The Proprietary Shopping Cart Fiasco: A Rant.

Based on my experience since becoming a web developer, I’m glad I don’t work in television, because I’d never enjoy shows the same way.

Last week I went online to purchase a ticket to a local sporting event, and was greeted with the bright red text “Please refrain from using any special characters in your password” (screenshot for reference).

From a sign-in form, disallowing special characters, in passwords.
There are so many things wrong with this image.

Never mind the fact that I couldn’t purchase without a username and password—I’m just trying to buy a ticket, now they’ve got me penning blunt blog posts where I’m tempted to out them publicly. It must be hard for Ron Howard to just kick back and enjoy a show on Hulu.

There’s no excuse for this.

The “help text” may as well say “we need to make it dramatically simpler for hackers and bots to crack your password, so we’ve disallowed special characters.”

I’d have loved to be in the meeting where the developer said (with a straight face) “Yeah, we can’t figure out why the database keeps dumping out passwords with special characters, so let’s just put a warning on the site about it, and not fix the bug.”
:head: :desk:

If you are planning on making money with your website, please do me a favor and fire your developer if he or she even remotely suggests this as a fix. That’s not just a non-fix, it’s a banner invitation to hackers who are having trouble finding a database full of weak passwords to test their new malware script on.

If your shopping cart system has this warning, run. More specifically, run to me.

Here’s the real crime: that developer (or more likely the sales rep three cubicles down) probably sold this organization on their proprietary shopping cart system using the same tired “more secure than WordPress” line.

It's time to stop referring to garbage proprietary code as 'More secure than WordPress.'

This proprietary software, maintained by a team of 6 developers armed with a combined 25 years of experience because of one guy with 15 years of it, is all that’s standing between your credit card info and a public database dump. Yet, they can get away with the claim of “WordPress is not secure” because it’s conveniently powering TONS of websites, so odds are you know someone with a WordPress site that’s been hacked. The poetic irony is that the reason those WordPress sites were hacked has very little to do with the software, and a LOT to do with passwords like “asdf” or “password1” which are both perfectly valid, according to the bizarre-o rules above.

Not only is WordPress secure, I can build you an Ecommerce site powered by WordPress that will run circles around that garbage, and the code is maintained by thousands of developers. (And mine will actually require a secure password, instead of disallowing the characters that make it secure.)
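As an added example (not code from this post, and not the ticketing site's), here is the fix that developer skipped: hash the password before it is stored and hand it to the database through a parameterised query, so no character ever needs banning. The alphanumeric-only rule from the sign-in form is included beside it for contrast; the in-memory user table and the sample password are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # PBKDF2 work factor; raise it as hardware allows

def legacy_policy_allows(password: str) -> bool:
    """The rule from the sign-in form: anything non-alphanumeric is refused.
    Note what it lets through: 'password1' passes, 'correct horse!' does not."""
    return len(password) > 0 and password.isalnum()

def hash_password(password: str, salt=None) -> str:
    """Salted PBKDF2-HMAC-SHA256. The database only ever stores this string,
    so the raw characters of the password never reach SQL at all."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time compare

def new_store() -> sqlite3.Connection:
    """In-memory user table, constructed for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    return conn

def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    # Parameterised query: the driver does the quoting, so no character is "special".
    conn.execute("INSERT INTO users (username, pw_hash) VALUES (?, ?)",
                 (username, hash_password(password)))

def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None and verify_password(password, row[0])

if __name__ == "__main__":
    db = new_store()
    pw = "O'Neil; DROP TABLE users; -- %$#"  # constructed: full of the banned characters
    register(db, "fan", pw)
    print(login(db, "fan", pw), login(db, "fan", "password1"))  # True False
```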

The whole experience came full circle as I was checking out, having added my tickets to the cart using the most secure 12 alphanumeric characters I could muster. The developers, again with a straight face, let me know of the $1.50 surcharge to email me my tickets.

A dollar and fifty cents to send that 158 KB email. I’m gonna call that the “Dire Straits” monetization strategy. Because I most certainly gave them Money for Nothin’.
