
> In many companies, this would be a P0 "don't go home until it's fixed" production emergency if a bug like this crept in to the software.

Would it, really?

P0 would probably be "10% of our customers can't submit an order." Or "20% of our vendors are experiencing 404s."




If 10% of customers have passwords that now can't log in and submit orders, that would be an emergency.

We're taking OP's word for it that FedEx doesn't allow certain characters as passwords (actually, from the description, it seems more like FedEx only allows specific characters which is even worse). If either of those are true, it is most certainly a defect. Whether FedEx treats that defect as an emergency is up to them I guess. I'm saying many modern companies would.

You originally said "Weird password issues don't count as broke." I think this might just be a case where we have to "agree to disagree".


> it seems more like FedEx only allows specific characters which is even worse)

If I read it right it sounds even worse. FedEx allows the characters and then random stuff just breaks.

It is much preferred to get a simple "only English alphabet and numbers please" warning message when you are trying to set the password than not getting any warning and then things breaking.


I've had this before at a University I used to attend. I had a password with either a % or a & and I found I couldn't log into one specific system. I changed my password to a different one, but still had one of those special characters. I was curious and tried a more "basic" password and I was able to get in. The system just wouldn't accept certain characters in your password. The main University password manager did disallow certain special characters, but clearly not enough of them.

It never makes you feel very confident in an institution's security when they can't even figure out how to get a username/password to work properly on their systems.


> You originally said "Weird password issues don't count as broke." I think this might just be a case where we have to "agree to disagree".

I meant broke in the sense of "if it ain't broke, don't fix." If there are over 300 microservices running code, connected to mainframes running code that was originally from the 80s, but they occasionally have password issues - the risks caused by trying to fix it might be greater than it's worth.

That doesn't mean FedEx can't do a better job telling people not to use special characters - or detecting if their current password contains them and forcing a password change.


> If there are over 300 microservices running code, connected to mainframes running code that was originally from the 80s, but they occasionally have password issues

And we ended up where the thread originally began "FedEx may have the worst and least secure digital platform for a major company."

Besides, that is horrible! There should be 1 microservice which deals with passwords, the authentication one. Everything else should just get a token attesting that the user is authenticated (or not).
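The design described in the last comment, as an added example that is not part of the original thread: one authentication function is the only code that receives the password (treated as UTF-8 bytes, so characters such as `%` or `&` need no special handling), and every other service only verifies a signed, expiring token. The names `register`, `login`, `verify`, the in-memory `USERS` store and the shared HMAC key are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, os, time

TOKEN_KEY = os.urandom(32)  # assumption: key shared by the auth service and verifiers
USERS = {}                  # username -> (salt, hash); in-memory stand-in for a user store

def _hash(password: str, salt: bytes) -> bytes:
    # The password is hashed as raw UTF-8 bytes: no character is special here.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

def _sign(body: bytes) -> bytes:
    return base64.urlsafe_b64encode(hmac.new(TOKEN_KEY, body, hashlib.sha256).digest())

def register(user: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[user] = (salt, _hash(password, salt))

def login(user: str, password: str, ttl: int = 300):
    """Auth service: the only place that ever receives the password."""
    salt, stored = USERS.get(user, (b"\0" * 16, b""))
    if not hmac.compare_digest(_hash(password, salt), stored):
        return None
    claims = {"sub": user, "exp": int(time.time()) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return (body + b"." + _sign(body)).decode()

def verify(token: str, now=None):
    """Downstream service: checks signature and expiry, never sees a password."""
    try:
        body, sig = token.encode().split(b".")
        if not hmac.compare_digest(sig, _sign(body)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, AttributeError):
        return None  # malformed token
    if claims["exp"] < (time.time() if now is None else now):
        return None  # expired
    return claims["sub"]

if __name__ == "__main__":
    pw = "p%20&ss=w+rd;'--"  # constructed sample password with "awkward" characters
    register("alice", pw)
    token = login("alice", pw)
    print("token:", token)
    print("downstream sees user:", verify(token))
```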



