The following errors have occurred.
(13) The merchant login ID or password is invalid or the account is inactive.

So which is it? Do I have an invalid ID, password, or is the account inactive?

Bad error messages are the suck. There's no reason the system shouldn't know which of these three cases is the reason for failing.

Followup: The context of this error is I'm attempting to connect to authorize.net's gateway to process some credit card transactions (unfortunately I'm stuck doing these boring, menial webmaster-esque tasks every once in a while). Obviously, I didn't want to run through an actual credit card transaction, so I was using what I thought was their test gateway, which would work with *my* user credentials (https://test.authorize.net). However, what I'm supposed to do is use their real gateway (https://secure.authorize.net) and send in a stringified boolean x_test_request. So that error message was actually telling me: "Hey, the API login you're using is actually a 'live' account ID (as opposed to a 'test' account ID), so please use https://secure.authorize.net. Unless you have a test account, in which case you've input the wrong login id, the wrong password, or your test account is inactive."

...

...

...

Posted by roy on February 14, 2007 at 12:21 PM in Ramblings | 7 Comments


Comment posted on February 15th, 2007 at 02:28 PM
I actually think that's a security best-practice. Don't tell the user why their login credentials are wrong... so that it doesn't narrow down the list of possibilities.

Although, as a user... it is annoying :P
Comment posted on February 15th, 2007 at 02:36 PM
I've heard that, but it makes no sense.

Security through obfuscation is a hack - either an attacker has the full creds to hijack the account, or they don't; they're not going to try to brute force passwords on an API with just a login, especially if the API is (properly) designed in a way to not allow for a flood of auth tryins.
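One way to reconcile the two positions in the comments above, shown as an added example (not authorize.net's code and not part of the original thread): the client always gets the same error 13 text, the server log records which of the three cases occurred, and failed attempts are throttled per login ID. The account names, secrets, throttle policy and the SHA-256 stand-in for a password KDF are constructed assumptions.

```python
import hashlib
import hmac
import logging
import time

log = logging.getLogger("gateway.auth")
# Code and text taken from the error quoted at the top of the page.
GENERIC = (13, "The merchant login ID or password is invalid or the account is inactive.")
MAX_FAILS, WINDOW = 5, 300  # constructed policy: 5 failures per 300 s per login ID

def _digest(secret):
    # Stand-in for a real password KDF such as scrypt (assumption for brevity).
    return hashlib.sha256(secret.encode()).digest()

# Constructed sample accounts: login ID -> (secret digest, active flag)
ACCOUNTS = {
    "live-merchant": (_digest("s3cret"), True),
    "old-merchant": (_digest("hunter2"), False),
}
_DUMMY = _digest("dummy")
_failures = {}  # login ID -> timestamps of recent failed attempts

def authenticate(login_id, secret, now=None):
    """Return (ok, code, message, reason).

    Only code and message are sent to the client; reason stays in the server log.
    """
    now = time.time() if now is None else now
    recent = [t for t in _failures.get(login_id, []) if now - t < WINDOW]
    stored, active = ACCOUNTS.get(login_id, (_DUMMY, False))
    # Always compare, even for unknown IDs, so timing does not reveal which IDs exist.
    match = hmac.compare_digest(stored, _digest(secret))
    if len(recent) >= MAX_FAILS:
        reason = "throttled"
    elif login_id not in ACCOUNTS:
        reason = "unknown_login_id"
    elif not match:
        reason = "bad_secret"
    elif not active:
        reason = "inactive_account"
    else:
        _failures.pop(login_id, None)
        return True, 0, "OK", "ok"
    _failures[login_id] = recent + [now]
    log.warning("auth failure login_id=%r reason=%s", login_id, reason)
    return (False, *GENERIC, reason)
```

The account owner can still be told the specific cause through an authenticated channel such as the merchant dashboard or support, which keeps the unauthenticated response uniform.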

PeteE (guest)

Comment posted on February 15th, 2007 at 12:31 PM
Oh man Roy I feel sorry for you. At my last consulting job I had the privilege (add _TONS_ of sarcasm here) of working with AuthNet. I can't tell you how many phone calls and emails to their techs it took for them to finally give us a suitable test env. I finally found an internal contact there who actually had a clue and would help us out. Ugh, you brought back some horrible memories! jerk ;)
Comment posted on February 14th, 2007 at 03:47 PM
any hot dates for tonight? if not, you and i are the suck. yush too, i suppose... but not tim and alex.
Comment posted on February 14th, 2007 at 05:24 PM
i got a hot date with dark angel season 2 starring jessica alba.

i know you're jealous.
Comment posted on February 14th, 2007 at 07:21 PM
i got kristin belle

PM5K (guest)

Comment posted on February 14th, 2007 at 03:34 PM
Damn, I know exactly what you mean!

I guess it acts as a retarded security feature, but I don't think that's the point, I think it's simply poor programming.

And I saw what you talked about previously with the retarded question/answers. I don't remember where it was, but I saw on a website and I didn't know the answer to any of the questions; at least yours had mother's maiden name.