posted by cmn32480 on Sunday September 25 2016, @10:27AM
from the HA-HA! dept.

I always find the various authentication experiences to be more annoying than reassuring, but until now I've always managed to defeat whatever bizarre scheme a web site has created.

Yes, I'm a fan of "Reset Password."

Microsoft though has stopped me dead by refusing me access to an outlook.com [account] even though I have the email address and password.

About three years ago someone established an outlook.com email for an organization. They passed the login info on to me. I subsequently just accessed it via Gmail for the next two years.

Today I tried to log in to outlook.com to make some changes. They apparently feel that I am not who I say I am and demand some kind of "authentication."

After half an hour of repeatedly submitting "Verification Forms" (Names, Birthdate, City, Postal Code, Captchas, Previous passwords...), entering numerous PINs, and generally jumping through hoops, I have concluded that I will never ever access this account again.

Best of all the email quoted below offers no way that I can appeal this to some kind of living being.

Is this the worst authentication disaster ever? Is there any logical reason why you would make it impossible for your customers to ever recover an account?


We recently received a request to recover your Microsoft account *****@outlook.com. Unfortunately, our automated system has determined that the information you provided was not sufficient for us to validate your account ownership. Microsoft takes the security and privacy of our customers very seriously, and our commitment to protecting your personal information requires that we take the utmost care in ensuring that you are the account owner.

Please submit a new account verification form

At this point, your best option is to submit a new form with as much accurate information as you can gather. The more information you can include in the form, the better the chance you'll have of regaining access to your account. We've included a few tips below to help you fill out the form as completely and accurately as possible.

> Submit a new form

Helpful tips for filling out another form:

Answer as many questions as you can.
Use the information you provided when you created the account, or last updated it.
Submit the form from a computer you frequently use.
You will be asked to list recently used email addresses and the subject lines from recent emails. Ask for help from family members, friends, or business contacts to confirm their email addresses and tell you the subject lines of the last three emails they sent you.
Make sure to use the correct domain for your account, such as hotmail.com, live.com, or outlook.com. Keep in mind that your email address may be country specific. For example, if you created your account in Sweden, your domain would be "hotmail.co.se" rather than "hotmail.com".

Ready?

> Submit a new form

Thank you,
Microsoft Support Team

Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
USA


  • (Score: 3, Interesting) by Marand (1081) on Sunday September 25 2016, @01:49PM (#406250)

    This is my first place entry only because it literally made authentication impossible:

    One time, I attempted to sign up for an account on a site (from a large company that should know better) using an email of format foo+bar@example.com. I do this often for filtering purposes, plus a better idea of where spam comes from if I suddenly start receiving it. Sometimes the + causes problems during signup, but this time it went through without a hitch. Account made, email verified, no problems; couldn't be easier, right?

    Wrong. Everything was fine up until the point that I had to actually log into the site with that email/pass combination. The account was created, details locked in, but attempting to login with the email address was met with errors. The form itself didn't have a problem with the +, but whatever email/pass validation they did on the backend broke with the + and crapped out errors.

    Best part is the account existed as I'd given it, even though the login process couldn't handle it. I couldn't create it again with same name, couldn't use same additional information during creation ("this name already exists" type shit), couldn't do any sort of account change or recovery.

    TL;DR: sign-up and sign-in worked completely differently on the back end, so it was possible to create an account that was considered invalid by the login checks. Good job, guys.

    Second place would be when I needed to change some personal information for an online game's account. Damn thing got locked for the duration of the process, which took forever, and I had to provide a ludicrous amount of personal information to prove my identity. Surprised they didn't ask for DNA samples. It took more effort to fix that than it usually takes to prove identity for banks, jobs, etc. For a fucking game. I would have told them to piss off if it hadn't been a gift that'd already been paid for.

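A constructed illustration of the sign-up/sign-in mismatch Marand describes, added here and not code from any site in the thread: both paths must run one and the same address canonicalisation, and the legacy rule shows what happens when login alone rejects the '+'. The names (canonical_email, Accounts, LEGACY_LOCAL), the lower-casing policy and the hashing details are this example's assumptions.

```python
import hashlib, hmac, os, re

# Constructed example, not any real site's code. Sign-up and sign-in must share
# one canonicalisation; here the legacy login rule shows what goes wrong if not.
LOCAL_OK = re.compile(r"^[A-Za-z0-9._%+-]+$")     # '+' sub-addressing allowed
LEGACY_LOCAL = re.compile(r"^[A-Za-z0-9._-]+$")   # stricter check used by login only

def canonical_email(addr: str, local_re=LOCAL_OK) -> str:
    """Canonical login key: trimmed, lower-cased (this example's policy choice),
    exactly one '@', local part matching local_re, dotted domain."""
    addr = addr.strip().lower()
    if addr.count("@") != 1:
        raise ValueError("exactly one '@' required")
    local, domain = addr.split("@")
    if not local or not local_re.match(local) or "." not in domain.strip("."):
        raise ValueError("malformed address")
    return f"{local}@{domain}"

def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

class Accounts:
    def __init__(self) -> None:
        self._users = {}   # canonical email -> (salt, pbkdf2 hash)

    def sign_up(self, email: str, password: str) -> str:
        key = canonical_email(email)            # same function as sign_in
        if key in self._users:
            raise ValueError("this name already exists")
        salt = os.urandom(16)
        self._users[key] = (salt, _digest(password, salt))
        return key

    def sign_in(self, email: str, password: str, local_re=LOCAL_OK) -> bool:
        try:
            key = canonical_email(email, local_re)
        except ValueError:
            return False            # rejected before the store is even consulted
        rec = self._users.get(key)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, _digest(password, salt))

def demo() -> tuple:
    """Same account, two login rule sets: returns (legacy_result, fixed_result)."""
    acct = Accounts()
    acct.sign_up("Foo+bar@Example.COM", "correct horse")
    legacy = acct.sign_in("foo+bar@example.com", "correct horse", LEGACY_LOCAL)
    fixed = acct.sign_in("  foo+bar@example.com ", "correct horse")
    return legacy, fixed
```

A regression test that signs up and signs in through the same code path with a '+' address would have caught this before release.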
  • (Score: 3, Interesting) by Chromium_One (4574) on Sunday September 25 2016, @02:02PM (#406253)

    Yeah, no.

    the address+foo@ is a nice idea, but I don't see the point. Bad actors who resell email addresses can very easily strip the +foo or any periods from the username field of your address. Personally I'd rather just generate a new address that directly identifies the org that's getting it. Variants on "companynamebilling@mydomain" is good enough for about everything.

    --
    When you live in a sick society, everything you do is wrong.
    • (Score: 2) by Marand (1081) on Sunday September 25 2016, @02:46PM (#406267)

      Who says they're mutually exclusive? Making a separate account for every sign-up ever is unnecessary overkill, so I mix the two ideas.

      I have multiple accounts I use, but I also use the +foo thing along with it so that I don't have to check (and manage) dozens of separate accounts. I can have, say, one email for forum type junk and add +sitename to further separate and identify, then do the same thing for a different account dedicated to communication stuff (IM accounts, stuff like that), and so on.

      You're right that people can strip the +foo but few (if any) actually do, so it provides easy sorting because I can filter on the incoming address instead of the sender address (which I've noticed sometimes changes as the sender changes their infrastructure, or outsources mailing list duty to another company, etc.)

      • (Score: 0) by Anonymous Coward on Sunday September 25 2016, @03:49PM (#406283)

        Use something like foo99bar@example.com.

        There's lots of software that filters for proper email addresses, and many of them work slightly differently. So if you push the envelope you're asking for trouble.

      • (Score: 2) by Chromium_One (4574) on Sunday September 25 2016, @04:52PM (#406307)

        Why not a new address per account? It's a bit more record keeping for new signups, but not much once you've got a system set up. Any new address is forwarded to (or mail alias is created for) your main address, one filter rule per address to sort to an appropriate folder, done.

        --
        When you live in a sick society, everything you do is wrong.
        • (Score: 2) by Marand (1081) on Monday September 26 2016, @04:18AM (#406526)

          Mostly just convenience. If I decide I want to sign up for something I don't have to stop and go set up a mail alias in the middle of it, I just stick a +string on there during sign-up and I'm done. I could get similar behaviour making an address act as a catch-all so that mail to any un-created addresses goes to that one, but I've never liked doing that.

          So, I do +foo most of the time because it's fast/easy, then switch to separate addresses if it fails for some reason.

    • (Score: 2) by Whoever (4524) on Sunday September 25 2016, @05:00PM (#406311)

      the address+foo@ is a nice idea, but I don't see the point. Bad actors who resell email addresses can very easily strip the +foo or any periods from the username field of your address.

      While this is true, it assumes a level of competence that is not typical among spammers. I run my own domain/MTA and, having registered foo+bar@mydomain style addresses with websites, my MTA gets attempts to send emails to bar@mydomain. Somewhere along the line a script has tripped up on the "+" character.

      I have also seen the problem that I can register the foo+bar@address, but not log in with it. In the most recent case, this login problem only applied to the Android app: I was able to log into the website with the foo+bar@ address.

      • (Score: 1) by ewk (5923) on Monday September 26 2016, @10:31AM (#406588)

        "...my MTA gets attempts to send emails to bar@mydomain. Somewhere along the line a script has tripped up on the "+" character."

        And if it trips on the part before the '+', email is sent to 'foo' :-)
        So that attempt never even reaches your MTA anyhow :-D

        --
        I don't always react, but when I do, I do it on SoylentNews
    • (Score: 2) by NotSanguine (285) on Sunday September 25 2016, @05:56PM (#406329)

      Variants on "companynamebilling@mydomain" is good enough for about everything.

      That's exactly what I do. And as soon as I don't like the emails I'm getting to a particular address, BZZT! I disable it. No muss, no fuss.

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
    • (Score: 0) by Anonymous Coward on Monday September 26 2016, @08:06AM (#406570)

      Bad actors who resell email addresses can very easily strip the +foo or any periods from the username field of your address.

      If you always use a suffix stripping it off would give them the address for the spam folder. The idea is that the suffixes you actually want email from are whitelisted, and once you start receiving spam on that address, you simply remove it from the whitelist.

      Personally I'd rather just generate a new address that directly identifies the org that's getting it. Variants on "companynamebilling@mydomain" is good enough for about everything.

      That's a different way of doing the exact same thing, except that your method requires your own domain, while the + thing is a gmail.com feature.

      • (Score: 2) by Chromium_One (4574) on Monday September 26 2016, @04:44PM (#406692)

        If you always use a suffix stripping it off would give them the address for the spam folder.

        That's one way to go about it, however ...

        That's a different way of doing the exact same thing, except that your method requires your own domain,

        No, it's not the exact same thing. The user+foo bit can be fucked with by the sender. A completely different address can't. Also, it does not require your own domain, though that is much, much more convenient. You know there's no real limit on, for example, gmail addresses forwarded to one box right?

        while the + thing is a gmail.com feature.

        No, the user+foo addressing is not a gmail feature, it's standard in how email is supposed to work, mentioned in RFC 5233 and possibly others. Not that people pay much attention to standards.

        --
        When you live in a sick society, everything you do is wrong.
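An added example, not any commenter's actual mail setup, of the RFC 5233 style sub-address handling Chromium_One points to, combined with the allowlist scheme the Anonymous Coward describes: parse() splits the local part into user and detail on '+', route() sends allowlisted tags to the inbox, stripped or revoked tags to spam, and unknown users (the mangled bar@mydomain case Whoever mentions) to rejection. The function names, the '+' separator and the sample allowlist are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example of an inbound filter, not any commenter's real setup.
# It splits the local part RFC 5233 style (":user" before '+', ":detail"
# after it) and applies the allowlist scheme from the thread: only tags the
# owner actually handed out reach the inbox; a stripped or revoked tag lands
# in spam, and an unknown user is rejected outright.
SEPARATOR = "+"

@dataclass(frozen=True)
class SubAddress:
    user: str                 # RFC 5233 ":user",   e.g. "foo"
    detail: Optional[str]     # RFC 5233 ":detail", e.g. "bar", None if no '+'
    domain: str

def parse(addr: str) -> SubAddress:
    local, at, domain = addr.strip().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an address: {addr!r}")
    user, sep, detail = local.partition(SEPARATOR)
    return SubAddress(user.lower(), detail if sep else None, domain.lower())

def route(rcpt: str, allowed: dict) -> str:
    """Folder for an inbound recipient: 'inbox', 'spam' or 'reject'.
    allowed maps each local user to the set of tags they currently want."""
    sa = parse(rcpt)
    tags = allowed.get(sa.user)
    if tags is None:
        return "reject"          # e.g. bar@mydomain after a script mangled foo+bar@
    return "inbox" if sa.detail is not None and sa.detail in tags else "spam"

def revoke(allowed: dict, user: str, tag: str) -> None:
    """Stop accepting a tag once it starts attracting spam."""
    allowed.get(user, set()).discard(tag)

def demo() -> list:
    """Constructed mailbox 'foo' that gave out the tags 'shop' and 'forum'."""
    allowed = {"foo": {"shop", "forum"}}
    before = [route(r, allowed) for r in
              ("foo+shop@Example.org", "foo@example.org", "bar@example.org")]
    revoke(allowed, "foo", "shop")
    return before + [route("foo+shop@example.org", allowed)]
```

Rejecting unknown users at SMTP time, rather than accepting and bouncing later, also avoids generating backscatter to forged senders.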
  • (Score: 2) by SomeGuy (5632) on Sunday September 25 2016, @05:32PM (#406321)

    Odd characters can even be a problem on password fields. You know, the ones where these days you are encouraged or even required to use a "special" character or two. Hmm, what kind of password would little Bobby Tables use?

    Once managed to get a space character at the end of a password. Resulted in some interesting problems, but at least I was able to change that later.

    • (Score: 2) by Marand (1081) on Monday September 26 2016, @04:26AM (#406532)

      Password fields are a whole different nightmare. I love when sites remind me to pick a strong password while simultaneously refusing to allow passwords longer than 16 characters and also enforcing limits on what characters you can use. They want "special" characters like you said, but not too special. You start throwing in parentheses, brackets, braces, spaces, umlauts (or other accents), and mathematical symbols and get told to try again with something easier to crack.
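An added example, not code from any site discussed above, of a password check that stores the password as opaque bytes so a trailing space, braces, umlauts or an 18-character value all verify; naive_verify reproduces the trim-and-truncate behaviour the two comments complain about. The NFC normalisation step, the 1024-byte cap and the sample passwords are this example's assumptions.

```python
import hashlib, hmac, os, unicodedata

# Constructed example, not any site's code. A credential check that treats the
# password as opaque UTF-8 bytes: no "special character" allowlist, no 16-char
# cap, no whitespace trimming, so braces, umlauts and a trailing space survive.
# The only normalisation is Unicode NFC, so an umlaut typed as one code point or
# as base letter + combining mark compares equal (an assumption of this example).
MAX_BYTES = 1024     # bounds hashing cost; not a usability limit

def _digest(password: str, salt: bytes) -> bytes:
    pw = unicodedata.normalize("NFC", password).encode("utf-8")
    if len(pw) > MAX_BYTES:
        raise ValueError("password too long")
    return hashlib.pbkdf2_hmac("sha256", pw, salt, 100_000)

def enroll(password: str) -> tuple:
    """Store (salt, hash); the raw password never reaches a query, so a
    Bobby-Tables style value is just another byte string here."""
    salt = os.urandom(16)
    return salt, _digest(password, salt)

def verify(password: str, record: tuple) -> bool:
    salt, stored = record
    return hmac.compare_digest(stored, _digest(password, salt))

def naive_verify(password: str, record: tuple) -> bool:
    """The behaviour the comments complain about: the login form trims
    whitespace and silently truncates to 16 characters before hashing."""
    return verify(password.strip()[:16], record)

def demo() -> dict:
    """Each entry: (naive_verify, verify) for a password these sites choke on."""
    samples = {
        "trailing space": "hunter2 ",
        "18 chars with braces": "{long}[enough](17)",
        "umlaut, decomposed at login": ("stra\u00dfe-\u00fcber", "stra\u00dfe-u\u0308ber"),
    }
    out = {}
    for name, pw in samples.items():
        enrolled, typed = (pw, pw) if isinstance(pw, str) else pw
        rec = enroll(enrolled)
        out[name] = (naive_verify(typed, rec), verify(typed, rec))
    return out
```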