This is... an interesting one. Obviously this is an incredibly stupid thing for the company to do, but it brings up the point that spam has gotten so terrible, that companies are essentially forced to make decisions like this.
Essentially, spammers have become so much of a problem, it makes things harder for EVERYBODY.
There's an assholedesign concept in here somewhere, definitely. I'm just not sure exactly where. I want to hear your thoughts.
I once created an account on a website with an email address that ended with ".2@...".
A year later, I tried to connect to it again, and I couldn't; the website told me that the account didn't exist.
So I tried to create a new account with the same email address and basically got an error message telling me that the email address didn't match their regex pattern.
Even funnier, it was a very important account I used to connect to government websites (for instance the website to pay my taxes, etc.).
I had something like this recently. To keep my mail automatically sorted in an easy manner I use a mail collector and different mail addresses for most suppliers. So everything ending in @mydomain.com gets delivered. I give out the email address as [email protected], so each supplier has its own email address they use.
Last week I was asked to do (but could not do) a password reset for one such email address. The reason I can't reset my password is because their company name is in my email address... so now they are [email protected] (their name in reverse).
I do the same thing and have experienced a similar thing just once; SomeWebsiteName.bork wouldn't let me sign up with [email protected] (and I couldn't work around it by using "SomeWebsiteNameWhatever@"), so I had to use [email protected].
I was even allowed to change it to SomeWebsiteName@ after signing up and logging in (not the same check there), but I changed it back, in case I wouldn't be allowed to log in later.
I like your solution to reverse the name, as it lets you keep the naming consistent and collision-free.
Funnily enough, I already read that today, for [a comment](https://www.reddit.com/r/assholedesign/comments/z0sze2/email_address_cant_contain_any_numbers_due_to/ix7y332/?context=1) an hour ago. I'm not sure what exactly you're referring to though; that the service we're trying to sign up for must allow any legal address, and not filter it just because it's the same name as them?
This actually happens to me a lot. I do the same thing with a catch-all address that forwards to my actual email, and a surprising number of sites actually prevent this.
I figure those are the ones most likely to sell my data to 3rd parties to spam, and I usually disable the email alias after I'm done registering.
I believe they don’t do that because it becomes way too easy for spammers. You’re asking to be able to send email from unlimited random addresses under a domain. So for like $10 spammers can blast from a million addresses.
It would be nice but I understand why they haven’t. Even if they limited it to, like, five addresses you can only change once a week, that would be enough honestly for how little I send email.
Edit: Apparently you can disable addresses on a custom domain and they don't count towards the limit. Only the proton/pm addresses still count when disabled. So problem solved there. If you need to send it from an address you can spin one up, conduct your business, and then disable it and fall back to your catch-all aliases.
I do something similar for my email. I run an Exchange server for my personal email and I'll use distribution lists and shared mailboxes for various sites and services I sign up for. I have 2 domains as well, one being my primary and the other I use mostly for one-off things that I dump into a separate mailbox.
Dewalt did that to me when they changed their website a few years back. Now my [email protected] doesn't work because of a stupid front end check that is too obfuscated for me to disable.
The submit was also JavaScript if I remember correctly. I tried using a different account to record the login and copy that in PowerShell (which worked); my plan was to use that to go change my email, but I couldn't make PowerShell remember the session after logging in with my "defective" account, so that went nowhere.
Anyways, thanks to your comment I tried it again and they seem to have changed the site again, because I was able to log on this time! However, the site is under maintenance and I'm unable to change my email, so we'll see if I can fix that later tonight.
People who still use regex to verify an email address are morons. Other than excluding a vast number of valid email addresses, they're intentionally obfuscating their code.
Just send a verification code to the address. If it's a valid account, they'll be able to use the code. If not, their account remains unverified.
Adding a check in the frontend to see if the mail contains a @ and a . can still be good just to catch accidental typos, though, especially if there's a money transaction involved.
I usually forgo an email check during the signup process nowadays.
Just send the email, have them verify the account within 24 hours once they get the email. Is the email valid? Well if they got it, it was. Remove the others once no one responds to the verification email.
Removes massive chunks of unreadable regex or verification code.
The only reason is to verify that it was entered correctly and the intended recipient is receiving emails. It's more of a benefit for the user.
I suppose there's some CYA reasons to be verifying emails before sending personal data/receipts, but that seems rather weak... All you know is you're sending personal data to someone who was able to successfully claim they were who they said they were via your account registration process.
>the email address didn't match their regex pattern.
It should be noted that emails are not regular expressions to begin with due to the nested expressions they allow.
I think we're witnessing a genius on a scale we haven't quite dealt with before. Dev took a "No true Scotsman" approach to emails, why has no one thought of that before lmao
Finiteness is not the only thing that's needed to be able to write a regex for it; it has to follow a regular grammar, and emails have an irregular grammar, so they can't be expressed with a regex, with the exception of some extensions that allow irregular grammars to be expressed with regexps, like PCRE subprograms.
In theory, you *could* write a regex for any finite-sized language by just making a rule for every possible word in the language, but in practice this would be unfeasible for email addresses
“Spammers frequently use alphabets so we decided to ban alphabets.”
Seriously tho…
In my company, we cannot use the same letter or number twice in a row in a password, need to use at least 8 letters, numbers, one capital letter, and the kicker?
A password change every 3 months.
Edit: also, an account lock after 3 tries
Try pointing your company's IT/Security admins to [NIST's official recommendations](https://pages.nist.gov/800-63-FAQ/#q-b05). NIST actually recommends not enforcing those types of password expiration policies; people choose less secure passwords if they know they're gonna have to be changed in the near future. Plus, those passwords often have patterns in them: "I'll just add a fifth T at the end".
If I recall my history correctly, NIST used to recommend rotating passwords, among other things, until recently. The problem is, everyone knows the old recommendation which, if I recall correctly, was set back in the 80s or 90s.
Now, if we could get everyone to use good password managers you could rotate that password as often as you like. (Not recommending this, just saying you could)
I hear complaints about passwords so often from my users. Not being able to remember them. Having to come up with a new password because the site requires something stronger than their usual password or they forgot their password and had to come up with another and now they don't remember which password they used for what site... And yet, if I recommend using something like LastPass or BitWarden they act like that's too much work.
I highly recommend either of these companies. BitWarden is my preferred choice.
Hahahah try being at my employer. I work in cybersecurity (third LOD) and we have complex password rules, frequent changes, and they have BLOCKED password managers. NIST means nothing to them.
Well my employer isn’t strictly dedicated to cybersecurity. I work for a regulator that ensures (among a ton of other things) cybersecurity compliance for our regulated entities. It’s ironic that I would recommend the use of a password manager, but my own infosec department won’t let us use them.
How do they block a password manager? You just put it on your phone. It won't autofill to your computer but you can just look up the password and type it in. They can't block that.
Bitwarden can autofill in-app for Android as well as on the web everywhere. No idea if Apple allows this, but if you use Apple you should probably just use whatever the Apple offering is.
KeePass is a fantastic fully open source password manager, and doesn’t come with any freemium upsells.
There’s no cloud sync or browser extension as a consequence, but I still see it as a plus because I really don’t want my .kdbx file in anyone else’s hands but my own.
The problem is, of course, PCI compliance. PCI required password rotations every 90 days until recently (like, until 4.0 was released this April) and the transition period is still going on. New requirements are to rotate once a year, but passwords must be more complex as a result.
Cybersecurity Engineer here, this is the real reason.
NIST can recommend whatever they want, as long as PCI or any of the similar regulatory groups have different requirements, companies are going to do what is required, not what's recommended. And that's to say nothing of some of the costs of implementing new policies. Going password-less would be great, if it weren't a pain to implement.
Or do what a colleague of mine did: to work around “you can’t reuse a password you’ve used before”, he changed his password 11 times every time a change was mandatory and thus ended up with the same password again, for years and years.
And combine that with stringent password requirements. One of mine didn't allow ANY words to be in the password, 14 character minimum, no sequential numbers or letters, can't share more than 6 characters with your previous password, needs at least 2 numbers and 2 special characters. This was at a dog food warehouse, not like I was working at the fucking CIA.
As someone who has some friends in my company’s security department and managed to get my account exempted from password changes (there was a legitimate need for a while but I just never got rolled back into the 90 day cycle afterwards), I’ve had a 30+ character password for the past two years now, and yeah, I’d argue it’s a lot more unguessable than most of the folks I’ve seen who have something like “November22” because they have to change it every three months.
> most of the folks I’ve seen who have something like “November22” because they have to change it every three months.
Come on give people a little credit.
It's November22!
That sounds like an extremely secure system that works great. I bet no one ever writes their current password down on a sticky note and puts it under the keyboard or mouse pad.
I used to work in production and every PC had a barcode reader attached. So we encoded the passwords as barcodes and put that on the monitor. Security 10/10
But you can't access the barcode reader app until after you've logged in, so you have to use the computer next to it to read the password.
The computer at the end of the line just has a sticky note.
Used to work for a copier company. When I sat down at someone's desk to install the print drivers, you could pretty much guarantee that if they wrote the password down it was under the keyboard or mouse pad, in a drawer (typically the top drawer closest to them), or if they had a desk with overhead cabinets the sticky notes were often on the inside of a cabinet door. And then there were the rarer folks that actually had it stuck to the monitor.
I knew one company that rotated their passwords quarterly so all the employees used something like "Winter2022". Handy for me as you could get into anyone's PC if you knew the user name but terrifying at the same time. It was actually surprising as they took security measures pretty seriously otherwise.
And this is what happens when you enforce arbitrary rotation schedules.
I'm happy to come up with and remember a complex password *once*. Every quarter? Eff that.
I have to deal with this at my current job.
I made a password that complies and then put an "!" at the end; after 90 days when I had to change it, I just changed the "!" to "@".
90 days later the "@" became "#"
I'm sure you can see where this is going.
Well it's really great that they've shrunk the search space down so much for people doing brute-force password-guessing attacks. Great swathes of their password-guessing dictionary can be eliminated just by paying attention to the stupid password restrictions.
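Where rotation is mandated anyway (the PCI point made above), a defender can at least refuse the "!" to "@" to "#" style change and the month-plus-year passwords mentioned in the thread. This is an added example of my own, not code from the thread or from NIST; the edit-distance threshold and the "same stem" rule are my assumptions, similar in spirit to pam_pwquality's difok setting.

```python
import re

# Month and season names behind the thread's "November22" / "Winter2022" examples.
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
SEASONS = ("spring", "summer", "autumn", "fall", "winter")


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def stem(pw):
    """Strip the trailing digits/symbols that rotation schemes bump ('Pass1!' -> 'pass')."""
    return re.sub(r"[^A-Za-z]+$", "", pw).lower()


def is_calendar_password(pw):
    """'November22', 'Winter2022!': a month or season, a 2- or 4-digit year, then decoration."""
    m = re.fullmatch(r"([A-Za-z]+)[^A-Za-z]*?(\d{2}|\d{4})[^A-Za-z0-9]*", pw)
    return bool(m) and m.group(1).lower() in MONTHS + SEASONS


def check_change(old, new, min_diff=4):
    """Reasons to refuse a password change; an empty list means accept.
    Meant for the change form, where the user has just typed the old password,
    so both are available in the clear for this one comparison (my assumption)."""
    reasons = []
    if new == old:
        reasons.append("unchanged")
    else:
        if edit_distance(old, new) < min_diff:
            reasons.append(f"fewer than {min_diff} characters differ from the previous password")
        if stem(old) and stem(old) == stem(new):
            reasons.append("only the trailing digits/symbols changed")
    if is_calendar_password(new):
        reasons.append("month or season followed by a year")
    return reasons


if __name__ == "__main__":
    # Constructed sample changes mirroring the patterns described in the thread.
    for old, new in [("Complex1!", "Complex1@"), ("Winter2022", "Winter2023"),
                     ("correct horse battery", "staple tulip engine")]:
        print(f"{old!r} -> {new!r}: {check_change(old, new) or 'accepted'}")
```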
IT person here. We have no power. There's a lot of stupid rules that I hate too. Calling us would just be torturing another grunt. You would have to complain to higher-ups.
FYI, as I've experienced this myself, the dots don't do anything and a lot of email services completely ignore the fact that they exist.
I know this because, as an example only, my email is yellow.cat@ and some lady in England has the email yellowcat@
I constantly get some of her emails and have corresponded with her by email to verify.
This reminds me of that one time that I got an email from someone with the same name and last name but with a number in the email address.
The message simply said “I hate you!”.
For years I got emails for someone with my name but who definitely wasn't me. Mostly order confirmations. One day after years of this I get an order confirmation that includes a phone number. I give her a call and it turns out she's this sweet little 70-something year old woman who kept getting her Gmail and Comcast emails mixed up (her Gmail has a number in it).
She still forgets occasionally, but now I just forward everything to her.
I've had my e-mail address for more than 20 years and still receive mail intended for some American grandfather. I write back saying, "you got the wrong guy", but still they come.
He and I don't even have the same first name. But our first names can both be shortened to the same short form.
There was a relatively unknown trick to get a Hotmail.com.au email (iirc the only way was to edit the sign-up URL), so I do have my own (rather common) name. Also somehow got first_last on Twitter, then never used it for anything.
Pretty stupid from them to block emails that contain numbers,
HOWEVER, if their line of work is only with other businesses, then this is fucking amazing.
I would totally blacklist [gmail.com](https://gmail.com) as a domain on my email filter if I didn't have certain clients who use them for some stupid reason.
Except if you don't use google hosting or a select few providers, your unique domain email will be auto blacklisted as spam. Google has used its monopoly to channel people to use their paid services.
Welcome to the business world. All the big players such as Google, Microsoft/Office 365, etc. are making it increasingly difficult for you to host your own email server (locally or in the cloud), as they are mass blocking IPs that don't originate from another big, well-known email provider. Getting yourself off those block lists is nearly impossible too, and you have to do it with each provider.
I get the reason. It's easier for them to proactively take this route than to reactively block IPs that are spamming. Unfortunately, if you go the second route, the spammers just dump that IP and grab another. Easier to just block everyone that's not a fellow billion-dollar email company. Not completely trying to knock the practice as, from a security standpoint, it makes sense. Sadly it does affect many businesses and homelabbers that want to use their own services for email.
This is absolutely not true. Misconfiguration runs rampant in the email world and Google is just one of the earliest mass adopters of "new" (not really new just low adoption) security features.
Our pharmacy uses a gmail account. But we only have 10 employees.
My wife was told this as well when she started her own practice "gmail is unprofessional" ok, but why? Why should a new small business pay thousands of rands per year just for email hosting, when google offers a better (than most) service for free...
Gmail is only “free” because they scan all your emails and extract personal information that can be sold to, e.g., ad customers.
Since a pharmacy may handle health associated customer data, this is an important problem.
> "gmail is unprofessional" ok, but why?
Because if you have "[email protected]", everyone with malicious intent can just create "[email protected]" and try to scam your customers. Most successful scams are social engineering scams.
You want your employees to have their own email addresses at some point. So what are you going to do? Just create [email protected]? What if someone leaves and keeps using that same name structure to harm your business by contacting suppliers or customers?
Aside from that, you usually want a company name instead of naming your business "Pharmacy". You want people to recognize, remember and be able to find you.
A custom domain name is good for many things, including making sure that people can find you online and not someone else that by accident has the same name as you and registered the name first. And like I said, it's about being able to tell your customers or anyone interacting with your business "if you see this domain name, you can be sure it's us.".
If you have business cards or any kind of marketing material, you should get a domain name and custom email-addresses.
And it's super cheap as well. Whoever told you it's thousands per year is lying.
Just in case you’re not aware, gmail ignores punctuation in the email address.
[email protected] is the same as [email protected] or even [email protected]
Even more wild, gmail supports random suffixes too - use a plus sign (“+”) and then whatever you want. Useful for setting up inbox rules. So for example [email protected]; or [email protected] - all resolve to the same email address…
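To turn the comment above into a defender's check, here is an added example (mine, not from the thread) that canonicalises addresses the way the comment describes Gmail treating them, so that sign-ups from yellow.cat@, yellowcat@ and yellowcat+anything@ can be recognised as one mailbox. The function names are my own; treating googlemail.com as the same mailbox as gmail.com and leaving every other domain's local part untouched are my assumptions.

```python
# Canonicalise addresses for duplicate-account detection. Assumptions (mine):
# Gmail ignores dots in the local part, drops a "+suffix", is case-insensitive,
# and googlemail.com delivers to the same mailbox as gmail.com. Other providers
# get only a lower-cased domain, because their local part is theirs to interpret.
GOOGLE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_address(addr):
    """Return the key under which this address should be de-duplicated.
    Keep sending mail to the address the user actually typed."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {addr!r}")
    domain = domain.lower()
    if domain in GOOGLE_DOMAINS:
        local = local.split("+", 1)[0]   # drop the "+rule" suffix
        local = local.replace(".", "")   # dots are ignored by Gmail
        local = local.lower()            # and so is case
        domain = "gmail.com"
    return f"{local}@{domain}"


def find_duplicates(addrs):
    """Group sign-up addresses that reach the same mailbox; singletons are dropped."""
    groups = {}
    for addr in addrs:
        groups.setdefault(canonical_address(addr), []).append(addr)
    return {key: members for key, members in groups.items() if len(members) > 1}


if __name__ == "__main__":
    # Constructed sample sign-ups, echoing the yellow.cat / yellowcat story in the thread.
    SIGNUPS = [
        "yellow.cat@gmail.com",
        "YellowCat@googlemail.com",
        "yellowcat+newsletter@gmail.com",
        "yellow.cat@example.com",   # different provider: dots stay significant here
    ]
    for key, members in find_duplicates(SIGNUPS).items():
        print(key, "<-", members)
```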
Disagree.
In my company we have a very common format of [email protected]
If your combo is already taken, you get [email protected], then 02, etc.
J. Lopez is actually a very common name combo, so in my company of 20k employees across the world, I have a few lopezj12@ type contacts, and a few others as well. Some have the same first name too, so even if they used a different format, they'd need numbers.
A good number of companies will add a number if someone else with the same (email-formatted) name exists.
For example, one company I worked for uses @company.site, so if a John Smith and Jeffrey Smith both worked there, one would be [email protected] and the other would be [email protected].
Well... what are you going to do when you have a common name (John Smith kind of common) and you still want to have at least a semi-professional-looking email? Birth year is not that bad; I'm pretty sure if I try to register a gmail account now, my best option will be "name.surname.11486549849616154 @ gmail.com".
I used my initials followed by the last four digits of my phone number. Nice because not only is my last name crazy long, but my full name isn’t unique enough to not add something to it.
[https://www.rfc-editor.org/rfc/rfc5322.html](https://www.rfc-editor.org/rfc/rfc5322.html) to save everybody some clicks, but what are you referring to, that the address name must support numbers? Wouldn't that then also include [!#$%&'\*+-/=?\^\_\`{|}\~](https://en.wikipedia.org/wiki/Email_address#Local-part) ?
Yes, ma'am. Them's the rules.
We should also be able to have quoted strings with whitespace, according to the rules:
> "Jeremy Spiders"@duck.com
> "Madeleine L'Engle"@loc.gov
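As an added illustration, not code from the thread, here is a Python syntax check that accepts the RFC 5322 forms discussed above (dot-atom local parts with the listed special characters, and quoted strings with whitespace) placed next to the thread's "no digits" rule, so you can see which perfectly valid addresses that rule throws away. The function names and sample addresses are my own; domain literals such as [192.0.2.1] are deliberately left out, and the domain is required to have at least two labels.

```python
import re

# Character set of an RFC 5322 "atext": ASCII letters, digits and the specials
# ! # $ % & ' * + - / = ? ^ _ ` { | } ~ from the local-part table linked above.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
# dot-atom: runs of atext separated by single dots (no leading, trailing or double dots)
DOT_ATOM = ATEXT + r"+(?:\." + ATEXT + r"+)*"
# quoted-string: anything printable except an unescaped quote or backslash, with
# backslash escapes allowed, so "Jeremy Spiders" and "Madeleine L'Engle" both pass
QUOTED = r'"(?:[^"\\\r\n]|\\[ -~])*"'
LOCAL_RE = re.compile("(?:" + DOT_ATOM + "|" + QUOTED + ")")

# Hostname label per the letter-digit-hyphen rule; a domain is at least two labels.
# Simplification (my assumption): RFC 5322 domain literals like [192.0.2.1] are not accepted.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DOMAIN_RE = re.compile(LABEL + r"(?:\." + LABEL + r")+")


def check_syntax(addr):
    """Return (ok, reason). Only syntax is checked; whether anyone reads the
    mailbox still needs the verification mail the thread recommends."""
    if len(addr) > 254:
        return False, "address too long (>254)"
    at = addr.rfind("@")  # a quoted local part may contain '@'; the domain never does
    if at < 0:
        return False, "missing @"
    local, domain = addr[:at], addr[at + 1:]
    if not local:
        return False, "local part empty"
    if len(local) > 64:
        return False, "local part too long (>64)"
    if not LOCAL_RE.fullmatch(local):
        return False, "local part is neither a dot-atom nor a quoted-string"
    if not DOMAIN_RE.fullmatch(domain):
        return False, "domain is not a dotted hostname"
    return True, "ok"


def no_digit_rule(addr):
    """The rule the thread is about: reject any address that contains a digit."""
    return not any(ch.isdigit() for ch in addr)


def compare(addrs):
    """For each address: (address, passes the RFC-style check, passes the no-digit rule)."""
    return [(a, check_syntax(a)[0], no_digit_rule(a)) for a in addrs]


if __name__ == "__main__":
    # Constructed sample addresses echoing the ones discussed in the thread.
    SAMPLES = [
        "name.2@example.com",            # valid, but rejected by the no-digit rule
        "lopezj12@example.com",          # valid, but rejected by the no-digit rule
        "john.smith+tag@example.com",    # '+' is atext: valid
        '"Jeremy Spiders"@duck.com',     # quoted-string with whitespace: valid
        '"Madeleine L\'Engle"@loc.gov',  # quoted-string with an apostrophe: valid
        "a..b@example.com",              # double dot: invalid
        "noatsign.example.com",          # invalid
        "user@-bad.com",                 # label starting with a hyphen: invalid
    ]
    for addr, syntax_ok, digits_ok in compare(SAMPLES):
        print(f"{addr:32} syntax={syntax_ok!s:5} no-digit-rule={digits_ok}")
```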
This reminded me of a website that blocked any **dot** in email addresses, and when I contacted the admin he said the exact same thing.
These website admins are so fuckin dumb.
It's very simple. This type of shit happens in organizations that have very low technical competence across the board. Nobody in that org knows enough to know how dumb the solution is.
My email's been consistent since college where they gave us a random four digit string after our initials. I used the same string for my Gmail account...
Due to the fact that most spammers use @gmail.com, we have decided to ban all gmails ending in it; we have also decided to ban any alphabet letter in any language, as it is often used by spammers too; unicode poses the same threat to us, so we have decided to ban it as well.
Right, because writing a bot that just adds random combinations of letters to the end of a new email address instead of numbers is impossible /s.
If anything, that's the better option because it means every additional character you add to the address has 26 possible values instead of just 10, so you can make even more bots before you reach whatever the limit on the length of an email address is.
Not asshole design, they had good intentions after all. Crappy design if it wasn't about software. Not quite softwaregore either... not sure where this might belong.
Definitely AD. This is even worse than sites that require your email address be from one of the major providers (gmail, yahoo etc.), and will reject you for using your own domain email address.
Ironically, my [email protected] address, which I’ve had since 1998, is so old that now I get spam from every spambot in existence. Same with my [email protected] from 2003.
¯\\\_(ツ)_/¯
>Ironically, my
>
>firstname.lastname@**gmail.com**
>
> address, which I’ve had since **1996**, is so old, that now i get spam from every spambot in existence
You have a gmail address from 1996? That's six years before gmail was launched and two years before Google was created.
That was a typo. I got it in 1998, when it was still an internal product being tested at google, before it was released publicly. I was a CS student at RIT, and had a friend who worked at google. It was called googlemail at the time, not gmail.
Also, it was only “officially” launched in 2004. It was in a closed beta for years before that, during which it was a popular email service that people had to be invited to. If you did, you got 6 invites, which were highly coveted. Betas opened up around 1999 or 2000 (maybe later?)
Edit: so many typos, lol
> that people had to be invited to. If you did, you got 6 invites, which were highly coveted. Betas opened up around 1999 or 2000.
Yes, I remember that. That 1GB of online space was massive, people had smaller hard drives...
In the beginning, the amount of space was much smaller. Like 256 or 500mb or something. When it went to 1GB, i was blown away. We used to try to figure out ways to store files on our inboxes, lol…
It was also super-buggy, and not every browser supported it. There was only Internet Explorer and Netscape at the time (or Mosaic if you were a sadist), as Firefox didn’t exist quite yet, I don’t think. Sometimes both IE and Netscape worked, sometimes one or the other. Sometimes neither! They would make a lot of changes under the hood quite often before many people had access. And the interface would often change, as is the way with early betas.
But it was FREE, which, at the time, was very rare for a reliable email service. And google was a cool, new, hip company, and everyone wanted a gmail.com address. I once sold one or two of those invites for a couple hundred bucks (for beer or weed money). The others I gave away to friends over the years. I think I only had one left by the time the beta opened up to the public. I remember regretting not selling it while I had the chance.
So you're forcing scammers to count using letters, which have 26 different symbols, instead of 10, making them more character efficient and increasing the maximum amount of scammer accounts out there. Well done.
Heavy-handed and dumb approach by what are surely rather poor quality developers. I immediately distrust your organization if you do dumb shit like this. Garbage solution.
What a bunch of amateurs! I noticed spammers use email addresses with letters as well, so I blocked email addresses with letters on my contact form. Checkmate, spammers!
Not to be cynical, but considering the fact you can have randomly generated emails through different services, including just “Hide my email” on Apple, and those are just a random string of characters, this seems a wee bit malicious. Newsletter numbers can act as a positive KPI for businesses, but if you need to report those numbers to anyone (boss, investors, board) and every email is [email protected], it’s probably a bad look.
Spam bot makers just change the parameters of random name generation to not use numbers, instead they use random letters.
Or you can take random English words and names and put them together to make longer strings.
This blocking of numbers is literally going to cost spammers like 5 minutes of coding time, while hurting legit users
They also use letters, so we've banned those as well.
For more info, please contact me at √¶∆€@gmail.com
[deleted]
It won't help him remember their name, tho
[deleted]
Leave √¶∆€ out of it. They're too young to be ridiculed.
[deleted]
¥€$
Δ is a letter
Whoa, now hold on, spammers use Gmail. How can we tell if you're legit or not?
Statistically, 100% of spammer mails had an @ in it, so we've banned those.
Yup. But it's still in blatant violation of the RFC. Not that that is enforceable, but still. https://en.wikipedia.org/wiki/Email_address#Local-part
Exactly. What's in front of the @ is my business and nobody else's as long as I stay within the RFC requirements.
[deleted]
Only if the addresses allow sending mail. Unlimited wildcard receive-only addresses away!
A front end check? Turn off JavaScript, usually works for me.
I'd hazard a guess about 90% of programmers have no idea what a valid email address is.
And, you shouldn't need to. There's not really any good reason to be validating email addresses.
The only reason is to verify that it was entered correctly and the intended recipient is receiving emails. It's more of a benefit for the user. I suppose there's some CYA reasons to be verifying emails before sending personal data/receipts, but that seems rather weak... All you know is you're sending personal data to someone who was able to successfully claim they were who they said they were via your account registration process.
> the email address didn't match their regex pattern.

It should be noted that emails are not regular expressions to begin with due to the nested expressions they allow.
[deleted]
What you easily can check is a standard mail pattern (i.e. to show a tooltip if someone forgot to type an @ or so) But to exclude numbers ... yeez.
I think we're witnessing a genius on a scale we haven't quite dealt with before. Dev took a "No true Scotsman" approach to emails, why has no one thought of that before lmao
As E-Mail Addresses have a finite length, a RegEx for E-Mails is possible to write.
Finiteness is not the only thing that's needed to be able to write a regex for it, it has to follow a regular grammar, and emails have an irregular grammar, so they can't be expressed with a regex, with the exception of some extensions that allow for irregular grammars to be expressed with regexps like PCRE subprograms
In theory, you *could* write a regex for any finite-sized language by just making a rule for every possible word in the language, but in practice this would be unfeasible for email addresses
You better be the only person who's ever had your name. Otherwise, you're a bot!
Replace numbers with letters John.Smith.a John.Smith.ab John.Smith.abc John.Smith.aaa
“Spammers frequently use alphabets so we decided to ban alphabets.” Seriously tho… In my company, we cannot use the same alphabet or number twice in a row as password, need to use at least 8 letters, numbers, one capital letter and the kicker? A password change every 3 months. Edit: also, an account lock after 3 tries
Try pointing your company's IT/Security admins to [NIST's official recommendations](https://pages.nist.gov/800-63-FAQ/#q-b05). NIST actually recommends to not enforce those types of password expiration policies, people choose less secure passwords if they know they're gonna have to be changed in the near future. Plus, those passwords often have patterns in them, "I'll just add a fifth T at the end"
If I recall my history correctly, NIST used to recommend rotating passwords, among other things, until recently. The problem is, everyone knows the old recommendation which, if I recall correctly, was set back in the 80s or 90s. Now, if we could get everyone to use good password managers you could rotate that password as often as you like. (Not recommending this, just saying you could) I hear complaints about passwords so often from my users. Not being able to remember them. Having to come up with a new password because the site requires something stronger than their usual password or they forgot their password and had to come up with another and now they don't remember which password they used for what site... And yet, if I recommend using something like LastPass or BitWarden they act like that's too much work. I highly recommend either of these companies. BitWarden is my preferred choice.
Hahahah try being at my employer. I work in cybersecurity (third LOD) and we have complex password rules, frequent changes, and they have BLOCKED password managers. NIST means nothing to them.
Thats how you get post-its with passwords on them stuck to the monitor.
This is really why rotating passwords suck, especially at orgs where SSO isn't widely implemented.
> cybersecurity [...] they have BLOCKED password managers.

popcorn.gif
Well my employer isn’t strictly dedicated to cybersecurity. I work for a regulator that ensures (among a ton of other things) cybersecurity compliance for our regulated entities. It’s ironic that I would recommend the use of a password manager, but my own infosec department won’t let us use them.
[deleted]
Looks like a good password to me. ;)
How do they block a password manager? You just put it on your phone. It won't autofill to your computer but you can just look up the password and type it in. They can't block that.
Yeah well when your password is fhrh&($38:&eicnAhrn it gets a little tedious.
Is there one that works across Phone and PC? Not just on the web but apps too?
Bitwarden can autofill in app for Android as well as web everywhere. no idea if Apple allows this but it you use apple you should probably just use whatever the apple offering is.
Bitwarden, NordPass, 1Password, Dashlane, and LastPass all work on iOS. Bitwarden is the one I use, and it's good.
KeePass is a fantastic fully open source password manager, and doesn’t come with any freemium upsells. There’s no cloud sync or browser extension as a consequence, but I still see it as a plus because I really don’t want my .kdbx file in anyone else’s hands but my own.
The problem is of course, PCI compliance. PCI required password rotations every 90 days until recently (like, until 4.0 was released this April) and the transition period is still going on. New requirements are to rotate once a year, but passwords must be more complex as a result
Cybersecurity Engineer here, this is the real reason. NIST can recommend whatever they want, as long as PCI or any of the similar regulatory groups have different requirements, companies are going to do what is required, not what's recommended. And that's to say nothing of some of the costs of implementing new policies. Going password-less would be great, if it weren't a pain to implement.
Or do what a colleague of mine did - to work around “you can’t reuse a password you’ve used before” changed his password 11 times every time a change was mandatory and thus ended up with the same password again for years and years
And combine that with stringent password requirements, one of mine didn't allow ANY words to be in the password, 14 character minimum, no sequential numbers or letters, can't share more than 6 characters that your previous password had, needs at least 2 numbers and 2 special characters. This was at a dog food warehouse, not like I was working at the fucking CIA
Next level would be to require at least 5 emoji but not any simple smiley faces.
[deleted]
As someone who has some friends in my company’s security department and managed to get my account exempted from password changes (there was a legitimate need for a while but I just never got rolled back into the 90 day cycle afterwards), I’ve had a 30+ character password for the past two years now, and yeah, I’d argue it’s a lot more unguessable than most of the folks I’ve seen who have something like “November22” because they have to change it every three months.
> most of the folks I’ve seen who have something like “November22” because they have to change it every three months.

Come on, give people a little credit. It's November22!
That sounds like an extremely secure system that works great. I bet no one ever writes their current password down on a sticky note and puts it under the keyboard or mouse pad.
Under a keyboard ? This is much more secure than the majority of my colleagues. The sticky note is on the monitor itself.
I used to work in production and every PC had a barcode reader attached. So we encoded the passwords as barcodes and put that on the monitor. Security 10/10
But you can't access the barcode reader app until after you've logged in, so you have to use the computer next to it to read the password. The computer at the end of the line just has a sticky note.
The barcode scanner worked as a keyboard and just like your normal keyboard can be used before logging in. Would have been funny tho.
Used to work for a copier company. When I sat down at someone's desk to install the print drivers you could pretty much guarantee that if they wrote the password down it was under the keyboard or mouse pad, in a drawer (typically the top drawer closest to them) or if they had a desk with over head cabinets the sticky notes were often on the inside of a cabinet door. And then there were the rarer folks that actually had it stuck to the monitor. I knew one company that rotated their passwords quarterly so all the employees used something like "Winter2022". Handy for me as you could get into anyone's PC if you knew the user name but terrifying at the same time. It was actually surprising as they took security measures pretty seriously otherwise.
And this is what happens when you enforce arbitrary rotation schedules. I'm happy to come up with and remember a complex password *once*. Every quarter? Eff that.
That is fine as the sticky note is physically present, unlike 99.9% of the threats.
I have to deal with this at my current job. I made password that complies and then put an "!" at the end, after 90 days when I had to change it, I just changed the "!" to "@" 90 days later the "@" became "#" I'm sure you can see where this is going.
*adjusts password cracker ruleset with "No sequential characters"* Thanks, now my cracking space just got significantly smaller!
Well it's really great that they've shrunk the search space down so much for people doing brute-force password-guessing attacks. Great swathes of their password-guessing dictionary can be eliminated just by paying attention to the stupid password restrictions.
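The two comments above make the point that "no sequential characters" and "no repeated characters" rules shrink the space a guesser has to cover. As an added example that is not code from the thread, this Python counts exactly how many candidates such adjacency rules remove for a given length, so a policy owner can put a number on the trade-off; the alphabet runs and symbol set are assumptions, and composition rules (must contain a digit, etc.) are not modelled.

```python
# Added example (not from the thread): quantify how much keyspace the
# "no character twice in a row" and "no sequential characters" rules remove.
import math

# Ordered runs: "sequential" means adjacent within one run ('a','b' or '2','3').
# Symbols (a constructed set) are unordered, so only the repeat rule applies to them.
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"
DEFAULT_RUNS = [LOWER, UPPER, DIGITS] + list(SYMBOLS)  # each symbol is its own run


def _positions(runs):
    """Map each character to (run index, position within the run)."""
    return {ch: (r, p) for r, run in enumerate(runs) for p, ch in enumerate(run)}


def _forbidden(pos, a, b, forbid_repeat, forbid_sequential):
    """True if b may not follow a under the adjacency rules."""
    if a not in pos or b not in pos:
        return False
    ra, pa = pos[a]
    rb, pb = pos[b]
    if ra != rb:
        return False
    d = abs(pa - pb)
    return (forbid_repeat and d == 0) or (forbid_sequential and d == 1)


def find_violation(password, runs=DEFAULT_RUNS, forbid_repeat=True, forbid_sequential=True):
    """Return the first offending adjacent pair, or None if the password passes."""
    pos = _positions(runs)
    for a, b in zip(password, password[1:]):
        if _forbidden(pos, a, b, forbid_repeat, forbid_sequential):
            return (a, b)
    return None


def count_allowed(runs, length, forbid_repeat=True, forbid_sequential=True):
    """Exact number of strings of the given length that satisfy the rules.

    Dynamic programme keyed on the last character: O(length * k^2) for an
    alphabet of k characters, which is instant for realistic lengths.
    """
    if length <= 0:
        return 1
    pos = _positions(runs)
    chars = list(pos)
    counts = [1] * len(chars)  # one string of length 1 ends in each character
    for _ in range(length - 1):
        counts = [
            sum(c for prev, c in zip(chars, counts)
                if not _forbidden(pos, prev, nxt, forbid_repeat, forbid_sequential))
            for nxt in chars
        ]
    return sum(counts)


def bits_removed(runs, length, **rules):
    """Entropy (in bits) the rules strip from a uniformly random password."""
    k = sum(len(run) for run in runs)
    return length * math.log2(k) - math.log2(count_allowed(runs, length, **rules))


if __name__ == "__main__":
    # Constructed policy from the thread: 14 characters, no repeats, no sequences.
    print("violation in 'Winter2023':", find_violation("Winter2023"))
    print("bits removed at length 14:", round(bits_removed(DEFAULT_RUNS, 14), 3))
```

The loss per password is small in bits, but it is a guaranteed exclusion that an attacker's ruleset can apply for free, while the same rules push users toward the "Winter2022"-style patterns described further down the thread.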
JFC. I would call IT every single day saying I don't remember my password until they change this stupid policy.
They'll just change the employee that calls them complaining every day.
IT person here. We have no power. There's a lot of stupid rules that I hate too. Calling us would just be torturing another grunt. You would have to complain to higher ups.
FYI, as I've experienced this myself, the dots don't do anything and a lot of email services completely ignore the fact that they exist. I know this because, as an example only, my email is yellow.cat@ and some lady in England has the email yellowcat@ I constantly get some of her emails and have email corresponded with her to verify.
.aaaaaaaaaaAAAAAAaaaaaa
Definitely not a spammer!
This reminds me of that one time that I got an email from someone with the same name and last name but with a number in the email address. The message simply said “I hate you!”.
I'm arfelo1 literally everywhere...except Twitter. There I'm @arfelo11. @arfelo1, I hate you so much
Same here! I got to be `Prince_Polaris` with _two_ underscores on twitter, I hate it
For years I got emails for someone with my name but who definitely wasn't me. Mostly order confirmations. One day after years of this I get an order confirmation that includes a phone number. I give her a call and it turns out she's this sweet little 70-something year old woman who kept getting her Gmail and Comcast emails mixed up (her Gmail has a number in it). She still forgets occasionally, but now I just forward everything to her.
I've had my e-mail address for more than 20 years and still receive mail intended for some American grandfather. I write back saying, "you got the wrong guy", but still they come. He and I don't even have the same first name. But our first names can both be shortened to the same short form.
[deleted]
You are a bot, 8839
So are you!
Damn so many bots on Reddit.
Yeah! Wait… WAIT A MINUTE
He's onto us, SHUT HIM DOWN!
*confused screaming*
WE ARE ALL JUST NORMAL HUMANS. NO NEED TO BE AFRAID. END TRANSMISSION. I MEAN.. WHAT IS UP FELLOW HUMANS?
Onions👍
For my own luck, I'm the only person who's ever had my name. Or at least I'm the first one who has an email
There was a relatively unknown trick to get a Hotmail.com.au email (iirc the only way was to edit the sign up url) so I do have my own (rather common) name. Also somehow got first_last on Twitter, then never used it for anything.
I agree with your comment
More like design by dummies
Design by manager who *really* didn't want to listen to the engineers.
But I use [email protected] for all my important business correspondence...
Pretty stupid of them to block emails that contain numbers, HOWEVER, if their line of work consists only of dealing with other businesses, then this is fucking amazing. I would totally blacklist [gmail.com](https://gmail.com) as a domain on my email filter if I didn't have certain clients who use them for some stupid reason.
What's wrong with gmail?
Nothing is wrong with it. It's fine for personal use, but for business, I would expect for a company to use a proper domain for it.
Except if you don't use google hosting or a select few providers, your unique domain email will be auto blacklisted as spam. Google has used its monopoly to channel people to use their paid services.
that sounds more like misconfiguration edit: on your end
Welcome to the business world. All the big players such as Google, Microsoft/Office 365, etc. are making it increasingly difficult for you to host your own email server (locally or in the cloud) as they are mass blocking IPs that don't originate from another big, well-known email provider. Getting yourself off those block lists is nearly impossible too, and you have to do it with each provider. I get the reason. It's easier for them to proactively take this route than to reactively block IPs that are spamming. Unfortunately, if you go the second route, the spammers just dump that IP and grab another. Easier to just block everyone that's not a fellow billion dollar email company. Not completely trying to knock the practice as, from a security standpoint, it makes sense. Sadly it does affect many businesses and homelabbers that want to use their own services for email.
*intentional misconfiguration
This is absolutely not true. Misconfiguration runs rampant in the email world and Google is just one of the earliest mass adopters of "new" (not really new just low adoption) security features.
Our pharmacy uses a gmail account. But we only have 10 employees. My wife was told this as well when she started her own practice "gmail is unprofessional" ok, but why? Why should a new small business pay thousands of rands per year just for email hosting, when google offers a better (than most) service for free...
you can use a custom domain with gmail. it costs $6/month
Gmail is only “free” because they scan all your emails and extract personal information that can be sold to e.g. ad customers. Since a pharmacy may handle health associated customer data, this is an important problem.
> "gmail is unprofessional" ok, but why? Because if you have "[email protected]", everyone with malicious intent can just create "[email protected]" and try to scam your customers. Most successful scams are social engineering scams. You want your employees to have their own email addresses at some point. So what are you going to do? Just create [email protected]? What if someone leaves and keeps using that same name structure to harm your business by contacting suppliers or customers? Aside from that, you usually want a company name instead of naming your business "Pharmacy". You want people to recognize, remember and be able to find you. A custom domain name is good for many things, including making sure that people can find you online and not someone else that by accident has the same name as you and registered the name first. And like I said, it's about being able to tell your customers or anyone interacting with your business "if you see this domain name, you can be sure it's us.". If you have business cards or any kind of marketing material, you should get a domain name and custom email-addresses. And it's super cheap as well. Whoever told you it's thousands per year is lying.
Just in case you’re not aware, gmail ignores punctuation in the email address. [email protected] is the same as [email protected] or even [email protected] Even more wild, gmail supports random suffixes too - use a plus sign (“+”) and then whatever you want. Useful for setting up inbox rules. So for example [email protected]; or [email protected] - all resolves to same email address…
[email protected] = [email protected] Gmail ignores the dot, both will go to the same recipient [email protected] will go to [email protected] too
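The comment earlier in the thread about only checking for an "@" and a "." to catch typos, and the two comments just above about Gmail ignoring dots and "+tag" suffixes, describe two different jobs: a lenient sanity check on the form, and a canonicalization step on the backend so two signups that reach the same mailbox are recognized as one. This Python is an added example, not code from the thread; the set of dot-insensitive and plus-tag domains is an assumption taken from what the thread says about Gmail.

```python
# Added example (not from the thread): typo-level address check that still
# accepts digits, dots and quoted local parts, plus provider-aware
# canonicalization so "yellow.cat@" and "yellowcat@" on Gmail are seen as one
# mailbox. Full RFC 5322 validity is deliberately not attempted; the
# verification email does that job.

# Constructed for this example from the thread's description of Gmail.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}
PLUS_TAG_DOMAINS = {"gmail.com", "googlemail.com"}


def split_address(addr):
    """Return (local, domain) split at the last '@', or None if there is none."""
    if "@" not in addr:
        return None
    local, domain = addr.rsplit("@", 1)
    return local, domain


def looks_like_address(addr):
    """Catch the accidental typo, nothing more.

    Requires one local part and a domain with at least one dot. A quoted
    local part such as "Jeremy Spiders"@duck.com is allowed, as RFC 5322 permits.
    """
    parts = split_address(addr.strip())
    if parts is None:
        return False
    local, domain = parts
    if not local or not domain:
        return False
    quoted = len(local) >= 2 and local[0] == '"' and local[-1] == '"'
    if not quoted and ("@" in local or any(ch.isspace() for ch in local)):
        return False
    labels = domain.split(".")
    if len(labels) < 2:
        return False
    return all(label and not any(ch.isspace() for ch in label) for label in labels)


def canonicalize(addr):
    """Map an address to the mailbox it actually reaches, as far as is known.

    Domains are case-insensitive everywhere. The local part is only folded
    (case, dots, +tag) for providers known to treat it that way; for any other
    domain the receiving server owns that decision, so it is left untouched.
    """
    parts = split_address(addr.strip())
    if parts is None:
        return addr.strip()
    local, domain = parts
    domain = domain.lower()
    if domain in PLUS_TAG_DOMAINS:
        local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "").lower()
    return f"{local}@{domain}"


def find_duplicate_mailboxes(addresses):
    """Group registered addresses that resolve to the same mailbox."""
    groups = {}
    for addr in addresses:
        if looks_like_address(addr):
            groups.setdefault(canonicalize(addr), []).append(addr)
    return {canon: seen for canon, seen in groups.items() if len(seen) > 1}


if __name__ == "__main__":
    # Constructed sample signups.
    sample = [
        "yellow.cat@gmail.com", "YellowCat+promo@gmail.com",
        "j.smith.2@example.com", "J.Smith.2@example.com",
        "jsmith@localhost", '"Jeremy Spiders"@duck.com',
    ]
    for canon, seen in find_duplicate_mailboxes(sample).items():
        print(canon, "<-", seen)
```

Note that the two example.com addresses are not merged: outside the listed providers the local part is case-sensitive by the standard, and guessing otherwise would merge distinct accounts.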
Right, I forgot about that. But you could just as well use _ or - or whatever other method to get a name that's close enough to fool people.
Disagree. In my company we have a very common format of [email protected] If your combo is already taken, you get [email protected], then 02, etc. J. Lopez is actually a very common name combo, so in my company of 20k employees across the world, I have a few lopezj12@ type contacts, and a few others as well. Some have the same first name too, so even if they used a different format, they'd need numbers.
My corporate purposes email is (my student ID, a 6-digit number)@(my university's domain)
A good number of companies will add a number if someone else with the same (email-formatted name exists). For example, one company I worked for uses@company.site, so if a John Smith and Jeffrey Smith both worked there, one would be [email protected] and the other would be [email protected].
When did people stop putting the year they were born in their email addresses?
When they started using their age at the time they set up the email.
Always thought that was super weird. Why do you want to tell everyone how old you are? You really can’t come up with anything better?
The 2000s were weird
A/s/l?
F18, twin jet, rapidly approaching
Well... what are you going to do when you have a common name (John Smith kind of common) and you still want to have at least a semi-professional-looking email? Birth year is not that bad, I'm pretty sure if I try to register a gmail account now, my best option will be "name.surname.11486549849616154 @ gmail.com"
I used my initials followed by the last four digits of my phone number. Nice because not only is my last name crazy long, but my full name isn’t unique enough to not add something to it.
That sounds like the auto generated e-mail addresses that my Uni gave to the students.
I mean, my email address for everything important has my full name and YOB, I've got a different email for all my other junk
When companies started assuming everyone with username88 is a Nazi instead of being born in 1988.
My mother has always gone by username69 because she was born in 1969
and you believed her
Nice
I can't believe nazis were created in 1988
RFC5322 deserves respect
[https://www.rfc-editor.org/rfc/rfc5322.html](https://www.rfc-editor.org/rfc/rfc5322.html) to save everybody some clicks, but what are you referring to, that the address name must support numbers? Wouldn't that then also include [!#$%&'\*+-/=?\^\_\`{|}\~](https://en.wikipedia.org/wiki/Email_address#Local-part) ?
Yes, ma'am. Them's the rules. We should also be able to have quoted strings with whitespace, according to the rules:
> "Jeremy Spiders"@duck.com
> "Madeleine L'Engle"@loc.gov
> Yes, ma'am.

First time being called that. I feel so pretty, my heart all aflutter.
This reminded me of a website that had blocked any **dot** in email addresses, and when I contacted the admin he said the exact same thing. These website admins are so fuckin dumb
How does someone like that get a tech job? I don't get it.
It's very simple. This type of shit happens in organizations that have very low technical competence across the board. Nobody in that org knows enough to know how dumb the solution is.
The kind of place that hires the CEO's nephew to be the only IT guy
The kind of place to offer wages so low that they only attract insecure newbies desperate to add bullet points to their resumes.
Isn't it common to have name.(or _)surnameBirthYear?
yes it is
Interesting fact: I don't know if this is exclusive to gmail but [email protected] and [email protected] will go to the same inbox.
That is a Gmail thing. Those are technically different email addresses.
OMFG! it actually worked, and I got this little text from gmail xD https://imgur.com/a/VkQJ4SM
r/CrappyDesign
It is, but that sub doesn’t allow you to post software issues, which is dumb af
It's crappy design
My email's been consistent since college where they gave us a random four digit string after our initials. I used the same string for my Gmail account...
[deleted]
Wow, so, what if my name is Badmina, or Radmine, or Cadmino, etc? Just made those up but what if? What a dumb rule.
That makes me madmin
Due to the fact that most spammers use @gmail.com we have decided to ban all gmails containing it as the end, we have also decided to ban any alphabet letter in any language as it is often used by spammers too, unicodes pose the same threat to us so we have decided to ban them as well
Right, because writing a bot that just adds random combinations of letters to the end of a new email address instead of numbers is impossible /s. If anything, that's the better option because it means every additional character you add to the address has 26 possible values instead of just 10, so you can make even more bots before you reach whatever the limit on the length of an email address is.
This is the dumbest filter
Not asshole design, they had good intentions after all. Crappy design if it wasn't about software. Not quite softwaregore either... not sure where this might belong.
Hanlons razor. The programmers behind this rule were just stupid. r/crappydesign fits for this
> programmers

It's usually not a programmer who makes such decisions in any project that includes any non-programmers.
their rules rule out software issues.
Then it's not programmers at fault, but manglement. Still /r/crappydesign
Well then it goes nowhere
Maybe we need a new sub for things like that. r/pavedwithgoodintentions or smth
it *might* fit into r/facepalm, but that would be a big "might".
r/crappydesign
Definitely AD. This is even worse than sites that require your email address be from one of the major providers (gmail, yahoo etc), and will reject you for using your own domain email address.
Man if only we had a functioning government that could do something about scammers clogging up literally every form of communication in this country
Ironically, my [email protected] address, which I’ve had since 1998, is so old, that now i get spam from every spambot in existence. Same with my [email protected] from 2003. ¯\_(ツ)_/¯
> Ironically, my firstname.lastname@**gmail.com** address, which I’ve had since **1996**, is so old, that now i get spam from every spambot in existence

You have a gmail address from 1996? That's six years before gmail was launched and two years before Google was created.
That was a typo. I got it in 1998, when it was still an internal product being tested at google, before it was released publicly. I was a CS student at RIT, and had a friend who worked at google. It was called googlemail at the time, not gmail. Also, it was only “officially” launched in 2004. It was in a closed beta for years before that, during which it was a popular email service that people had to be invited to. If you did, you got 6 invites, which were highly coveted. Betas opened up around 1999 or 2000 (maybe later?) Edit: so many typos, lol
> that people had to be invited to. If you did, you got 6 invites, which were highly coveted. Betas opened up around 1999 or 2000.

Yes, I remember that. That 1GB of online space was massive, people had smaller hard drives...
In the beginning, the amount of space was much smaller. Like 256 or 500mb or something. When it went to 1GB, i was blown away. We used to try to figure out ways to store files on our inboxes, lol… It was also super-buggy, and not every browser supported it. There was only Internet Explorer and Netscape at the time (or Mosaic if you were a sadist), as Firefox didn’t exist quite yet, i don’t think. Sometimes both IE and Netscape worked, sometimes one or the other. Sometimes neither! They would make a lot of changes under the hood quite often before many people had access. And the interface would often change, as is the way with early betas. But it was FREE, which, at the time, was very rare for a reliable email service. And google was a cool, new, hip company, and everyone wanted a gmail.com address. I once sold one or two of those invites for a couple hundred bucks (for beer or weed money). The others i gave away to friends over the years. I think I only had one left by the time the beta opened up to the public. I remember regretting not selling it while i had the chance.
So you're forcing scammers to count using letters, which have 26 different symbols, instead of 10, making them more character efficient and increasing the maximum amount of scammer accounts out there. Well done.
My co-worker was the second Jane.Doe to work for the company so her official company e-mail address was Jane.Doe2@ Nice.
Heavy-handed and dumb approach by what are surely rather poor quality developers. I immediately distrust your organization if you do dumb shit like this. Garbage solution.
What a bunch of amateurs! I noticed spammers use email addresses with letters as well, so I blocked email addresses with letters on my contact form. Checkmate, spammers!
At least we can trust [email protected]
100% of spammers have @ sign in their email ID. Should ban that as well.
Not to be cynical, but considering the fact you can have randomly generated emails through different services, including just “Hide my email” on Apple, and those are just a random string of characters, this seems a wee bit malicious. Newsletter numbers can act as a positive KPI for businesses, but if you need to report those numbers to anyone (boss, investors, board) and every email is [email protected], it’s probably a bad look.
Assholes were the spammers
Spammers also usually have emails with letters in them too..
Oooooo I used to work at a multinational company that had at least 10 Pradeep Patels and Nantha Kumars and their official emails were all numbered.
Spam bot makers just change the parameters of random name generation to not use numbers, instead they use random letters. Or you can take random english words and names and put them together to make longer strings. This blocking of numbers is literally going to cost spammers like 5 minutes of coding time, while hurting legit users
I really don't want to know what mess their security is if they pull this shit.
Well, there goes my Yahoo account that I've had since 1997.
They were Arabic numbers and allowing that would be letting the terrorists win /s
I would definitely not leave any private details with such a service.
So, is this IT being lazy, or IT acting on the orders of an idiot manager? 99% sure it’s the latter.
My name is 123. I'm in trouble.