opws / opws-dataset

Profiles for the user account systems of various sites.
Open Data Commons Open Database License v1.0

Update Washington Connection #241

Closed stuartpb closed 7 years ago

stuartpb commented 7 years ago

Oh boy do I have some things to say about this one.

the password reset form has a "my email address has changed" radio with no default; clicking "yes" or "no" is required

after logging in with the onetime password it says "Your password has expired" so I'm guessing there's a password expiration policy in place (ugh)

https://www.washingtonconnection.org/Support/js/script.js (included on some pages but not others), lines 3167-3169:

    // Disable right click
    document.oncontextmenu = function() { return false; };
    $(document).mousedown(function(e) { return !(e.button === 2); });

UUUUUGH, "let's make people's lives harder because we're so stupid we think it improves security"

now it looks like they're setting up a bunch of "extra factors" like an email and phone call, prompting me for my email address again for no reason

it's setting up three new challenge questions whose use I can only shudder to imagine. I originally replaced the old list with these three new ones, but no, registration still asks the old ones, and you'll see later that that form is still handled somewhere on the site, so I'm keeping them as a first list followed by three more. also this is all terrible and I hate it

challenge questions: "Note: Your answers should be no more than 30 characters (no symbols)" (emphasis theirs)

to elaborate on that last part, the message when you violate this policy: "The answer you have entered is incorrect. Your answer must only contain letters, digits and/or space."

Re: every single option for questions, hope you're not an unemployed home-schooler with no close friends or extended family, here on the state benefits website, because if you are then the way that none of these questions apply to you because your existence has yet again been overlooked is really going to be yet another fucking kick in the teeth that you may no longer have due to inadequate dental care

session kicks after 30 minutes of inactivity

it's totally allowed to just use your temporary password as your new password

After "Enrollment confirmation" (finishing all this crap), there's a page reviewing everything you entered, plus this radio:

Would you like us to remember this computer for future use? Learn More

Yes. I plan to use this computer in the future to access my account.

No. This is a public computer or one I do not plan on using often to access my account.

then an "Update your Settings" button beneath it that, no, doesn't commit these changes, it takes you BACK THROUGH THE LOOP. The one that DOES commit it is called "Finish", and it's allll the way in the bottom-right-hand corner, where toast popups will cover it up and you won't even notice it. smdh

You go to https://www.washingtonconnection.org/authservice/portalacct/accountmanagement.go to change your profile, answer a security question selected from a dropdown that does not include any of the ones I just filled out (only the ones from registration), and then it sends you an email

Wait, no, that's just to change the answer to a question, the mail is just a confirmation link to apply the answer change, oh my god this site is a Lovecraftian nightmare

there's, afaict, still no way to change passwords while logged in, but I've rolled back the redflags entry for that because I'm documenting that kind of thing in pull requests right now

username reminder stub says "we have emailed you the user names associated with your email address" (emphasis mine), which gives some insight into the messed-up way they're factoring accounts - the email just calls it "the user id"