are this bad.
Certainly my utility websites (e.g. electric/gas) are a lot more functional and a lot less user hostile, because...those companies would really like it if you paid your bill on time, so at least that workflow is pretty polished.
Wait, you need to go to a website to pay your electric bill? Mine is auto-deducted from my bank (up to a certain monthly maximum that I have set myself). You get bills directly in your bank, and then approve (possibly allowing auto-deduction for future cases) or modify or ignore them as you see fit.
One would figure you'd set up this autopay through the utility provider's website.
Uh, why? Why would I need to go through a different procedure between each entity I want to pay? After all, the point of a bank is to make unified transfer procedures between entities.
Many banks let you set this up directly with them - through their own site - via partner integrations with utility providers.
I bet a shiny nickel that you live in a place where the liability for a mistake in this procedure is between the bank and the utility company, not on you.
Over in the USA, setting up a bill autopay for a variable amount generally involves a credit card intermediary with a 2-4% rake or a lot of risk to you.
It's only if you don't set up autopay, but you usually have to go to the website for the first time at least to set up the autopay.
You aren't dealing with the enterprise site at that point - rather a public frontend that uses some enterprise-y backend. The real fun begins when you get into the actual enterprise frontends for internal use like SAP Netweaver and Sailpoint, which end up being quite a lot like the broadcom experience in the article.
It's a racket. It might not be as common today, but I remember when there were lots of people whose career was based on their SAP expertise, and the reason they got hired was that no one else could deal with that crap if anything went wrong. Once a lot of those people get into big companies, their career is based on preventing their employer from dumping SAP (or equivalent) for something better. So, it's like they have agents inside all the large companies that use their stuff.
When I worked in manufacturing IT for a F500, a full 20% of our IT organization was various flavors of Oracle support.
Sailpoint
Oh gods, the painful flashbacks.
Certainly my utility websites (e.g. electric/gas) are a lot more functional and a lot less user hostile, because...those companies would really like it if you paid your bill on time, so at least that workflow is pretty polished.
Your utility websites are customer facing and everything that the user can't do themselves will result in a phone call or a ticket wich will directly drive up cost.
In enterprise it is the opposite. Whatever the costumer cant do themselves requires a ticket. Any ticket or fast ticket response requires support wich increases revenue.
I just had a meeting with someone from IBM last week about API Connect, they admit that their docs suck and are wrong in places. It is typical enterprise software, slow and cumbersome, just as reported by OP.
I think the point they were trying to make is that enterprise software (served as SaaS for internal-to-the-business users) frequently has awful UX. Think things like SAP & Oracle (or anything Oracle has acquired, like Cerner, AgilePLM, etc) -- those big, heavy, complicated enterprise softwares rife with decade(s) of technical debt and no-longer-understood features that were tied to long forgotten business or technical requirements and created by commodity developers who weren't particularly skilled or particularly knowledgable about their domain.
I ran an Enterprise Apps org for a F500 where IT was purely a cost center and we created crap like this all the time.
honestly this isn't that bad imo. i've seen, used, and been forced to make stuff that is way worse than this. it's just the natural result of the corporate development process and it's virtually impossible to not end up with something that strongly resembles the broadcom site.
you get one guy who just comes up with ideas in the shower and then drops a message on microsoft teams at 9:30pm telling the team to make it so, and you also have any manager even remotely involved with anybody who uses the product able to dictate features and functionality too, none of these people have experience in technical roles and are either sales, ex-sales or ex-scrum masters.
then finally at the end of the human centipede, you have a bunch of .NET-brained pseudoprogrammers sitting in a circle nitpicking and debating the most "correct" way to split up and size the current thing and then cram it into the existing mess until you end up with a plan of action that is a combination of multiple ideas which may have once been half decent in isolation but the result is a steaming pile of human shit.
I've been building enterprise software for a while, but in smaller startups. In all cases we've taken pride in our UX.
In the current product I'm building, the domain experts are a generation older than myself and the mockups and designs they produce reflect that. If we just recreated their spec to the pixel, our application would fit right in on a Windows 95 desktop.
Yet if you were to look at our application, it has a clean, modern, user friendly design. To accomplish that required me to occasionally push back when they were set in their ways or some cases just ignoring the requirements and building out certain functionality my way. The domain is sufficiently complex that we don't have a ton of time to focus on UX. So the most important thing was setting the general UX patterns from day 1 and mandating developers follow that early on.
I nominate anything run by Workday as the worst website in the world.
Anyone looking for work can probably empathize. All the other websites mentioned are distant runners up to that monstrosity.
My favorite part of Workday applications is the fixed list for “field of study”, which doesn’t include my field of study or an “other” option. Or maybe its the “autofill from resume” which always, always fails in different unexpected ways. Or maybe its requiring me to manually enter my name and the current date >3 times.
My favorite part is not having the ability to create a single Workday applicant profile that they can persist across all their customer companies.
For that matter, Peoplesoft isn't any better.
single tenant architectures strike again.
the fixed list for “field of study”, which doesn’t include my field of study or an “other” option
If it's anything like the "employment sector" options that banks ask you to pick from, then they're not trying to collect accurate info, but rather asking you to bucket yourself into a categorization system used by some very popular credit/risk-scoring heuristics.
My guess for why an HR platform is asking such a thing: it probably populates a field that can be fetched through an API, by corporate spending platforms (Float et al) that integrate with Workday, to determine (or at least "recommend") the employees who should be issued spend cards.
My theory is that companies choose workday because it saves them money. If I have an expense below a certain threshold, I just eat it rather than dealing with workday's insanely complex expense report flow.
I was railing against workday for a different reason last week. I had a qualifying event and needed to add a dependent to my health insurance. The first screen in the flow was to change my coverage, but it only offered "self" plans (not the self + dependent I was trying to change to). I finally learned (after 2 screenshot laden emails with HR) that I had to "submit my choice and continue" for the wrong plan before I'd be allowed to choose the correct self + dependent plan on some future screen that I had no idea even existed. The "submit my choice and continue" felt rather final.
> If your expenses and reimbursements are difficult to file, that's OK, because the people above you don't actually care if you get reimbursed. If it takes applicants 128% longer to apply, the people who implemented Workday don't really care. Throttling applicants is perhaps not intentional, but it's good for the company. [1]
That was also the thesis from an article that made it to HN’s front page a week ago [2].
[1] https://www.businessinsider.com/everyone-hates-workday-human...
Workday is a seemingly universal evil. That being said, some of my emotions toward Workday might be entangled with my feelings towards HR.
I got aggravated, physically aggravated just by reading the cursed hellspawn’s name. I hate this website and everything it stands for.
Agreed, I recall a short time some arm of my company used workday learning for training courses. To do a course, you had to add it to a shopping cart for some reason, then "check out", which opens a popup. If you somehow managed to complete the course, the popup would just close with no indication that the course was actually done.
I actually really like the ARNGREN.net site- reminds me of the funky product classified ads that you used to see in the back of magazines like Popular Mechanics.
I personally think this website is amazing... I mean, how do you even maintain something like this?
Absolute positioning and manual html editing :)
Absolute insanity. Commendable.
Okay hear me out:
instagram, but instead of infinite scroll you just show a blank canvas. When you post you include an xy position used to absolutely position it on the wall. Everything is 100x100 pixels max. Epoch time of post date determines zIndex.
you'd love https://www.lingscars.com
What that arngren.net is missing is the cheesy Johnson Smith ads for X-ray specs! and Sea Monkeys! Johnson Smith was like the cheap claw machine of magazine ads. You knew that all you were going to get was crap, but it was fun crap. Maybe it helped that it took like 2 months to come and you were imagining how great it would be the whole time.
Am I the only one who...kinda likes https://arngren.net? It makes me feel like I'm looking around at a garage sale, and it's somewhat enjoyable.
I get what you're saying. It has character, that's for sure :)
But have you tried to actually perform a task? Ie "I want to buy an animal-shaped robot". Your eyes don't have anchor points in such a chaotic layout, it's very easy to get lost, miss items, and forget which items you already checked and which ones not. Users probably get a brain seizure after 1 minute trying to actually find a product.
It's predictable, navigable, and fast. 10/10 compared to most other websites
Yeah I like that too. I don't know if it is accidental or what but it might be chaotic... but it is chaotic in a way that looks like it is governed by some very specific rules that sets your expectations and makes it pretty fun.
Reminds me of Lings Cars which is actually awesome https://www.lingscars.com/
I was on board until I realized that I could scroll off the right side of the world because of the footer background.
Sometimes unpolished design makes something feel authentic. Which I guess it is, if it's selling things people actually want to buy.
They have (forgotten to turn off) some sort of ftp service: https://softwareupdate.vmware.com/cds/vmw-desktop/
That's not ftp, it's https.
"sort of"
Prove it to us. Upload a file.
Two sides of the enterprise coin.
Not FTP, just a web server with directory listing enabled.
edit: downvotes? That's literally the situation here, look at the friggen URL.
I am so thankful for your comment. I was fighting with their captcha entry screen not showing me anything for the better part of an hour this morning before I gave up.
Compare and contrast to https://maddox.xmission.com/ "The Best Page in the Universe"
Another victim of enshittification. His essays used to be quirky and fun but he went off the rails once he started doing Youtube videos.
There's a bit more to it than that. Maddox _really_ went off the rails when his friends realised how thin-skinned he was on certain topics (i.e. his girlfriend leaving him for one of his closest friends) and they could get a much larger audience by making fun of him than working with him, and he totally played into their arms with his LOLsuit.
https://www.vice.com/en/article/a3bwjj/the-cuck-centric-flam...
Both [Maddox and his friend Kokkinos] performed at Upright Citizens Brigade in LA, sometimes together, with Kokkinos occasionally guesting on The Biggest Problem in the Universe*, a show Maddox co-hosted with his then friend Dick Masterson. After Masterson began dating one of Maddox's exes, creating an interpersonal rift that resulted in the duo cancelling their podcast in 2016, Masterson launched his own podcast, The Dick Show, on which Kokkinos was soon a frequent guest. As The Dick Show grew in popularity, Masterson and Maddox’s public rift widened, with each party’s respective fanbases joining in on the antagonism.
This is just the tip of the iceberg, check Maddox recent 3 hour video (!) on how he was allegedly stalked for years on end by Masterson and his crew. It's a wild ride.
Haha, I remember I sent him a hate email about this and he replied with something like "No, I haven't changed, YOU changed..." hahaha
I just went to it, been a while. It is much different than I thought it was :(
I have been moving my page to gemini, but maddox is a great page :)
I am experiencing similar frustration while trying to publish my App on Google Play! Publishing my app on Apple Store was smooth but Google Play is nightmare.
I totally agree. Their UI is hot garbage.
After going through all the pain now I am stuck at the last step where I need to find 20 unique testers before they will allow me to go to production!
Is that a thing? Can you go stand in a mall and spend an afternoon getting people to test it?
They are referring to the requirements discussed here: https://news.ycombinator.com/item?id=38258101
Can you go stand in a mall and spend an afternoon getting people to test it?
Does that really work ? If a stranger at mall asks us to install a random app out of regular play store flow, only a small number of people will oblige. That number should ideally be zero.
Just share it on reddit.
The worst website of all time was that of Yvettes's Bridal and Formal, a bridal shop in Panama City, Florida.
Here's a copy of it [1]. Here's a video that explores it and talks about the person who probably designed it [2].
You won't get the full Yvette's experience on a modern browser and computer because even if your browser does automatically play the MIDI file that the site tries to send it will probably sound good because you've probable got a decent sound system with good MIDI instruments.
That’s so bad, it’s good!
Reminds me of https://www.lingscars.com/ only even more so…
Yvette's Bridal and Formal is unironically art.
This broadcom website is a banal evil.
This sort of design was a style back in the late 90s when everyone was just getting the hang of HTML and using nested tables before CSS was invented & started becoming popular, and anything besides text/hyperlinks and images was pretty risky to include since browsers hadn't yet evolved to support a standard set of features.
My personal favourite is the old New Zealand Studylink website. You had to log in with both a password and a 'passcode'. You didn't type the passcode though, it told you to enter two or three random characters using dropdown boxes. I always had to write the passcode on paper to figure out which characters were needed (mine was long).
Reminds me of this classic 'feature' from Lotus Notes (scroll all the way down on the page): https://web.archive.org/web/20120123085307/http://homepage.m...
Direct link to the relevant paragraph: https://web.archive.org/web/20120123085307/http://homepage.m...
Some sites put the right number of asterisks between the boxes so you can count off the characters. If they wanted the 2nd, 5th and 6th characters of eight you would see (where B is a dropdown box):
* B * * B B * *I'd like to just respond to the caption on the first image.
It's me. I'd wear that shirt with a cat samurai on it.
Because I looked into it in the past, I would like to point out two things.
First, the shirt is very easy to find. If you want it, you can easily find the store online with the information from the post alone.
Second, Instagram is chock full of shady sellers like this one selling t-shirts with AI-generated pictures. You can order from them and the product will probably arrive (eventually), but their websites are copy-pasted versions of each other (I just found at least six stores with identical "About Us" text) with different t-shirt designs whose reviews are uniformly poor. So don't count on excellent customer support.
Then again, maybe you are the type of person who always wanted to maybe receive a badly-printed, misaligned polyester shirt of a cat carrying a deformed sword. If that's the case then today is your lucky day.
I would also wear it. Why does he get more relevant advertisments than me? I only get advertisements for clothes I'd never wear. I just checked out their website and I'm seriously considering buying some cat samurai shirts.
Dammit. This was also my first thought. Might consider it, if customs doesn't make it too expensive.
I can just imagine the meeting of the people who created the 11 page how to use this website pdf. Awful.
I actually feel for these people. They know the site is awful and have no way to improve it except to make a manual.
The real problem is letting the marketers and the "we're proud of ourselves!" sort take full control. I imagine the goal is "we have all these things under one roof!".
Good grief.
You can still have the same framework/layout. EG, support, products, etc. But you can do it under "categories". For example, "VMware by Broadcom" or some such blather.
And all support, all webpages, are only vmware related in that category.
But really, transitioning vmware's webpages to this is just dumb. What a waste of time. Just use vmware's website with a "by broadcom" in the banner, and who the hell cares.
So juvenile. That little bit of brand recoginition, oh it's so important.
Yeah, it's so important that it's not LSI, but broadcom in the firmware when my server boots now? Firmwares all need to have name changes?
Can anybody help me understand why browsers even allow disabling paste? It’s such a universally hated and ableist function. Why can’t the browsers just force a fix by…not supporting this “feature”?
Problem is, the idiot customer copies and pastes the wrong thing, and then goes on bothering customer support, who go and bother me, the dev, to fix the account. Obviously there are solutions to fix all of this, but that's not how management dreamed up their website, so I'm stuck between supporting idiots and disabling paste.
right, if I can type into it, I expect to be able to paste into it, like every other text field in every OS GUI of the past, what, 40 years?
Just use Proxmox, it's fantastic for many vMware use-cases.
Agreed, but it doesn't run on Apple Silicon.
The switch isn't nearly as easy for vmware, but nothing drove EDR sales like the new bcom website after they acquired Symantec.
SEP was great because it was low impact and ticked a compliance checkbox. Useless if any event was going on but in the technical planning calls these clients just werent interested and would passively renew SEP every year like clockwork. Then broadcom switched up the website and every single one of them brought up the 'so we are wanting EDR after all' pitch request on their own. None of them could figure out how to renew their license.
edit: Have you guys seen IBM's fix pack site? it technically works, but jeeze. Why do I have to go through a web store ordering flow to patch db2?
YES! IBM's Fix Central, or how it's called, it's literally a maze.
And I hate Oracle's and Red Hat's paywalls, even if I can understand their presence.
In for a comment on the premise that led to this article:
Broadcom didn't make vmware desktop apps free because they want you to use them; they made them free because they don't want to sell or support them anymore. They only still exist because they have to ride out existing commercial support agreements and customers need the software while they transition their workflows.
Do not use Workstation or Fusion anymore; these products are dead-ended.
It used to be that ESXi and vSphere were free to use for a single server too, but not anymore.
Don't forget the marktcap of Broadcom is $646 billion!
ENTERPRISE'Y
Is this website still actively being used? One of the items is for something that appears only 4 years old: https://www.youtube.com/watch?app=desktop&v=0ci2860tpRU
Some interesting comments in the source:
<!--$sitebuilder version="2.9.0" extra="Java(1.8.0_231)" md5="58227db99c3a8f4ebd4480726328f28f"$-->
<!--$page size 3500, 2832$-->
Terrifying
My insurance company wants to dethrone this awful web site with their own. At least they're working towards it.
This is like that email where Bill Gates was lambasting his subordinates for the insanity that is Microsoft site: https://www.techemails.com/p/bill-gates-tries-to-install-mov...
I have a strong contender. British Gas has removed their bank details from printed statements and their website, because they want to force people to create online accounts and set up Direct Debit.
The worst websites in the world are the ones that are just blank pages without any content at all. Most corporate websites are like that these days unless the stars align and all the javascript executes just right.
I am pretty sure you will change your mind after visiting my university website.
Right now Broadcom.com is coming close to the worst website in the world.
I recently tried to register for an Apple developer account, and it has been the most infuriating process I've been through on the internet... and I am used to the French govt websites! At some point, the H1 title was in white on a light grey background, and I considered sending a screenshot to Jonathan Ive. To this day, I did not succeed registrating.
I think most of the "fuck yous" where you just simply get dropped at the main Broadcom page is because most enterprise sites just redirect what would be a 404 to the main landing page.
I hate that pattern because it's super confusing. Did I click the wrong link? Just tell me you can't find that page.
Many enterprise websites undergo so many retools that search engines trying to drop you off at a specific page would just 404 everything (even the main page if it's something like `example.com/main/en/index.php`), so the 404 redirect is "required". Then one company buys another, then all example.net/useful/docs links are translated to example.com/useful/docs links, which 404, which redirect to example.com's front page.
Not even close to the worst. The worst I see is a major brick&mortar retail chain that has been trying to do online for years.
Part of their execution problems might be misleading metrics. Their "how was our service?" followup emails aren't sent for the routine (around 50%) fulfillment fudge-ups that backend should've prevented. Nor for occasional checkout breakage that fails with signs of multiple things that are simply being done incorrectly. So I have the nagging thought that someone might be hitting their KPIs/OKRs, and the right people aren't aware what a dumpster fire they're operating.
I wonder whether Amazon could've already eaten the online component of that category, with their overall superior competence and (selective) customer focus, if they didn't have the counterfeits indifference/misalignment problem, and worsening reputation for quality and caring about the customer.
Did someone tell you about SAP Ariba? The website for invoices where you cannot click on your list of invoices, but can get an other click menu to get “send me a link by email”…
For Linux, there is Gnome Boxes, which is a quite good VM for all the stuff I need one for. It may not be as complete as VMware, but has most of the important stuff.
What you get when money meets corporate meets engineers who don't say no.
Weird, I thought the arngren.net website screenshot looked beautiful.
The password requirements on some websites seem like they're designed to deter me from creating an account.
That looks awful. Unfortunately you could probably write a very similair article about many other corporate or governmental websites. E.g, applying for an ESTA felt like registering for some kind of scam. Or the systems to let friends and family park for a reduced fee in many municipalities also seem to be designed by people who hate humanity in general.
I know a website even worse, globalsign which is selling code signing certificates. They are so deep into making shitloads of money out of thin air they stopped caring in 2002. This is the only website with a password field which ONLY allows alphanumeric characters, so you have to remove all them exclamation marks, dollar signs and underscores from your generated password. They also have a freakin chat bot assistant which just throws links to documentation in response, and they use "Live Chat" for the button just like you are really going to talk to a human. If you google something globalsign certificate related, the whole first page is filled with links to their documentation. Guess what happens when you click one of them? It's a 404 page. The insides of a portal is just a horror website from the far far past, it takes maybe 30% of the wide screen in the top left corner, everything you click loads for good 30 seconds. Ah yes, if you go to your orders for example, you just get an empty table. Only when you click on "search" button the table fills. Also they will put a block on your card funds for purchase the very first moment they can do it, and it's not the last step of the form. If you could not proceed due to some nonsense error which tells your american express card zip code check failed (i used visa lol), your money will return in 10 days maybe. In the end, you have to print and send some HAND FILLED forms to them in order to get this bullshit "vetting" process done, you can finally launch your fucking egde browser in an internet explorer compatibility mode to collect your hard earnrd certificate. At least a bit cheaper than other providers. 0/10 would not recommend. Unless you really really need to eliminate this SmartScreen circus warning dont do it. Sabotage this stuff. Just let your users check the installer hashsums and they safe
Is that website a profit center? If not Broadcom absolutely could care less about your experience.
He didn't even mention my favorite part: "No learnings found" . No learnings here indeed!
Brilliant
It's like if eBay and Altavista had a child in 1995.
When you get your own browser you can do whatever you want but while you are living in my house under my rules I get to copy/paste whenever I goddamn feel like it.
Don't give Google any ideas, err, wait...
You can apply this do many Governments, banks and insurance websites.
Last example I witnessed: my home insurance forced me to re-register in their website due to some (clearly half-assed) migration. The way to force that was giving you a login form with user/password but no clickable "Submit/Login" button! And then a mini (like 50px tall) banner at the top of the page telling you that you had to recreate the account.
A post talking about the worst website that doesn't mention the wonderful Ling Cars [0] cannot be taken seriously.
Or should that be in a post about the best website?
This is amusing, but in a "stand-up comedian jokes about bad drivers" kind of way. Good for a half-second chuckle, but flattens out pretty quick since extremely bad websites and software are something I deal with literally every day. And most of them are not even corporate behemoth types like VMWare.
And while I'm here... Thankfully, I am in a new job where I don't have to support vSphere anymore, but I just want to give a big "fuck you" to Broadcom for literally wiping the quite-decent community forums and knowledge base off the map. Sure, the KBs still exist, but on a different domain, and they deleted _all_ the metadata and the old KB links scattered across decades and the web all 404 now.
If Broadcom's goal was to reduce support costs, eliminating the forums and neutering the KB was a pretty bad way to go about it.
That Broadcom support site looks like it must be Servicenow.
If you know, you know.
The Vodafone website in Italy is actually worse, believe it or not.
bro needs a fuck broadcom sticker https://sysadminafterdark.com/product/fuck-broadcom-sticker/
I've got a friend who's been pushing his employer to get off VMware since Broadcom bought them. Absolutely astonishing how fast the enshittification is kicking in.
The bigger they are, the stupider they get.
Seems like he never used government websites.
When you get your own browser you can do whatever you want but while you are living in my house under my rules I get to copy/paste whenever I goddamn feel like it.
Any company that blocks copy paste on their website is stupid and I hate them.
I would think management can't be that adamant about not letting users copy-and-paste... I would also think front end folks should try saying "no" to at least some of those silly requests
Large corporate/government IT lives on another plane of existence. Rules are made in some far-flung office and enforced through edicts that can't be challenged, partly because nobody knows exactly who created them, partly because nobody wants to stand out, and partly because yes-men surround the upper levels of management.
Anyway, somebody somewhere about a decade ago seems to have injected into the heads of such rule-makers that users who paste their password confirmations defeat the purpose of the confirmation mechanism, which was leading to excess support requests for forgotten passwords. So, therefore, pasting into the confirmation box (or even better, both boxes) should be disabled.
Never mind that password rules have gotten more complex, that allowing users to temporarily preview their passwords instead is now recommended, or that the use of password managers and online password resets means even if the original concern were valid, it's now moot. The rule exists, and so it must be followed.
At some point these corporations do lurch forward (or die), so eventually this will get changed, but it'll happen way slower than it should.
Honestly, 1Password (& co.) should have an option to "Type password" next to "Paste password".
Prevent that, you stupid website, I dare you!
It does, actually. (At least the old self-hosted version that I still use does. Don't know about the newer one.)
Fwiw keepass and keepassxc allow you to do this.
This shit is usually from "security" which, in corps, is just endless list of boxes that you need to check and are handed over manager to manager. Everyone is scared to actually remove anything from the list because nobody knows who is actually responsible for maintaining it; getting through the hierarchy to even find such a person would take a month; if you find him, he will tell you "oh it's for compliance with <some mysterious government/iso/owasp document that's 20 years out of date>, safer to keep it there"
Exactly, good luck convincing management not to do something that the infosec team suggested even though it provides an insignificant amount of security. The hackers you really have to worry about aren't using your front end, they're submitting directly to your endpoint to bypass exactly these kinds of things.
That one may be coming from the InfoSec guys.
"Infosec mill agency that looks for easy wins to justify the high price tag they charge enterprise clients like Broadcom"
FTFY.
Disabling copy-paste is exactly the kind of thing that a higher-level manager sees on some website, decides immediately that it’s very important for content protection and IP and trade secrets and whatnot, then emails a middle manager to have this implemented ASAP. A week later the request has filtered into a ticket that lands in the front-end developer’s inbox.
What should the developer do exactly? Ignore the ticket? Educate the manager who’s perhaps three steps up in the hierarchy and doesn’t even know the person’s name who is charged with implementing the misfeature? Neither would go down well.
Not in my experience, and not for trivial things like this. I'm sure this varies widely with employer, location and life situation, but generally these kinds of annoyances are both far from the worst that people need to do / tolerate, and that they don't have any say in what goes into the product, they either implement it, or someone else implements it and they can go work at someplace else if they don't like it.
I do some front end work. I push back on things and win some battles re-directing them, but ultimately if the client pays to do a stupid thing, they get the stupid thing. It is their website, not mine.
I can't imagine any front end person spending extra time blocking the paste function when nobody asked them to do that. This may also come as a surprise, but sadly management and infosec doesn't always take advice from the front end developers.
This isn’t a front end dev problem.
You can say no but management isn’t under any obligation to capitulate, and often won’t.
More over, it’s often solutioneering as a result to some other management identified issue that devs have pushed back on.
This is the imbecile's solution to people pasting in their passwords from a text file. Except some people paste them in from their password manager.
Also, the error he got when he tried to put in the password the first time is likely because there's a mismatch between what it claims the password rules are, and what they really are. He might have exceeded the maximum password size (yes, I know they're supposed to be salted in the backend, and maybe then even are, but you still run into this). Or it might be that he used disallowed punctuation (some sites seem to dislike anything other than question marks and the ones over the 1-2-3 keys... I've personally seen the percent sign and ampersand both cause problems.
If there were some little embedded xml file that my password manager could pull from the page automatically that would tell it what the rules are, then I wouldn't have to debug your shitty account creation systems, nameless developer drones out there working for big companies! Not that you care.
Hm? No, it really did come from a front-end person.
There was a period in the late-aughts when people wanted to emulate the iPhone's inertial scrolling on the desktop. Most modern sites had it and it was infuriating.
That's probably around the time when this site was built.
I'm thinking you may not have made it all the way to this part of the article when you were reading it, but here's the rest of the context
Forcing the user to type the password manually rather than letting them paste something in. I think the original idea was to not allow them to mistype the first one, then paste the typo in the second field. But it's a dated practice and very annoying.
I once worked on a project for a Pharma company and this one guy tried very hard to push his password requirements and no pasting stuff, but luckily we convinced someone with final say that we should just follow the NIST guidelines for password reqs and leave the UX of the password field up to the UX people lol.
I do agree though that smooth scrolling was a front end developer offense, luckily it went out of style pretty quickly.
correct. the other analysis here is wrong. we see similar for payments where user is not allowed to paste in ACH info.
but this isn’t exactly about user error per se. this is about support cost for bad entries. if the user types a wrong password during registration the recovery of such is very hard. the common user (even of a product like fusion) is VERY unsophisticated and will have severe problems recovering. the more advanced user will have plugins that disable paste disabling. the middle skill user (like in the post) will get past it on their own.
so net net this is just another case of this is why we can’t have nice things. they “have to” address that bottom (skill) level of users.
personally i can excuse this. the rest, not so much!
I think we can go another level up though: why are browser vendors allowing it if it's verboten — if they make it possible, someone will use it.
No one's going to risk their job over their boss's inane request to break copy & paste.
yeah I can't really think of a good use case for blocking paste. the Clipboard API is useful in general though and a good addition overall even if some people misuse it.
As I understand it, you need to be able replace the paste command with your own custom thing for stuff like Google Docs. But then you can always just replace it with a no-op.
I wonder. In my experience, all Indian news media outlets (except two) hijack the clipboard. If you select and copy an entire paragraph, in your clipboard, you get only the first few words and a link to the article. While I hate it, and think they are being hostile to me. I think they are catering to a usage pattern, that if you paste that stuff in WhatsApp, the readers would definitely get a link to the article. Traffic guaranteed.
Side note on this clever work around https://github.com/aaronraimist/DontFuckWithPaste
This edge is a greatly under-acknowledged and under-represented boundary of propriety, and is routinely flagrantly and hypocritically overrun by organizations with legions of attorneys who fight tooth and nail to stake their claims in the providence of others.
The close cousin is the "click-wrap" agreement, which should be the very first point of engagement for access to any resource that employs it, but is perennially represented as an afterthought which a priori deprives the visitor of recourse from his later exploitation using the form of a "contract" which is fully understood by everyone to not be read, is written in gibberish, and placed at the very end of a primrose path of necessity for access to one's own labors.
A huge warning sign of the intrinsic rentier dynamic of the high technology industry has been built into every PC since the dawn of the era and on prominent display: the "Welcome" screen. You think you are being warmly greeted upon arrival to the cusp of a vibrant commons, but you are actually being told in no uncertain terme that the PC you just bought was pre-appropriated by its software. The purchase price is rent. The device is your property only in the sense that you own the direct costs of its failure and disposal. You are given an account with limited access to its capabilities and being permitted to access it under the auspices of your hosts. Your work is without value to your hosts. The device is a conduit of your continuing consumption, controlled as tightly as possible, which with every step into its labyrinth further reduces, limits and degrades the value of your work to you, and shifts its value to the device purveyors.
This hazard is conventional to the structure of every web service today, including this one: your data (work) goes in and never comes out. It's trapped in the dynamic and context maintained by the host.
No social media architecture today respects your work in context, including this one.
Your comments should belong to you, be hosted by you, and maintained in a mutually shared and beneficial context. But instead your comments go into a black box which you are permitted to review, in exchange for locally issued currency called (tragically) "karma" which is a simply a mechanism for limiting your visibility within a hopelessly regressive and passé format of a reverse-chronologically ordered list of the popular. Everyone on the social web is a serf, tilling a text box, and sharecropping status.
My making an example of HN not to call it out for being egregious. HN is completely ordinary. I'm merely offering an example for how totally indoctrinated the technogentsia is to these dark patterns of social networking architecture and how blind everyone is to them.
It's pretty weird that these dark patterns are so pervasive when you consider that the ideological bent of most computer technologists is "libertarian".
But I should note that California ideology is inherently Randite, and Ayn Rand was a deeply disturbed person.
With transformer AI we have now seen that every human input on the web has specific economic value which is being aggregated and harvested towards the creation and consolidation of enormous kingdoms of social wealth and privilege. This is being done completely without regard for the principles of propriety that software and MSM content publishers have represented through law as being essential to the construction of a commonwealth.
Every output of a transformer is a derivative work without even attribution, much less royalties.
And the AI technologists seem poised to have transformers run interference at every level of "customer" interaction with new architectures.
The more you look into it, the more you will see that high technology has been an epic swindle to transfer control of a commons to narrow silos of exceptional privilege, in which not only does the commonwealth shrivel in exchange for the tech's very limited public advantages, but the vehicle you use for your contributions endlessly deprives you of the just fruits of your own labors, encircles you with infrastructure beyond your reckoning, and enforces your conformance to alien protocols via dark patterns.
Much as automobiles make every destination into a parking lot, so the web browser has made every avenue to knowledge end in a gate which is ever further obfuscated into an opportunity to withhold something of value from the visitor, including the value of your own work in context.
"Welcome."