Just a quick rant today. 🙂 Nothing major.
I’m a member of Microsoft Alumni. All that means is I worked at Microsoft as a full-time employee just like those before me. And, because of that, I had applied for membership in the Alumni program when I left Microsoft. It’s a great program that keeps you informed of Microsoft happenings from other Alumni. Well, it’s actually much more than that. You get various benefits and it’s easy staying up to date on new software and Microsoft information.
But, the ecompany store portal is not very friendly, at least to me. I log in every few months to see what is new. However, this year, it seems like every 2 months my logon information is either lost or the site is broken. So, not always a good experience.
I’m writing about this here for my future documentation and to see if others have this issue. Well that’s if you belong to the alumni program and use the ecompanystore portal.
Due to the number of accounts I have I utilize a password manager. There’s no way that I could remember all the passwords. Which brings me to this posting.
Why is it that every time when logging into https://store.ecompanystore.com/microsoft/Shop/Landing#/ there are issues? You’d think that logon password issues would be solved by now.
Things start off simply enough: enter email address, one that I’ve had for many years and know by heart. 🙂
Select next and you are presented with options for identifying who you are. I select the Microsoft Alumni button.
With this screen I enter my alumni number and open my password manager, then copy and paste into the “Password” field. (By the way, yes, I’ve typed in the password as well.) Now that’s pretty damn simple, isn’t it? Well, I’ll do that and display the next screen.
Yup, same issue that is repro’d every time. So, I select the change password option. But, as an additional step I’ll select “Send Password Reminder”, because I made it super simple when I had changed my password the last time (about 10 minutes ago). If the reminder is sent with what I had changed it to, it should stand to reason that my password was also changed.
After entering my alumni ID and selecting “Send Password Reminder”, you receive the following dialog for both “Send Password Reminder” and “Reset Password” (go check email).
As a fan of the “Big Lebowski” I used his nickname for a test and I received this in email.
So, when I changed my password it also allowed me to set up a password reminder.
Requesting the password reminder came back with the correct password hint. The password, also simple, should allow me to log in.
Starting again with newly changed password:
It behooves me why this is an issue. I used Chrome, Firefox and IE. All with the same results.
I’ll try and resolve this via email, not sure how well that will work out.
Sorry to subject you to the previous sections. I decided to leave this posting as is. Sometimes I get a little impatient, and when I wasn’t able to log in I stopped, got a cup of coffee and captured each screen, talking to myself and reading the screens.
Well, digging a little more I noticed the issue could be my fault. NOT. I just counted my chars: 18 chars. According to the password rules, that would generate the error message received. Still, the process allowed me to continue, creating the round robin type of thread. So, this is what I’ve told them. And, it’s still broke. Go figure.
I’ve dug into this a little more and have discovered a possible bug in the ChangePassword function. It seems there isn’t a method that notifies users if a password exceeds 16 chars. A password such as the following meets the password requirements of between 8 – 16 chars with special chars that are covered here.
P@s$Wrd1 (8 char)
This password also meets the requirements
P@s$Wrd1P@s$Wrd1 (16 char)
So, when adding these and updating both the password and hints, the data is stored and updated properly. So, when I log in again they’ll be there.
And, they are.
The following isn’t allowed according to the password rules of 8 – 16, as this one is 18
P@s$Wrd1P@s$Wrd1P@ (18 char)
So, when you enter this 18 char password and new password hints and hit enter, you are shown a screen that says the password was changed.
And it was, but not at the 18 chars that were entered. The P@ are dropped, leaving P@s$Wrd1P@s$Wrd1, which is 16, and the password hint is updated.
When attempting to log on again, having the message state the ID/password did not match caused this confusion.
Because the last time I had logged on was about 4 months ago, when I had changed my password, and since it was accepted I did not think about it until the issue cropped up again today.
When attempting to log in.
I bet I’m not the only individual that has had this issue and sent out emails reporting these issues.
If you’re trying to obfuscate things, from a security point of view you don’t really want to display a message that says longer than 16 or something similar that can give away the password size for possible cracking, but on this site, with the password rules mentioned, it should not be an issue to put a check on the field to ensure the entered item isn’t greater than 16.
So, if I were you folks I would create a bug to ensure code paths are the same and that checks for field size are enforced.
The reason for checking your code paths is to make sure that something isn’t missing from 1 page or another with your MVC.
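To make the failure concrete, here is an added example (not the store's code, which isn't shown anywhere on this page) that reproduces the silent-truncation behaviour next to a change-password path that shares one length check with every other page. All function and class names, the `alumni-0001` ID and the PBKDF2 storage are assumptions for illustration; only the 8 – 16 length rule and the sample password come from the post.

```python
import hashlib
import hmac
import os

MIN_LEN, MAX_LEN = 8, 16  # length rule quoted in the post


class PasswordPolicyError(ValueError):
    """Raised instead of silently altering what the user typed."""


def validate_password(password: str) -> str:
    # One shared check, called by every page that accepts a new password.
    if not MIN_LEN <= len(password) <= MAX_LEN:
        raise PasswordPolicyError(f"password must be {MIN_LEN}-{MAX_LEN} characters")
    return password


class AccountStore:  # hypothetical stand-in for the site's account backend
    def __init__(self):
        self._records = {}

    def _save(self, user: str, password: str) -> str:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._records[user] = (salt, digest)
        return "password was changed"

    def change_password_truncating(self, user: str, password: str) -> str:
        # Behaviour described in the post: extra characters are dropped
        # and the user is still told the change succeeded.
        return self._save(user, password[:MAX_LEN])

    def change_password_checked(self, user: str, password: str) -> str:
        return self._save(user, validate_password(password))

    def login(self, user: str, password: str) -> bool:
        salt, stored = self._records[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(stored, candidate)


def demo() -> dict:
    store = AccountStore()
    typed = "P@s$Wrd1P@s$Wrd1P@"  # the 18-character sample from the post
    store.change_password_truncating("alumni-0001", typed)  # constructed ID
    result = {"typed_password_logs_in": store.login("alumni-0001", typed),
              "first_16_chars_log_in": store.login("alumni-0001", typed[:MAX_LEN])}
    try:
        store.change_password_checked("alumni-0001", typed)
        result["checked_path_rejects"] = False
    except PasswordPolicyError:
        result["checked_path_rejects"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The special-character rule is left out because the post does not list the allowed characters.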
Change password link when signed on to the system ( 2 extra // )
From Email Link To Change password
Thoughts & Ideas, Joseph Kravis 🙂
Pretty good testing is easy to do (that’s partly why some people like to say ‘testing is dead’ – they think testing isn’t needed as a special focus because they note that anyone can find at least some bugs some of the time). Excellent testing is quite hard to do. – James Bach