FedEx may have the worst and least secure digital platform for a major company. Some examples I’ve noticed:
1. I moved into a 10-unit apartment building and wanted to set up FedEx Delivery Manager. I just put in my new address, no verification whatsoever, and I was immediately given access to the previous tenant’s delivery instructions which included the buildings private garage code. Any thief could have done the same.
2. When I moved out of that building I wanted to add my new address to delivery manager … but I couldn’t. The site errored every time. The reason? Some forums revealed the correct hypothesis that if you have special characters in your password then some parts of the site are permanently broken for you. Including the change password flow. So I had to have my wife make a new account with a worse password.
Truly amateur stuff for an otherwise very impressive company.
Is it impressive though? They have about a 50% success rate delivering things to me across multiple addresses and I know other people who have had similar long term issues.
At one of my addresses FedEx will happily sell anyone overnight shipping and then just keep the parcel at the depot for a week until they have a driver who can actually make the trip. I have had like 6 very urgent packages delayed like this. Once my wife ordered something perishable and they pulled this then told her she had to drive into town and pick it up at the airport.
I've also been nearly run off the road by FedEx drivers on the highway before. One guy was so angry that I was only going 10 over that he tailgated me within a foot and then punish passed me.
They're also the only service that still corrects my other address to the wrong address. I tried for a whole month to get ahold of anyone there who even knows what address correction is and then just stopped using them for anything important.
They doubled down on "digital" during the pandemic and fired a bunch of CSRs and stuff. It doesn't look like it's working out very well for them.
> just keep the parcel at the depot for a week until they have a driver who can actually make the trip.
Depot workers can get up to the weirdest stuff. One time I was returning unused product (oil well perforating guns, a UN 1.4D explosive device) via Yellow Freight. I handed over the cases and signed all the appropriate paperwork to handover custody at the depot and went on about my day. The supplier called me ~10 days later saying they never received the shipment! Perturbed, I called down to the depot who basically shrugged it off with "no idea lol not our problem". Their attitude changed when I told them that in accordance with my license and federal law I would be notifying the ATF at the end of the day that there were missing or lost explosives and it would very much be their problem.
A couple hours later they called back and told me the boxes had missed their truck and were just sitting in the corner of the secure cage in the loading dock, forlorn and forgotten. What the fuck, guys.
> dropped off oil well perforating guns at Yellow Freight
Holy fuck. We never shipped these using commercial couriers, but transported them using company trucks and company labor. We'd also have a heavily armed security person escorting them at all times.
For reference, these are long tubes containing many shaped charges. Sometimes you can have hundreds or thousands of shaped charges for a single perforation job. AFAIK, the oil field is the only industry that uses shaped charges outside of the military. Their primary application is piercing tank and ship armor. They kind of "implode" rather than "explode", and generate a sort of lightsaber-beam of superheated copper that lances straight through armor. In this video[0], blue is just a steel casing, yellow is the explosive, and red is the copper which pierces the target.
> Holy fuck. We never shipped these using commercial couriers, but transported them using company trucks and company labor. We'd also have a heavily armed security person escorting them at all times.
The manufacturer shipped them to us via Yellow, so we figured it was the simplest route to return the unused items via the same route, since they're properly credentialed and insured and all. It was a specialty project (perforating the casing in a newly drilled geothermal well at depths not more than 100m) so we only used in the realm of a dozen 50# cases of loose perforating guns and built the strings ourselves, bringing the high explosives (det cord that made up the string, detonators) from our own magazines.
> AFAIK, the oil field is the only industry that uses shaped charges outside of the military. Their primary application is piercing tank and ship armor.
They're quite often used in demolition as well, to shear through structural steel members. I've used them to bring down warehouses, bridge decks, bridge piers/supports, assorted industrial buildings and even hand built some crude shaped charges when scuttling a ship. I once went down a fun rabbit hole ordering custom built linear shaped charges for a demo project that saw the LSC's used so deep underwater that the static water pressure in the cavity of the charge would prevent the penetrator from forming properly. It was an interesting iterative design process with the manufacturer to make a sealed unit that maintained an air pocket inside the device at those depths and would seal flat agaisnt the object to be demolished. All akin to military uses sure (especially that last one, i bet the SEALS or some branch of frogmen have underwater satchel charges or limpet mines handy but those weren't available to us) but this was in the civilian construction domain.
Someone once suggested that if you are travelling by air and absolutely must have your checked bag arrived with you - put a starter's pistol in there (and fill out the appropriate paperwork).
The chances of that baggage being lost or misdirected is basically zero.
One of the big problems I find in the shipping industry is the reliance on insurance. The idea that most packages are insured or easily replaceable. When I was a bit younger and doing some seasonal postal work in a processing plant this was the mentality. The mentality being that sometimes things will go wrong and ruin a package, but hey, whatever. Machines would sometimes destroy a package, packages would get thrown around, heavy boxes would be stacked on very small/fragile ones, etc...
Myself and many of the people I worked with all tried their best. But at the end of the day there is only so much you can do as a temp seasonal worker to prevent such things. They'd rather have a higher amount of damaged/lost items and a higher throughput.
It'd be interesting to see a competitor that made it their goal to handle packages with more care and not have this attitude. However I can't see them getting too far. They would likely have to charge more money, and any of the big companies are not going to care to pay more. They'd rather take the risk and just ship it again if it gets broken on the way. It'll end up being cheaper for them that way. The ones who lose out are the smaller businesses and individuals shipping personal items. It pissed me off when I'd see a damaged package of an item that was clearly a personal homemade thing. Something that isn't easy to just quick send another copy of.
> It'd be interesting to see a competitor that made it their goal to handle packages with more care
There are "personal courier services" or "white glove courier services" where you hire a specific person to move your package from point A to point B. They stay with your package the whole time, and either carry it on a plane or drive it themselves.
It's expensive, obviously, but the service does exist.
Just like you, I'd love to see a middle-ground, scalable option exist.
Pharmacies use this type of personal courier service to deliver medicine filled in the store to a patient's home (since shipping prescription drugs FedEx is a great way for grandpa to run out of heart medicine). This service is often provided free of charge so it's worth checking out.
That's surprising. The CVS a mile from my house uses USPS Priority Mail. It might actually be cheaper if a pharmacy tech spent ten minutes driving it here.
I think there is something about the monkey brain in people that if you give them an item, they think they own it. It doesn't matter that it's just a loan or they are supposed to give it to someone else.. they think they can do whatever they want with it and anyone is lucky that they didn't mess with it. This seems to happen in the food service industry as well with the whole attitude of "be nice to us so we don't mess with your food!" The monkey brain can't help but think that it owns an item that it managed to grab.
That's why I think that we need a psychological trick to make humans in package management think differently about the packages. Maybe writing something like "Fedex FAMILY Owned" on each package could do the trick. Although when I worked in a shipping facility I think people were so busy that there wasn't much "thinking" either way possible. Still we will probably just go with robots though.
I think your last couple sentences is the reality. You are expected to be quick at your job and you don't have much time to think about each package. Was that a pretty heavy package you just put on top of a fragile one? That's unfortunate, but the company just doesn't give you the time to do it properly. And the company is okay with accepting that risk at the customers expense.
The true cost of destroying or misplacing a parcel is often higher than the nominal value of the item inside. Sometimes it’s a sentimental good, sometimes it’s time sensitive and not having it in time results in additional costs to the recipient, sometimes the recipient spends significant time attempting to locate the package.
None of these are appropriately compensated for.
Make these companies liable for the economic cost of the goods plus $200 and they’ll start taking more care.
Strangely, I've had perishable medicine delivered to me (a biologic injection) for two years without a single hiccup by FedEx. They have been the most consistently reliable delivery service where I live (though the post office is pretty good too). My house is at the bottom of a hill that is difficult for rear wheel drive vehicles in winter.
UPS, on the other hand, can go pound sand. They often refuse to deliver due to weather, then force me to either drive two hours round trip to their distribution center, or charge me to pick it up at the local UPS store.
When when FedEx couldn't get their truck to my house due to road conditions, they were totally fine with my picking it up at their store.
> They have been the most consistently reliable delivery service where I live (though the post office is pretty good too).
Every service relies on the USPS to some extent, which makes the Republican attempt to gut the organization so baffling. There's no replacement and nobody is looking to replace it.
From my perspective as an ex letter carrier, your personal experience with package delivery is determined almost entirely by whoever runs the local hub and handles last-mile. Unfortunately it's a McDonald's Assistant Manager kind of role; anyone truly competent will be able to find better work sooner or later.
Postmaster Dejoy began dismantling critical sorting machines, reducing and limiting overtime, &c only 6 months into lockdown, well before there was a COVID vaccine. Knowing full well the problems it would cause. For example, many remote rural addresses are only serviced by USPS, and people rely on it for timely prescriptions. IMO it was massive public outcry that prevented a great deal more destruction.
In Washington we were giving each other the advice to use ballot dropoff boxes because the postal service had disassembled half of their sorting machines in the month or two leading up to the November election and we were all concerned that mailing the ballots would have led to postmark dates after election day.
I live in an apartment. I get mail for 4 or 5 previous tenants. I get corporate spam. I have unsubscribed from as much as I can, I have a return to sender stamp and have used it, yet I am inundated with trash on a daily basis. Technically, it is illegal for me to throw out this trash. In my opinion there is a massive amount of waste moving through USPS and the organization could use some serious cuts in order to take stock of what actually needs to be delivered.
You've done everything except talk to the one human being involved who appears at your residence every single day. If I was your letter carrier and knew you felt this way I'd honestly be hurt that you didn't bother to ask me about any of it.
> the organization could use some serious cuts
Miss the part about them being the backbone of package delivery in this country? Or the part where there's nobody to replace them? Well it doesn't matter since the USPS is financially self-sustaining.
My letter carrier is a young man with headphones in who cannot be bothered to read the address on the penny saver that he stuffs into my mail slot (I have unsubscribed).
My letter carrier is fantastic. We stop and catch up for a bit when he's delivering. I see so much mail for previous residents in my Informed Delivery email that never arrives because he knows who lives here and returns to sender for us.
"The $company/government isn't doing their job, we need to fire/change government/privatise this function, it would solve everything!"
Well, where do you think the former employees will work after their previous employer shuts down? It's not the form of government/company culture that is the biggest problem I'm affraid.
I'm in the same camp. The single time they actually delivered it to me without saying I wasn't home they had actually delivered it one street over.
I spent 72 hours waiting (3x24 periods they told me to wait and call back tomorrow while they "investigated") for a $1300 package. Initially they said it must have been stolen and its my loss, to which I said "no I was home and near the front door all day, you didn't deliver it". Pretty absurd they can't just look where he was when it was "delivered" and deal with it. Or maybe they can and they just don't bother.
Eventually the person actually called me using my number on the box and said it was delivered there.
Still no recourse from FedEx, whom I have not informed I got the package in the end.
I’d quote this as the best federated peer-to-peer package delivery. Distribute in a nearby city and it will get to its destination eventually. Fortunately, your personal info is written in the clear for everyone to see, and anyone can open the box.
Yeah, in my experience FedEx drivers absolutely LOVE saying they “attempted delivery of my package, but nobody was home,” so I have to go get it from the depot. But I 100% was home, working from home all day, and they 100% never came.
That sounds like internal verification uses GPS. So in most cases it's going to be the customer's word against the astonishingly lazy driver's evidence.
I called them and questioned them about this - they didn't even come down my street, and yet claimed that they "attempted delivery". The customer service person was honest enough to say there was no code for the driver to say "too busy, can't meet my unrealistic targets".
At least that could explain why the driver showed up to the address without dropping off the package. If finding the package takes a non-trivial amount of time, it would add up over the course of the day.
It's otherwise just wild to me that the driver did 99% of the delivery and just noped out of the last 1%.
Why couldn't they threaten to stop delivering? I was under the impression that only the Postal Service (USPS) had a regulatory mandate to serve all US addresses.
If you got a judgment, you would get a prompt response.
Problem you'd probably have is getting the judgment, if they show up at the hearing. Their clickwrap agreements are one barrier. Also, you have no relationship with them -- you weren't the customer (and if you were see point 1).
Would be interesting to see what type of claim would work. Maybe conversion (ie theft) if they delivered it to the wrong address. But if they just hold it at the depot, I don't know what claim you could make. Would probably have to take it up with the seller.
A lien is a claim upon a part of another's property that arises because of an unpaid debt related to that property and that operates as an encumbrance on the property until the debt is satisfied.
No. They’re 100% useless in my experience, and literally never manage to deliver to me - everything ends up returned to sender. No other courier has this problem.
As for the SMSs - in Portugal, and I’d guess Australia too, they contract all of their local operations out to some random group of muppets who can’t organise their way out of a paper bag - the SMSs they send me come from a mobile number, are handwritten (they seem to literally have someone whose job it is to write messages, on a phone, and send them), as are the emails. When it comes to delivery, i’m inevitably the last delivery of the day as I live way out in the boonies, and they just go “it’s 5pm I’m going home”, and it goes back to the depot. They drive it back and forth for a week before declaring the parcel undeliverable.
These days, if I see someone has shipped something with FedEx, despite my instructions not to, I immediately request a refund, as I know it won’t arrive.
It really just depends on your local distribution hubs. My semi rural address regularly gets serviced by two different FedEx hubs, if I see it go to X hub I'll get it that day, but if it goes to Y hub it'll most likely be late.
They definitely are not impressive. I always avoid them if I am given a choice, because for the last 20 years they have always been sub-par. UPS isn't perfect, but they consistently do better than FedEx. Sadly these days it's pretty uncommon for vendors to give you the choice of who they use to ship the package, so I can't always avoid them.
They certainly can be quite impressive, I recently had something delivered from China I bought through Alibaba to South Africa, shipping cost less than 5USD and it arrived in about 13 days, 1 day less than the maximum estimate.
In my case I got an email about customs and tax payment which was needed, but the link was clearly to fedex.com.
in my country fedex isn't popular, but I had one international package delivered by them and I was very positively surprised because they paid duties for me to speed up process and invoiced me that costs.
That’s a bit better than my experience with DHL :) they’ve delivered packages to random people multiple times across the UK, France, Switzerland and South Africa. Important documents they’ve handed over to strangers, like my passport, for example…
"50% success rate delivering packages" is a totally different level of risk from "automated system gives your garage access code to anyone who claims to live there"
i mean in the first case what's at risk is the five-dollar trinket you bought off amazon
I ordered a computer from Southern California, they shipped it to Texas, Florida, Maine, and then back to Northern California. My last two orders were just stolen from someone at FedEx. They got the shipment, but it never left the facility after that. Customer service is an offshore apology machine that can't help with anything. I used to prefer fedex, but the standard of service is so subpar I go out of my way to avoid them.
I assume you know that you can open a claim? They'll either find your package really fast, or will have to pay its full value. Often the vendor has to initiate the claim. If the vendor doesn't want to open a claim, refund. If the vendor doesn't want to refund, chargeback.
Be careful about those chargebacks. I bought two new pixel phones directly from Google and only one arrived. Google support was of course awful and Fedex did absolutely nothing outside of asking me what color the phone was. lol
I ended up reversing charges for the missing phone and Google immediately wrecked me - I was using Fi at the time so they killed my cell service and killed my ability to use Google Pay for anything - including the Play Store. Probably some other stuff I don't even remember.
Between my personal account and my business accounts I realized at that moment that Google could completely wreck my life. Be careful about retaliation for a chargeback, if you live within one company's ecosystem it can be a brutal retaliation you're not ready for.
Retaliation for charge back probably elevates this from a civil matter to a criminal one; you should totally contact your local DA. They might think it's fun.
I wouldn't be surprised if it's just covered by the EULA. There's almost certainly a clause in there about Google being able to terminate service for any reason.
My last two stolen packages required the vendor to open a claim, I did in both cases and both vendors refunded me. Fedex wouldn't even entertain trying to help me.
I had this with an Apple Watch return. The package was either lost or stolen in transit, and neither FedEx nor Apple were interested in helping me. Only got it resolved after emailing Tim Cook's address, which goes to executive customer relations.
Much worse than that. I wanted to get some free shipping supplies from FedEx, so I had to sign up for a shipping account. Account could not be created due to password issues on the website, forgot how I got around it but maybe had to use the mobile app which used a different flow.
After getting the account, immediately I get shipping bills for international shipping in the thousands of dollars, both sender and recipient have nothing to do with me. Credit card on file was auto-charged. Removed credit card, started getting thick FedEx bills in physical mail.
It turns out FedEx allows billing to be charged to any account as long as you have their nine-digit account number, so of course scammers do this all the time just generating random numbers. FedEx didn't give a shit, denied my reporting of fraud, allowed more scam shipping even after I reported. Finally I had to initiate chargeback via the credit card issuer and only then did they close the account. But I still get marketing emails that I can no longer turn off. Absolutely not a company anyone should use.
They ask for an ID whenever you use an account number. I have to FedEx stuff to my home address for work. The guy at the counter is always perplexed when I tell him the destination address is the same one as the one on my ID.
I'd put Spectrum up against them. A few years back, an incoming neighbor typoed their address in a new account setup request to my address and Spectrum very helpfully inferred that the previous resident would want their account terminated and they turned off my service. Apparently, you can DOS any person on the planet you want from the entire Internet by simply knowing their address.
I once moved into a duplex and Spectrum's precursor told me I already had service. After 8 hours on the phone I talked to someone in customer service who told me "I know the problem you have, I know how to fix it. I can 100% fix it. You are welcome to stay on the phone, but it will take more than 6 hours for me to create an account for you". So in the end it took days to open a new account.
When I moved they someone opened a second account in my name and kept billing me for the original account.
I bought an OP-1 from teenage engineering years ago and fedex delivered it inside of the mailbox. USPS removed the fedex package from the mailbox and impounded it at our local USPS post office without ever notifying me. After 1-2 months of waiting/assuming the package had been stolen, I call the USPS office and asked if they somehow had the package in their custody/possession and, lo-and-behold, they did (in the "undeliverable mail room") and started lecturing me about how it was illegal for fedex to deliver a package into the mailbox, which is usps/government property etc. etc.
I called Fedex to try to rectify this and, as far as I remember, they either never answered the phone or told me they had no way of contacting the delivery driver (??).
I've always avoided fedex (and UPS, for that matter, since they destroyed two antique lamps that I ordered through ebay) since then.
The mailbox? On your property? that you paid for an installed (or bought off the previous owner), is government/usps property and they'll steal a parcel that someone else has delivered to it?
No, it goes further than that, all the way back to 1934. USPS is the only authorized service to use a mailbox. Here is an altogether far too detailed study of the law: https://www.gao.gov/assets/ggd-97-85.pdf
You need separate bins/boxes/whatever for other services to use.
Re password reset workflow issues: I had an account at a bank where password reset always failed. I had to go through a VERY convoluted process with customer website support to get it fixed. It turned out that the problem was that my registered email address was just two characters (my initials) to the left of the "@", e.g., ab@mydomain.com. They allowed me to enter and use it throughout the system without any error flagging whatsoever, but it completely broke the password system. They claim to have raised it as a bug, but never fixed in 3 years+ (moving away from them now).
I specifically got a custom domain and email address for any non-personal/"professional" comms, which is essentially just me@<custom-domain-featuring-my-name>.com.
At least with non-ASCII characters in passwords, while I think it is stupid to not handle those properly, I can at least see some sort of an excuse there, no matter how weak it is. All it takes to mess this up is not thinking about handling those scenarios, so I can definitely see "this issue was created due to us not thinking about this possibility or not willing to deal with handling it."
But what's even the reason to not allow sub-3-character local portions of emails? How does one even mess those up, aside from intentionally setting some triggers for less than 3 characters in local portions of email addresses?
> But what's even the reason to not allow sub-3-character local portions of emails? How does one even mess those up, aside from intentionally setting some triggers for less than 3 characters in local portions of email addresses?
Wild guess: someone copy-pasted an incorrect email address validation regex, and different parts of the system are using different criteria for email address validation.
FWIW I have an email that is me@...org, and I've been using it for over a decade now without a single issue despite having lots of accounts created using it.
Same. I've had this 2-char email addr for nearly two decades and this is the only issue I've had, but it's a doozy. It even took their tech support days to find it. I'm still boggled that it's a problem.
After 50 years of software crud, eventually a civilisation ending bug occurs and it can't be fixed (like how Telstra couldn't fix their phone system because the phone system was down). That's why we are all alone in the universe. Enjoy life while civilisation still works!
UPS is up there, too. I still get text messages about an old address on an account I can't log into for...reasons. (Special characters sound plausible! And of course the password reset flow doesn't work.)
UPS is better in my experience with them always requiring a code sent to me via USPS to verify access to UPS My Choice, except for when I signed up with a new construction address - It also seems to only show me packages with my last name on it, packages with just a company name did not show up.
I can’t believe it’s 2024 and we are still seeing bugs with handling “special” characters. Unicode has been here for how long? Robust string handling is supported in every language. There is no such thing as a special character. My name should be able to contain Chinese characters. My password should be able to contain emojis. What is this Stone Age shit still running on companies’ backends?
It's probably better if it shouldn't. It's generally better to prevent passwords from containing characters that can't be entered on a decent proportion of devices you may encounter.
Emojis are particularly problematic because new ones keep being added which require OS upgrades, and you might find yourself needing to log in from another device that just doesn't support those emojis yet.
Also it's not like Unicode makes everything easy. For example, you have to remember to normalize the password before hashing. Otherwise something as simple as "ñ" may be a totally different byte sequence depending on which device you're using.
If a system cannot handle ñ in a password then it is completely broken. We are not talking about the latest emoji here but about a character which is part of one of the most common languages in the world, included in 8859-1 / Latin-1, etc.
It is no longer realistic to pretend that only ASCII exists and try to get away with that.
Even a lot of Unicode-aware code written by a developer aware of at least some Unicode issues often fails to normalize properly, most likely because they're not even aware it's an issue. Passwords are a case where you need to run a Unicode normalization pass on the password before hashing it, but, unfortunately, if you're already stored the wrong password hash fixing it is rather difficult. (You have to wait for the correctly-incorrect password to be input, then you can normalize and fix the password entry. This requires the users to input the correctly-incorrect password; if they only input an incorrectly-incorrect password you can't do anything.) I'd suspect storing a lot of unnormalized passwords before learning the hard way this is an issue is the majority case for homegrown password systems. You hear "don't roll your own crypto" and think reaching for a bcrypt or scrypt library solves it, but don't realize that there's some stuff that needs to be done before the call to those things still.
With built in emoji entry keywords in every modern OS how many devices are left that can't type emoji? Even if you plan to restrict to Unicode Version N - 1 or N - 2 where N is the current version to avoid "user can't type password on older hardware", the proportion of emoji you can reliably type today on just about any device is huge.
People are still using Windows 7 -- it's the third most popular Windows version after 10 and 11 -- and it only supports Unicode 5.1.
Emoji weren't officially supported until Unicode 6.0, though there are a subset of current emoji (less than a quarter) that work on Windows 7 in practice.
Meanwhile the current standard is 15.1.
There's no security or convenience necessity whatsoever for supporting emoji in passwords, but inconsistent OS support is an excellent reason against it.
Windows 7 market share is barely at 3% on the internet per statcounter.com. Third place doesn't mean "popular", especially not right now.
There's quite a bit of convenience, and some concomitant security, to using emoji in passwords. Emoji are high entropy code points that are easily visually distinguishable across most language boundaries. A "short" password of just emoji is going to have way higher entropy and be way harder to brute-force/rainbow table than any equivalent "length" (by visual character count) ASCII-only password. That should go without saying. The fact that huge boost in entropy also comes with a massive benefit in how quickly a user can glance at their password and know that they typed in right/wrong often faster than they could if forced to build a line-noise password is a huge bonus. (Related to why Windows 10 experimented with Picture Passwords and a lot of Android users use some form or another of Gesture PINs.)
That said, I think the real solution is of course to eliminate passwords altogether (and yes Passkeys are our best hope right now). But saying that we have to stick to ASCII for passwords because that's a lowest common denominator for keyboards is very much like saying that we should stick only to passwords that you can T-9 on flip phones or send in an SMS or that passwords shouldn't really be longer than 8 characters just in case some Unix system needs to use the old DES-based crypt() function or that passwords shouldn't contain quote marks, semicolons, or percentage signs because those might be SQL injection attacks and you might have some PHP apps that are vulnerable to those. You are letting silly technical lowest common denominator bugs stop you from increasing security for the median/mean user.
Sure? But what definition of "popular" does "large amount of people" meet? "Of or relating to the general public"? The general public is using Windows 10 and 11. "Suitable to the majority"? Again, the vast majority is 10 and 11. Same for "frequently encountered or accepted" and "commonly liked or approved": the most frequently encountered is Windows 10. So too is the most "commonly liked". 3% is still 3% and far and away a minority and definitely not in any way "popular", by any definition I can find.
It seems like a very good idea to not allow passwords that can't be input on 3% of commonly used Windows computers. 3% is still a very significant number when it comes to compatibility, customer support, etc.
I'm pretty sure that most of the on-screen keyboards for TV / streaming device platforms don't support emoji.
(I've spent about 6 years of my career running video streaming services... People watch a lot of video on TVs, it turns out, so you probably don't want to let them put these sorts of characters into their passwords when they sign up on mobile or computer devices.)
For better and a (lot) worse most of the TV / streaming device platforms are Android-derived and have access to emoji keyboards if not intentionally disabled, even on TV form factors. I realize it is a wide spectrum of users and a long tail of devices, but at some point again it isn't a technical reason that we are banning emoji from passwords but a political and lowest common denominator reason.
I'm not trying to invalidate your personal experience. You've seen a lot of good social reasons users probably "can't" be trusted with emoji passwords. but at a purely technical level the number of OSes in 2023 that can't pop up an emoji keyboard if asked is incredibly slim and the number that can't have an emoji keyboard in user space as a software addon is even slimmer. If a device doesn't support at least UTF-8 encodings in 2024 that's an entirely different can of worms (and probably a bad sign for the security of the device itself).
Both the Xbox and PS4+ have emoji keyboards. Apple TV has an emoji keyboard. Almost every version of Android TV and Samsung Tizen and Roku and Fire OS and ….
Go ahead, tell me you have a lot of customer support problems that you don't want to support emoji in passwords. That I can believe. I can't believe it's a technical problem in 2023. Emoji are universal enough now in 2024 that OSes are broken if they can't send/receive emoji and don't have some sort of keyboard to input them. Even if we are still turning off the emoji buttons on password fields because we don't trust users to do it for social reasons rather than technical ones.
> I can't believe it's a technical problem in 2023. Emoji are universal enough now in 2024 that OSes are broken if they can't send/receive emoji
As I said, it's not about support for emoji as a class.
It's about support for specific emoji. Different OS's are on different versions of Unicode that support different sets of emoji. The older versions don't support the newer emoji.
So yes, in 2024, it would be incredibly easy to create a password using an emoji on your up-to-date Mac that simply can't be entered on your Android-based TV you purchased 3 years ago, because it doesn't have that emoji even though in supports emoji in general.
So no -- it's not for social reasons, it's very much for technical ones.
And trying to implement a rule like "emoji are allowed but only the ones that were present in Unicode 6.0" is incredibly confusing and opaque for end-users, so it's a better experience just to not allow emoji at all.
I'm sure that's true - but, as an application developer and service operator, we don't really have the option to access the keyboards that are hidden by the TV OSs that we are running on.
Additionally, I'm not sure that supporting full Unicode access (or even just the hundreds (?) of emoji) using a D-pad as an input device would be a good UX.
Most companies don't like rewriting their code. If it ain't broke, don't fix. (Weird password issues don't count as broke.) There's no guarantee, after all, that the rewrite won't have major edge cases and mistakes of it's own.
The upper layer might change now and then, to give a veneer of modernity. But just like Windows being built on 90s technology, the stuff underneath could be even more ancient.
A software that can't accept a % as part of your password is absolutely, positively broken--in any industry or application. In many companies, this would be a P0 "don't go home until it's fixed" production emergency if a bug like this crept in to the software. We need to stop excusing long-standing bugs in horrible legacy software just because they are long-standing.
If 10% of customers have passwords that now can't log in and submit orders, that would be an emergency.
We're taking OP's word for it that FedEx doesn't allow certain characters as passwords (actually, from the description, it seems more like FedEx only allows specific characters which is even worse). If either of those are true, it is most certainly a defect. Whether FedEx treats that defect as an emergency is up to them I guess. I'm saying many modern companies would.
You originally said "Weird password issues don't count as broke." I think this might just be a case where we have to "agree to disagree".
> it seems more like FedEx only allows specific characters which is even worse)
If I read it right it sounds even worse. Fedex allows the characters and then random stuff just breaks.
It is much preferred to get a simple "only english alphabet and numbers please" warning message when you are trying to set the password than not getting any warning and then things breaking.
I've had this before at a University I used to attend. I had a password with either a % or a & and I found I couldn't log into one specific system. I changed my password to a different one, but still had one of those special characters. I was curious and tried a more "basic" password and I was able to get in. The system just wouldn't accept certain characters in your password. The main University password manager did disallow certain special characters, but clearly not enough of them.
It never makes you feel very confident in an institutions security when they can't even figure out how to get a username/password to work properly on their systems.
> You originally said "Weird password issues don't count as broke." I think this might just be a case where we have to "agree to disagree".
I meant broke in the sense of "if it ain't broke, don't fix." If there are over 300 microservices running code, connected to mainframes running code that was originally from the 80s, but they occasionally have password issues - the risks caused by trying to fix it might be greater than it's worth.
That doesn't mean FedEx can't do a better job telling people not to use special characters - or detecting if their current password contains them and forces a password change.
> If there are over 300 microservices running code, connected to mainframes running code that was originally from the 80s, but they occasionally have password issues
And we ended up where the thread originally begin "FedEx may have the worst and least secure digital platform for a major company."
Besides that is horrible! There should be 1 microservice which deals with passwords, the authentication one. Everything else should just get a token attesting that the user is authenticated (or not).
Unfortunately the InfoSec Red Team determined that % in a password could be an attempt at an SQL Injection Attack and the Security Priority is to not fix the current behavior and instead other password checks in the company should also start erroring for % and other such "power characters" used in attacks.
I'm in complete agreement about usernames, but if you're at the point where you want to use Unicode in a password, you might as well make the jump to WebAuthn. Going from a UTF-8 input to a normalized bitstream that gets fed into a KDF could be tricky.
Alright cool but maybe they can put the exact phrase "IF you put an ampersand in your password, your account will be bricked and we wont help you with it" on the password form.
Or, even more hilariously, that said truncation happens on the client, and varies between different clients that they have. I personally ran into this with Wells Fargo, where their mobile app would leave one more (or one less, I don't remember exactly now) character than their website.
PayPal used to do the same thing, but even worse they weren't consistent about it. The page to create your password truncated it, but the login page did not. I found out the hard way when I couldn't log in because of that stupid behavior.
Thankfully they fixed it at some point, but it's absolutely mind blowing to me that anyone thought it was acceptable in the first place.
This drove me absolutely crazy as well and I was equally shocked that anyone thought it was a good idea. Ended up going through several rounds of password resets before figuring it out. Further reinforced the perception that PayPal is a crap company and continue to avoid using them as much as possible.
Heh, that's the same company that sends physical mail to me every time I make a trade because they believe that email sent to my personal domain is "undeliverable" and automatically opt me out of e-statements no matter how many times I opt-back in. They have to be losing money on me by paying for so much postage at this point.
(And no, nothing is wrong with my email, it's hosted by a professional email host with the proper MX records and literally only Schwab claims to have this problem with me).
My college had a credit union with an ATM in the cafeteria. It was in your interest to keep enough money in the credit union to pay for lunch etc. while you were a student there.
When I graduated, I pulled the money back out. Apparently they issued the final interest payment after I'd emptied the account. For at least a year after that, I got monthly statements informing me that I had an account with less money in it than the postage on the statement.
Back in the 1970s, I lived for a while in Boston. I needed both Canadian and American accounts, for reasons. So I opened an account with the Boston branch of the Bank of Nova Scotia. Things worked ok for a while, and then I moved back to Canada. I withdrew the pittance I had in the account, and asked the bank staff to close the account. For the next two years or so, I got account statements, showing the glorious zero balance. I think it only stopped when I moved and didn't notify them of a forwarding address.
A different bank that I use will occasionally tell me that I'm about to be opted out of email because I haven't opened any of their mails and they don't think they're getting through. Which I assume is just because I have thunderbird set to not show remote images and that breaks their tracking.
Earlier this winter, I got a bunch of those letters completely out of the blue. I was also receiving emails from Schwab throughout the several weeks they were sending me a pile of letters saying they couldn't deliver emails to my address. Then the letters stopped.
I remember comparing notes with fellow employees at a previous job, and depending on when you'd started working, the system had different password rules for you (users who'd been created earlier had a smaller set of allowed characters, etc.). Pretty sure it worked out to some Oracle nonsense.
Years ago I found a glaring security hole in schwab where when imputing a security question answer, if you got it wrong you could just hit the back button and try again.
to their credit, they took me seriously and I believe they fixed it reasonably promptly.
My favorite was when they put my well-marked mail-order medicine right at the exit of the roof gutter pipe, instead of the front door. Sometimes it feels like the workers want to purposely cause chaos.
Maybe, but UPS is close to it. They for example are sending out emails that request users to log into their account to "avoid losing their profile". If this is not ripe for phishing then I don't know what will be.
I wonder if that's why I can't change my password with petco - every time I shop there they tell me I have rewards but I can't load them because the site errors out when I try to reset my password.
I used to be able to load the rewards to my account without logging in at all, just clicked the link in my email, but I guess they fixed that and then I realized I didn't know my password.
They're an amateur company. They claimed three times to have tried to deliver a package to me last year even though they never even came down my street one time.
The package got returned to the sender who wouldn't respond. When I quibbled with my credit card company (Cash App) they said the package had been delivered to the sender, so it was technically "delivered" and I was not eligible for a refund. When I persisted they permanently terminated my account with them so I can never have another Cash App account, thanks to FedEx.
Up until a few years (well, it feels like it) ago wells Fargo had a case insensitive password for accounts. I didn't believe it since my password was upper and lower case and special characters but I tried one day and sure enough got right in.
I've had FedEx hand packages to other couriers who promptly lost them never to be seen again. When I contact them they said this counts as delivering the package.
I no longer use FedEx for any shipment that I need to have arrive.
Of the carriers, FedEx is the worst for me (North Carolina, USA). DHL is the fastest and most reliable. UPS and USPS tie for second place, slightly below. (People I talk to in person hate USPS, but I've had consistently good experiences with them for both sending, and receiving). Then FedEx several rungs below; Out for delivery, then rescheduled every time.
1. I moved into a 10-unit apartment building and wanted to set up FedEx Delivery Manager. I just put in my new address, no verification whatsoever, and I was immediately given access to the previous tenant’s delivery instructions which included the buildings private garage code. Any thief could have done the same.
2. When I moved out of that building I wanted to add my new address to delivery manager … but I couldn’t. The site errored every time. The reason? Some forums revealed the correct hypothesis that if you have special characters in your password then some parts of the site are permanently broken for you. Including the change password flow. So I had to have my wife make a new account with a worse password.
Truly amateur stuff for an otherwise very impressive company.