I heard from Alex Goldman of Reply All (a super duper very great podcast with stories loosely originating from the internet):
We’re doing a story about people that have names that websites and computers don’t seem to like – for example, we spoke to a guy named William Test, and a woman named Katie Test, both of whom can’t seem to keep a hotel or airplane booking because the name “test” is flagged by internal systems.
We also spoke to a guy named Christopher Null who had the same problem, and a woman named Joan Fread, who can’t use PayPal because her last name is the same as a PHP command.
I’m curious if there’s anyone in the dev community that is thinking about this, and how to deal with it. Is it even considered a problem? Is the population that this affects so small that people don’t even think about it?
I wrote back, but that was a few months ago and I haven’t heard anything. I figured I’d post my response here since it is really an interesting topic and maybe through the comments here we can stir up some interesting bits he can use.
This is my response:
At the end of the day, it’s sloppy programming. No software should accept a name input and at any point treat that as code. If your last name is like the famous XKCD comic, in a well-designed system, that should be fine.
There are some valid reasons to “flag” names. At my company (CodePen), we flag names for bad language. You can’t sign up as “Sh*tf*cker Dirtyballs”. We do that on purpose, to promote a healthier community.
There is a difference between names and usernames. It’s slightly more legit to have stricter rules around usernames. We have a file called “username_blacklist.rb” in our codebase that prevents the usage of lots of words. The reason for this isn’t that we’re worried about overriding Ruby functions or anything, but: 1) we use usernames in URLs, meaning we need to reserve some of those for our own use; 2) again, the bad language filter; and 3) spam. If a username has “watchsocceronline” (for example) in it, we flag it for a spam review.
The “real world” of programming is complicated. It’s not terribly surprising that companies write “band-aid code” that fixes a problem quickly instead of well. Writing code that blocks/flags a last name of “delete” is easier to write than auditing a whole codebase for situations in which that string causes problems.
What experience do y’all have with this?
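To make the point in the response concrete, here is an added example (not code from CodePen or from the original post) that stores names two ways in an in-memory SQLite database: pasted into the SQL text, and passed as bound parameters. The table name, function names and sample names are constructed for illustration.

```python
import html
import sqlite3

# Constructed sample names, modelled on the kinds of names mentioned on this page.
NAMES = ["Christopher Null", "Katie Test", "Paul O'Brien", "Paul d'Aoust",
         "x'; DROP TABLE users; --", "Joan Fread", "Li Na", "Jørgen Blank"]

def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn

def store_naive(conn, name):
    """Anti-pattern: the name is pasted into the SQL text, so it is parsed as code."""
    try:
        conn.execute(f"INSERT INTO users (name) VALUES ('{name}')")
        return True
    except (sqlite3.Error, sqlite3.Warning):
        return False  # the user sees "invalid name"; the real defect is the query

def store_param(conn, name):
    """The name travels as a bound parameter and is never parsed as SQL."""
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))

def stored_names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY id")]

def greeting(name):
    """Escape for the HTML context at output time; the stored value stays untouched."""
    return f"<p>Welcome, {html.escape(name)}!</p>"

def rejected_by_naive(names=NAMES):
    conn = new_db()
    return [n for n in names if not store_naive(conn, n)]

def round_trip(names=NAMES):
    conn = new_db()
    for n in names:
        store_param(conn, n)
    return stored_names(conn)

if __name__ == "__main__":
    print("naive query rejects:", rejected_by_naive())
    print("bound parameters keep:", round_trip())
    print(greeting("Paul d'Aoust"))
```

With bound parameters every name round-trips unchanged, so no name-level blocklist is needed to protect the query.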
This has to be the best excuse to write “Sh*tfucker Dirtyballs” in an article.
For usernames we had a list of “admin” related names we wouldn’t let people take, as well as names relating to the domain. Just basic stuff to avoid impersonation, but we never really took steps to automate username filtering. We did some of it on a case-by-case basis as we found more people registering with usernames that aren’t exactly appropriate.
Our company ran a campaign last year with user-generated content and we had blacklist filters to stop spam and offensive content. Ironically on the same day we actually received feedback from two separate men who were unable to sign up. Their names? Christian and Islam.
People’s names don’t break websites. Broken websites break because of regular people’s names. Very subtle distinction, but these websites were always broken, and it was just a matter of time. It’s 2017, we shouldn’t be coding as if ASCII is the only character set in the world.
Yup, I have daily trouble trying to save my second name
x’; DROP TABLE users; --
I have a hyphen in my name and often get validation errors because special characters aren’t allowed in name fields (what?).
Phone number fields that don’t allow non numbers, even spaces in some instances. Email validation that doesn’t let a valid email address through (yeah, really). What is wrong with some people?
We’re moving towards just getting rid of most validation except required fields and matching passwords. There’s a great article here on why email validation doesn’t work and it’s hard to argue with the logic…
https://hackernoon.com/the-100-correct-way-to-validate-email-addresses-7c4818f24643#.jdwd3j4i4
Yeah, what is it with developers telling me, through their validation rules, that my name is invalid?! I’ve used it all my life and I’m pretty sure I’m spelling it correctly! It’s a bit of a slight to all the O’Learys and d’Aousts of the world.
Thanks for the link to the great article, by the way. A dose of sanity. The follow-up article, on how to infer user intent and suggest that they may have spelled their e-mail address wrong, adds a bit of complexity back in, but it does present a great way of helping users.
From my personal experience, it is 99% sloppy code and 1% collateral damage.
Reserved (user) names are not so much relevant because, uhm, er, they should be a handful of (rarely) used (user) names.
Removing code injections can be done in a clean, mostly collateral damage-free way but very rarely is done well because of the “I don’t know enough, I want to be 100% sure” attitude, which almost naturally leads to valid (user) names being flagged as invalid. In general shortcuts save developer time but almost certainly negatively affect user experience.
On the other way doing clean and robust security checks does not come free, but code developed once is valid for all subsequent sites built by a given designer and so there is no excuse to do it well once for all.
Not enough programmers have read https://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/ and fewer understand the importance of escaping
I’ve had trouble with my name (Paul O’Brien) more times than I would like to mention as the apostrophe is often flagged as an illegal character.
I have to change my name or guess that they stripped the apostrophe. Sometimes the full name gets accepted but then when you login again the login system doesn’t accept the apostrophe and if you omit it to try and login then your record is not found.
I am unable to access my driving Licence details on the gov website because they don’t know who I am and some of my credit cards can’t handle the apostrophe either so I have to go without it!
My credit card doesn’t even have an apostrophe in it; I get two middle initials instead (my name is Paul A D Aoust, apparently).
My fave is when a website accepts my last name but I see
Welcome, Paul d\'Aoust!
on login :) That’s when I know someone is using PHP with their magic quotes setting all screwed up.
I recall an old issue of a magazine (maybe Wired) from early 2000s where they had an article about the same thing. I think Chris Null’s name was even used in that. But another name that I recall was Babcock. Some woman had trouble accessing certain sites that were filtering on those last 4 letters in her name.
Sometimes “Joe Cocker” can trick some swear traps (where they exist).
Apart from some systems “not liking” him, some of his songs are great! :D
I have a slightly different issue with names sometimes. My name is really short and some sites reject names that are 3 letters or less as not being names. Some even reject “valhead” as being too short to be a name or username. I give all these sites really dirty looks before I add my middle initial or something to make my name long enough.
I had to fix a site like that once. The designer wanted to be ajaxy and clever. The name in the login field would auto-complete (Google search style). And it autocompleted based on the first 3 characters of the name.
Until it found such a match, the submit button was disabled. As a result, people with 2 letter (or shorter) names could not log in.
In my country, people’s first names sometimes are only 2 characters long and last name 3 characters (like my example name ^^).
Admit I have seen and heard of issues with – and ‘. I did run into one site that didn’t like any of the user names I tried LOL I am sure they didn’t like that I did end up using :-)
Glad for the reminder to allow :-)
techmicHELLe
What it comes down to, is that you can’t automate every single thing in the world.
If you go to a real live sign-up desk, and you state your name as “Maya Nayme”, you will get a question back from the person, simply because it’s confusing. It will take a little bit of interaction before the name is accepted.
A sign up form handler can’t interact on that level when it’s confused, so it will just refuse it (at that point). I don’t think it’s necessarily broken/bad code.
Obviously, names such as Test or Null are just unfortunate for tech systems, but so are names like Uvuvwevwevwe Onyetenyevwe Ugwemubwem Ossas (see https://www.youtube.com/watch?v=fla-QobHzwg ) or Sh*tfucker Dirtyballs for regular, real life sign ups.
No automated system can make the distinction between real or fake for every single entry. Some are just more forgiving/flexible than others, and I agree, Test and Null should be allowed in general.
Oh hey remember that time when I couldn’t see this one web site because it had a classname “bottom” in the source so it was flagged as dirty hahahahaha
-sigh-
Just added Reply All a few days ago and am catching up from episode 1. Sounds like a hilarious and frustrating episode to come.
The comment about using blacklists for inappropriate usernames reminded me of a time where I got banned from a forum inadvertently for using the word ‘specialist’. Turns out it contains the name of a male enhancement drug (after the E and before the T) and their filter didn’t check for word boundaries.
I must admit I’ve used blacklists for content filtering before, but I did at least check for word boundaries. It was being used to filter Tweets, but in that case the original was still being saved to a DB, only the filtered was being displayed. No data destroyed!
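The substring-versus-word-boundary difference described in the comment above, as an added example that is not part of the original comments. The blocklist, sample strings and function names are constructed; the display-only masking follows the idea of keeping the original text and filtering only what is shown.

```python
import re

# Constructed blocklist and sample inputs, for illustration only.
BLOCKLIST = ["cialis", "test"]
SAMPLES = ["Senior specialist", "Contest winner", "Katie Test", "Buy cialis now"]

def substring_hits(text, terms=BLOCKLIST):
    """Naive filter: flags a term anywhere, including inside a longer word."""
    low = text.casefold()
    return [t for t in terms if t in low]

def _pattern(terms):
    # \b on both sides means a term only matches as a whole word.
    alternatives = "|".join(re.escape(t) for t in terms)
    return re.compile(r"\b(?:" + alternatives + r")\b", re.IGNORECASE)

def word_hits(text, terms=BLOCKLIST):
    """Word-boundary filter: returns the blocklist terms found as whole words."""
    return [m.group(0).casefold() for m in _pattern(terms).finditer(text)]

def for_display(text, terms=BLOCKLIST):
    """Mask hits in a copy used for display; the caller keeps the original text."""
    return _pattern(terms).sub(lambda m: "*" * len(m.group(0)), text)

def compare(samples=SAMPLES):
    """Map each sample to (flagged by substring filter, flagged by word filter)."""
    return {s: (bool(substring_hits(s)), bool(word_hits(s))) for s in samples}

if __name__ == "__main__":
    for sample, (naive, bounded) in compare().items():
        print(f"{sample!r}: substring={naive} word_boundary={bounded}")
    print(for_display("Buy cialis now"))
```

Word boundaries clear “specialist” and “Contest”, but a real surname that equals a listed term (“Katie Test”) is still flagged, which is why such hits are better routed to review than rejected outright.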
I’ve had websites refuse to accept my email address (“you must enter a valid email address”) because my personal domain ends in “.us”.
I’ve heard many Chinese people have two-letter surnames, which causes no end of problems with validation.
There are also many forms that don’t understand email TLDs are often longer than 3 letters. Back in 2005, our company emails ended in .travel, which failed many email validators. The last time I checked, TLDs can be 2-63 characters long.
My biggest peeve with validation is when important sites like banks only allow short passwords (max 8 chars). These sites really make me worry about their security practices and how they’re storing passwords.
Amen! Password rules of any kind annoy the hell out of me.
Let the user have any password they want. If they choose something insecure it’s their problem not yours. You’re not their mother :)
@jonhobbs the only password rule that should be enforced is the minimum length. Forcing numbers and so-called “special” characters (what’s so special about them, they’re just characters?!) just forces people to create passwords that are hard to remember, but without them being that much more difficult for computers to break.
Obligatory XKCD reference: https://xkcd.com/936/
Yeah, some say you have to have at least one special character and some say you aren’t allowed to have special characters :) Personally I like to use a pass-phrase because they’re easy to remember and pretty secure but some even have a maximum length.
I used a bank that accepted passwords of any length when setting up the account, but limited to 8 characters when signing in. When I figured out why my password wasn’t working, I used Chrome’s developer tools to remove maxlength="8" and it worked.
I can’t tell you how many sites don’t allow me to put my legal name in; the apostrophe just gets caught up in a regex somewhere.
Yep have a ø in my surname
Often not accepted or is converted to a ? character.
I hate my parents. I hate my middle names.
As someone with the last name O’Donnell, I’ve stopped using the apostrophe entirely when filling out name lines. It’s always been an issue for systems to handle.
The main problem with many of the names here is the use of the apostrophe. We’ve been using a standard computer keyboard for so long that we’ve forgotten that it’s the wrong character.
There would be no issue at all (unless the host is moronic enough to block special characters out of spite or hasn’t heard of Unicode) if the apostrophe is a proper typographic one.
On the Mac, you can type shift-option-] while on Windows it’s alt-1046.
I’m running into problems when signing up all the time.
Hate it!
Christoph
Co-worker used to not be able to sign up for things cause “Name can not be blank”. His last name was Blank.
I can vaguely comprehend the Test issue (and definitely the special character screwups), but Null and Fread? I literally don’t know how to screw up code so badly that a string is treated as a symbol, at least not without it causing equally bad issues with regular names like Smith.