Evil Password Change


...or at least an extremely secure password change method. (Actual production code.)

UPDATE: It’s hard to believe that this code isn’t malicious, but it’s just possible that it was put in as a placeholder and the developer never got around to actually implementing it. If so, it’s a pretty malicious placeholder, since it reports a user error instead of “not implemented”: every user who reaches it is told their input is wrong, when in fact no input could ever succeed.

What’s more interesting is that this follows a pretty common security anti-pattern. Many sites seem to think that it somehow enhances security to keep their password rules secret and force the user to guess what they are. It doesn’t: an attacker can learn the rules in minutes by registering a throwaway account and probing, so secrecy costs the attacker nothing and only punishes legitimate users, who end up picking the first thing the form will accept.
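The two approaches side by side, as an added example that is not code from the original post or from the site it describes: a change-password handler whose rules are published and whose rejections name the exact rule that failed, next to the opaque “guess the rules” rejection the post criticises. The rule thresholds, messages and function names are assumptions chosen for illustration.

```python
"""Added example (not the page's code): a password-change validator with
published rules and explicit rejection reasons, contrasted with the opaque
single-error anti-pattern. Thresholds and wording are assumptions."""
import unicodedata
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Rule:
    description: str              # shown to the user before they type
    check: Callable[[str], bool]  # True when the candidate satisfies the rule


# Hypothetical policy. A real deployment would also reject passwords found in
# breach corpora and user-specific strings (username, e-mail), with the same
# explicit feedback.
MIN_LEN = 12
MAX_LEN = 128

RULES: List[Rule] = [
    Rule(f"at least {MIN_LEN} characters", lambda p: len(p) >= MIN_LEN),
    Rule(f"at most {MAX_LEN} characters", lambda p: len(p) <= MAX_LEN),
    Rule("no leading or trailing whitespace", lambda p: p == p.strip()),
    Rule("not a single repeated character", lambda p: len(set(p)) > 1),
]


def normalize(password: str) -> str:
    """NFKC-normalise so the value stored now compares equal to what the same
    user types at login from a different keyboard or input method."""
    return unicodedata.normalize("NFKC", password)


def published_rules() -> List[str]:
    """Everything the change-password form should display up front."""
    return [r.description for r in RULES]


def violations(password: str) -> List[str]:
    """Descriptions of every rule the candidate fails; empty means acceptable."""
    p = normalize(password)
    return [r.description for r in RULES if not r.check(p)]


def change_password_opaque(current_ok: bool, new_password: str) -> str:
    """The anti-pattern: one generic error, the user is left to guess why."""
    if not current_ok or violations(new_password):
        return "Invalid password."
    return "Password changed."


def change_password_explicit(current_ok: bool, new_password: str) -> str:
    """Check the current credential first, then report exactly what failed.
    The caller is already authenticated in a change-password flow, so naming
    the failed rule leaks nothing to an outsider."""
    if not current_ok:
        return "Current password is incorrect."
    failed = violations(new_password)
    if failed:
        return "New password rejected: " + "; ".join(failed) + "."
    return "Password changed."


if __name__ == "__main__":
    print("Rules:", "; ".join(published_rules()))
    for candidate in ["short", "aaaaaaaaaaaa", " padded password ", "correct horse battery"]:
        print(repr(candidate), "->", change_password_explicit(True, candidate))
        print(repr(candidate), "->", change_password_opaque(True, candidate))
```

The explicit handler returns the full list of unmet rules in one round trip rather than the first one, so the user is never sent back through the form once per rule. Both handlers share the same `violations` function; the only difference is whether the result is surfaced or hidden, which is the whole point of the anti-pattern.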