One week ago, I went to a branch office of Servicio de Administración Tributaria, the government office in charge of processing taxes. This year, I plan on doing something quite bold, as my Mexican friends will acknowledge: I will prepare my (quite simple, I hope) tax declaration by myself. I do not want to be held hostage by the accountant guild - so I might end up doing some fuckup which in the end costs me money or time. I hope it is not the case.
Anyway... Last week I went to this office, as I needed either a CIECF (Clave de Identificación Electrónica Confidencial Fortalecida - Strengthened Confidential Electronic Identification Key) or a FIEL (Firma Electrónica Avanzada - Advanced Electronic Signature). No, please don't believe it is a security token, a card with printed numbers, a one-time-pad or the sort - The CIECF is... A password. Why is it strengthened? Because it has the feature of including a question, in case you forget the key, to allow you to change it. I guess the FIEL is a more reliable device, but I prefer not to even request it.
And as far as the questions go, the emergency questions for CIECF suck. First, I was not even asked the meta-question - I was not told why this information was needed. So imagine the clerk saying: Full name? ... Date of birth? ... RFC (Tax ID)? ... Favorite color? I was there just... Stunned. Why do you need it? Oh, just in case you forget your password. Ok... Don't you have any other questions, ones that I am not likely to answer differently next time, and that are not dead obvious to a casual passer-by? (I guess that at least 1/4 of the public will say blue. Feel like brute-forcing SAT to its knees?) Other questions include your father's second family name, your favorite soccer team, your pet's name... It seems they took the first "security dos and don'ts" book off the wall, and started reading backwards.
But anyway, that's the system, and I must play nice with it. So I get back home, and decide to start hacking up my declaration. No, Mr. Policeman, I'm not saying I would try to break into the SAT - I just say it is a complex and non-obvious task to do. Now please release me. Thanks.
And I enter the system. Of course, I tried first with Iceweasel, knowing it would fail (it is documented: MSIE 5.5 recommended). I tried again with Konqueror. I tried, sigh, with MSIE from inside Wine. No luck. Well, even from within qemu's Windows 2000. Wrong password. WTF?! Stranger: It worked with SAT's My portal, although it didn't with the declaration, which is what matters now.
I cannot take the time every day to come to the SAT and move my data - It was a full week until I came back again. I insisted on fully logging in to the system, to be sure the password I entered this time was right. As well as my über-secret safety question, of course.
And it failed.
Until the clerk noticed something strange in the way I typed...
Sir, excuse me..., he muttered, why are you typing such a long password? Well, basically because I value my tax declaration, and I know brute force is a powerful force. (Explained, of course, in simple terms.) Oh... No, the password must be eight characters long.
So I entered the first eight characters of my password, which was a true work of prose for their standards, at around 20 characters. And it worked.
Now, for bonus points: What do we gather from the fact that the long password works fine in one system, but in another system only the short version does? Why, but of course! I guess the passwords for every economically active Mexican are stored in their master database in plain text. Isn't it just beautiful?
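To make the inference above concrete, here is an added model (not part of the original post, and not SAT's code) of the two observed front ends sharing one credential row, once backed by the password itself and once by a salted PBKDF2 hash of the full password; the password, the 8-character field width and both checks are constructed assumptions. The `consistent()` function asks which design reproduces exactly what the author saw: full password accepted at the portal, rejected at the declaration form, and only its first eight characters accepted there.

```python
import hashlib
import hmac
import os

PASSWORD = "correct-horse-battery-s"  # constructed ~20-char secret, standing in for the author's
WIDTH = 8                             # fixed field width the clerk described (assumed)

def pbkdf2(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class PlaintextStore:
    """Shared row holding the password itself."""
    def __init__(self, pw: str):
        self.pw = pw
    def portal_ok(self, attempt: str) -> bool:       # system A: compares the whole string
        return hmac.compare_digest(self.pw, attempt)
    def declaration_ok(self, attempt: str) -> bool:  # system B: legacy 8-character field
        return len(attempt) == WIDTH and hmac.compare_digest(self.pw[:WIDTH], attempt)

class HashedStore:
    """Shared row holding only salt + PBKDF2 of the full password."""
    def __init__(self, pw: str):
        self.salt = os.urandom(16)
        self.digest = pbkdf2(pw, self.salt)
    def portal_ok(self, attempt: str) -> bool:
        return hmac.compare_digest(self.digest, pbkdf2(attempt, self.salt))
    def declaration_ok(self, attempt: str) -> bool:
        # Nothing in the row lets this system verify an 8-char prefix, so it can
        # only run the same full-string check as the portal.
        return self.portal_ok(attempt)

def outcomes(store) -> dict:
    full, prefix = PASSWORD, PASSWORD[:WIDTH]
    return {
        "portal_full": store.portal_ok(full),
        "portal_prefix": store.portal_ok(prefix),
        "declaration_full": store.declaration_ok(full),
        "declaration_prefix": store.declaration_ok(prefix),
    }

# What the post reports: long password works at the portal, only the prefix at the form.
OBSERVED = {"portal_full": True, "declaration_full": False, "declaration_prefix": True}

def consistent(store) -> bool:
    """True if this storage design reproduces every observed outcome."""
    o = outcomes(store)
    return all(o[k] == v for k, v in OBSERVED.items())

if __name__ == "__main__":
    for s in (PlaintextStore(PASSWORD), HashedStore(PASSWORD)):
        print(type(s).__name__, consistent(s), outcomes(s))
```

A row holding a hash of only the first eight characters, with the portal truncating before hashing, would reproduce the same pattern, so the observation narrows the design to "the prefix is recoverable from the shared store" rather than proving plaintext outright; a defender auditing such a system should test both the exact password and a longer string with the same prefix against every front end.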
Anyway, it seems I have a lot of work to do. If all goes as planned, maybe next year I will be for hire as a public accountant? Hmh, does not sound too much like fun, does it?