Mastodon

What the f*** were they thinking?! Crazy website biases exposed by naughty words lists (the NSFW version)

I’ve long held the view that passwords should consist of as many crazy things as the owner deems fit. If I want to create a password that looks like a dog just ate the keyboard and threw up all the keys, then good for me. (Chances are that Fido is going to cough up a pretty unique password too but before PETA gets on my case, try using a password manager like 1Password instead.)

Now I’m used to seeing all sorts of ridiculous limits on passwords – no “special” character, limit of 12 chars, no spaces, can’t use letters “q” or “z”, can’t use letters at all – but the banning of specific words is something else altogether. I don’t mean words like “select” or “drop” either, you know, the kind that shows someone has done a sloppy job of their SQL injection mitigations, I mean words like these:

A jar of Extreme Nut Butter

I’ll come back to the impact of passwords named after this particular sandwich spread. Banning certain words is one thing, but inadvertently publishing the entire list is quite another and it discloses some very interesting biases on behalf of the site.

Biases implied by the words a site allows versus those it blocks doesn’t need to remain the domain of passwords alone. There are other cases where words are blocked and again, the list is exposed publicly for (assumedly unintentional) scrutiny. When I say “biases”, I’m talking about everything from religious views to gender equality to which animals zoophilia may be off limits for. Yep, it’s that weird and it all begs the question – what the fuck are they thinking?! (Get used to the language, the title of the post warned you!)

The perpetrators

I’m going to single out two here and the first is Virgin. Hang on – Virgin has an issue with something naughty?! You mean the guys who thought this would be a good idea?!

Virgin's urinals which appear like an open woman's mouth

Surely I can’t be talking about the same company whose very ethos is grounded on the principles of clean living and a healthy respect for women?!

Richard Branson with bikini babes

Yep, those guys. As it happens, they’re more easily offended than you’d expect. Not only are they offended by naughty passwords, they were so offended that I pointed out they were easily offended that they removed the offending offensive passwords (for posterity sake, they were originally located here but have now been removed from within the remaining JavaScript). That’s right folks, the evidence of their dislike of “wanker”, “hardon” and “fart” (oh c’mon, even my 2 year old says fart!) has been removed from their client side script and relegated to the server side… except for the backup I put on Pastebin in case they need it again later.

And then there’s PayPal. Yep, those guys, the financial one. Turns out that PayPal has this Create Your Own site designed where you can sell some stuff or buy some stuff or, well, to be honest I don’t quite know, all I know is that it can’t be a “shlong” or a “sausage queen” or a “fart” (oh c’mon, you guys too?!) I know this because they too have a publicly accessible bad words list (and a Pastebin backup should they later think better of it).

Now this isn’t passwords per se, rather a publicly facing facility which attempts to censor words it deems inappropriate, for example:

Creating a PayPal entry for "Super awesome facial cream"

Clearly, this term is an affront to humanity and must be censored for our own protection:

PayPal's "Oop, no naughty words please" response

You may not have known that was a “naughty” word, am I right? Oh, which word? Facial, of course (you might need to Google some of these – from the privacy of your own home – after the kids go to bed – grab a stiff drink first – oh, and it’s ok to use the word “stiff”, just sayin’)

But on a (very slightly) more serious note, by exposing their swear list on the client side where it’s easy to grab hold of, both Virgin and PayPal also disclose some totally bizarre reasoning, teach us (or at least teach me) some terms I’d never heard of and in all likelihood, demonstrate some pretty discriminatory behaviour. Grab that stif… uh, har… ah stuff it, get a beer and read on.

Why ban naughty words in passwords?

This question has quite rightly been asked a few times now and the answer is both profound and simple – because you don’t want to upset the operator who reads it. Hang on – wait – what?! Yeah, you know that password you created on the website and expected to be hashed with a strong algorithm suitable for password storage (you were thinking this, right?), yeah, not so much and apparently they have some pretty serious security deficiencies when it comes to how they handle them.

Of course it must be people that are likely offended by words because frankly, computers couldn’t care less. No really, try it on a site we know is taking security seriously like Google or Microsoft or Appl… well try it on Google or Microsoft and see how you go. You see, the problem is that if you create a password using one of those “pass phrases” that are all the rage these days and you choose something like “this password is totally shit”, then you call up Virgin and they want to validate your identity so they ask for your password and you say “this password is totally shit”, you might crush the gentle spirit of the operator on the other end of the phone as they learn of your foul-mouthed preferences (and we’re starting out mildly here).

This, of course, raises all sorts of interesting questions; why can they see my password? Why do they need to see my password? And in the case of both Virgin and PayPal, how the hell do you even decide what’s in and what’s out without frankly, looking a bit ridiculous? Speaking of which, let’s just cover off some of the insights their word lists give us.

The insanity of banned word selection

When you see PayPal excluding such words as “assfukka” and “cocksukka” (and equivalents with only a single “k”), you have to wonder just what the point of it all is. I mean if it’s coming down to excluding words which might phonetically be off limits, you’re well and truly fighting a losing battle because there’s nothing to stop someone from choosing “assfukker” and “cocksukker”. It’s utter madness too because they’ve covered “assfucker” and “assfukka” but not ““assfukker” – consistency guys!

Then you’ve even got stuff like brand names – you can’t have “viagra” but you can have the competitor’s “cialis”. Pluralisation is also an oddity in that you can’t have one “blowjob” nor multiple “blowjobs” yet whilst you can’t have a “dick”, you can have multiple “dicks”. If your name really is “Dick”, you’re gonna have problems and if it’s “Dick Van Dyke” you’re completely stuffed!

And really – “bunny fucker”?! But don’t despair because if you have a penchant for small furry mammals because you’re ok with “rabbit fucker”. Maybe there’s a greater likelihood of “bunny” being the word of choice because of the whole Playboy thing, I don’t know, I can only guess at the insanity behind it.

While we’re on animals, you can’t choose “dog-fucker” but “dog fucker” without the hyphen hasn’t been called out as per the bunny equivalent. Another off limits animal is “pigfucker”, oddly enough all as one word and then just to add to all the fucking weirdness, you also can’t have “cyberfucker”, “cyberfuc”, “cyberfuck”, “cyberfucked” (one of a number of past tenses), “cyberfuckers” (because sometimes there’s more than one of them) or cyberfucking (in case you’re doing it right now).

You can’t imply that someone might be a “cnut” but they could be a “kunt” – no really, they literally could be a Kunt because apparently that’s a popular surname in Turkey and they wouldn’t want to exclude someone simply because of an ethnic name, would they? Right?

Other absurdities that are off limits include “nut butter” per the opening image in this blog, “flog the log” (ok, I get it, but where do you stop with euphemisms of that genre?!) and “kinky Jesus” (I had to Google it – it’s a thing).

Then there’s the really, really oddly specific stuff like “fuckingshitmotherfucker” – but you’re ok if you’d like to rearrange your profanities a little (apparently). The “bang (one's) box” is also a little odd in its specificity, all the way down to the punctuation which assumedly could be omitted if you genuinely wanted to express your fondness of box banging.

While I mention box banging, that’s fine so long as only one box is involved because if there’s two boxes (or presumably more), that opens up a whole other can of worms that may actually have a serious side.

On potential discrimination…

Let’s just get ever so slightly more serious for a moment and talk about gay. No, not the kind of gay that keeps popping up in the oldie worldy kids books and seems so out of place in the modern context, but the sexual orientation definition. At least that’s what I assume Virgin is referring to when they disallow the word “gay” in their list. They’ve also ruled out “queer”. No “lesbo” either, apparently, although I admit I’m unsure as to whether that’s accepted slang in today’s vernacular or if it has derogatory intent. “Lezbo” and “lezzer” are off limits but you’re fine if you prefer “lezzo” which, as I understand it, remains popular in some circles.  “Faggot” is out so if you’re fond of bundles of sticks then tough luck (you knew it once meant that, right?), but arguably it’s frequently used as an insult too so I can kind of get that.

The thing is though, some of these words are perfectly reasonable, socially acceptable ways of describing same-sex relationships. However, if you’ve chosen the more traditional man / woman path then you’re most welcome to use the words “hetro” or “hetrosexual” or “straight” or any other term that came to mind. Seems to me that this is the sort of thing that rightly or wrongly, often cops an organisation some seriously bad press.

In some ways, PayPal is even worse; you can have “sex”, but you can’t have “gaysex”. There’s also no “fag”, “fagging”, “faggitt”, “faggot”, “faggs”, “fagot”, “fagots” or “fags” – homophobes rejoice! But seriously, that’s a lot of effort to go to in order to keep someone with a homosexual persuasion from expressing their views.

Whilst we’re talking discrimination, PayPal has a distinct dislike of “god” (it’s not clear which one) yet “allah” is good to go. “Buddha” is also good as are a broad range of deities. “Jesus” is ok but as we’ve already established, only if he’s not kinky. How they decided whose belief system was in and whose was out remains a mystery.

Upsetting Scunthorpe

By now you’re probably looking at this and thinking “Oh yeah, I think a Scunthorpe is where the girl goes like this and the guy, well…”. No, not quite, Scunthorpe is actually a place and as you can see, it’s totally obscene. Hang on – wait – it’s what now? Yeah, can’t you see it? Read the word carefully…

Yes, the Scunthorpe Problem is a thing and it impedes otherwise well-intentioned citizens the world over. That may be because of a partial word match, the acronym the words form, or simply a dislike of the word because “reasons”.

Yes, a “flange” can have a phallic connotation but it’s also a pretty damn essential piece of a heap of very well engineered machinery. A “chink” might sometimes be a racial slur, but you can also get one in your armour and leave you vulnerable to a well-aimed sabre attack.

I get that “fook” is sometimes used as a colloquialism, but it’s also a very nice Chinese restaurant:

Kam Fook Restaurant

Other Scunthorpian errors mean you can’t have our tastiest cheese:

Coon cheese

Or this:

Horny lizard

Or even this:

Ballbag

That’s right, think about it.

Go forth and discover more craziness

Don’t for one moment think that naughty word shenanigans remain the domain of Virgin and PayPal, for from it. In fact all it takes is a casual GitHub search for some everyday words – try fuck shit dickhead – and along with comments I’ve made when trying to get CSS working in Internet Explorer, you’ll find a great many repositories with banned words (approaching 5k at the time of writing). Of course many of those appear in code that remains within the domain of the server without ever seeing the light of day by client script – and that’s a very smart idea!

I’m told Virgin has now moved to keep their bigotry on the server rather than expose it on the client and whilst I can’t test it myself without an account, it makes a lot of sense. It’s now a whole lot hard to discover which kind of homosexual they deem inappropriate or what other Scunthorpian faux pas they may have committed.

As for PayPal though, they’re still loudly and proudly announcing their displeasure of the “wang”, the “schlong” and the “boner”. Bur don’t despair if you want to express your name via their service and you’re a “Johnson” or a “Peter”, just so long as you’re not a “Willy”!

Security Passwords
Tweet Post Update Email RSS

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals