Healthcare.gov

Markbnj · Oct 24, 2013

Ok, so I decided to give this a try to see for myself what the real situation is. Here is a step-by-step account of what I experienced.

1. On navigating to www.healthcare.gov I saw a javascript function name displayed briefly in the top header as the page loaded. That was reassuring.

2. Clicked the "Apply Online" button which started the multi-step process. Nothing really negative to say about the design or the page flow.

3. Added my basic user info and clicked through to the screen where a login password are entered.

4. For the login I entered "Markbnj" and when tabbing off the system presented the following validation message:

"The username is case sensitive. Choose a username that is 6-74 characters long and must contain a lowercase or capital letter, a number, or one of these symbols _.@/-"

Neither my colleague nor myself could decipher exactly how my user name needed to change to satisfy the rule as described, so I added a 1 on the end and that worked.

5. Entered a moderately strong password. The system responded with:

"Your password must contain 8-20 characters. There must be at least 1 upper case letter, 1 lower case letter, and 1 number. It must be different from your last 6 passwords. It can't contain your username or any of these characters = ?<> ( ) " / \ &"

I capitalized the first letter and it was happy.

6. I then proceeded to the security questions. The site was pleasingly specific about what they wanted from me:

"The answers to your security questions must contain letters or numbers and can't be longer than 30 characters. The following special characters are allowed, as long as they follow a letter or number. This means that your answers can't start with one of these characters, apostrophe ('), hyphen (-), spaces, period (.)."

7. For security question three I chose "What is your parents' wedding anniversary date?" I entered "2/6/1960" and the system responded with: that is not a valid date. I picked a different question.

8. After completing and submitting the form I was redirected to a helpfully informative URL:

https://www.healthcare.gov/marketplace/global/en_US/registration#registrationSignUpResults:waiting

I was in fact waiting. After waiting for several minutes, the system responded with:

My colleague and I had a chuckle and I closed the window. About a half hour later I received the following email:

"Your Marketplace account has been created. There is one more step left before you can use your account. Click on this link to verify your email address: https://www.healthcare.gov/marketplace/global/en_US/emailVerification?trackingId=XXXXXXXXX"

Well, this should be fun, so...

9. I clicked on the validation link. The system responded with:

"We're processing your request. This may take a few moments."

I waited approximately 2-4 minutes, and the system responded with:

"Oops. You didn't check your email in time.

You should've gotten an email from the Marketplace with a link, but too much time has passed for that link to work. Re-enter your information now, and we'll send you another email. Check your email soon, and click the link in the email to create your Marketplace account. If you've already verified your email address, you can log in If you've already verified your email address, you can log in here."

At this point I admit to expressing amusement in various forms.

Train · Oct 24, 2013

What was the initial price tag for this site? $620 million?

I need to be making govt software.

Train · Oct 24, 2013

That's a user perspective. I've seen lots of screenshots floating around twitter of people who inspected the HTML and JS source.

It was obviously done by many subcontractors with no effort whatsoever to keep them on the same page. Not to mention they were all pretty amateurish. The JS is uncompressed, full of buggy code with horrifying comments.

Ken g6 · Oct 24, 2013

Markbnj said:
7. For security question three I chose "What is your parents' wedding anniversary date?" I entered "2/6/1960" and the system responded with: that is not a valid date. I picked a different question.

Yes, nobody seems to do date parsing right. Ruby has a gem that does it right, but nobody seems to use it.

Markbnj said:
8. After completing and submitting the form I was redirected to a helpfully informative URL:

I clicked that. It took me to a page that complained about NoScript, and had this text in a <span> prominently displayed:

$ffeUserTool.getFFEUserPrincipal().getFirstName()

And they don't give you 24 hours to respond to an email?! D:

Anyway, I don't have to deal with that site. I have to deal with this site. I've been putting it off, but plan to work on it this weekend.

Edit: And by that I mean signing up; I don't get to fix it or anything.

Train · Oct 24, 2013

Password min of 8 seems ok.

Though for something as sensitive as healthcare info, they should really consider two factor auth. The treasury dept already does this and it's actually a nice system.

Password max of 20 is just dumb. Password maxes should be at least 100

Cogman · Oct 24, 2013

Train said:
Password min of 8 seems ok.

Though for something as sensitive as healthcare info, they should really consider two factor auth. The treasury dept already does this and it's actually a nice system.

Password max of 20 is just dumb. Password maxes should be at least 100

100? Might as well be 1000. Really, the password should be hashed anyways so what does it matter if it is too long? Having a small password size is a horrifying sign, makes me suspect that passwords are stored as plaintext.

The only reason for putting any restriction to the length of a password is to avoid having the system taken down from the hashcode algorithm.

Train · Oct 24, 2013

Cogman said:
100? Might as well be 1000. Really, the password should be hashed anyways so what does it matter if it is too long? Having a small password size is a horrifying sign, makes me suspect that passwords are stored as plaintext.

The only reason for putting any restriction to the length of a password is to avoid having the system taken down from the hashcode algorithm.

Note I said a minimum max. I never said more than 100, or 1000, were too much.

I've read that 24 characters of type-able Unicode is actually all that is required to avoid pigeonholing a 256 hash. But remembering 24 chars of random and difficult to type stuff would be hard unless you use a password manager. Which is why you should allow for correct horse battery staple type pass phrases.

beginner99 · Oct 24, 2013

It can't contain your username or any of these characters = ?<> ( ) " / \ &"

makes you wonder what the reason that is for? looks like to prevent either sql injection stuff and/or XSS...in a dumb way obviously.

Markbnj · Oct 24, 2013

beginner99 said:
makes you wonder what the reason that is for? looks like to prevent either sql injection stuff and/or XSS...in a dumb way obviously.

Especially since ruling out special characters makes it more difficult to get entropy in the password.

Markbnj · Oct 24, 2013

Ken g6 said:
I clicked that. It took me to a page that complained about NoScript, and had this text in a <span> prominently displayed:
Quote:
$ffeUserTool.getFFEUserPrincipal().getFirstName()

That's funny. I clicked it again after a few hours and it still gives me the "Please wait we're processing your crap" message.

Paul98 · Oct 24, 2013

Sounds like it is having major load problems, along with the problems with inadequate testing time especially load testing and code problems with having so many different contractors.

Train · Oct 24, 2013

Obamacare website fixes will meet deadlines, contractors say

ha ha, yeah right.

“The experience will be improved as we go forward, and people will be able to enroll by the Dec. 15 time frame,” Cheryl Campbell, senior vice president for CGI Federal, the company that helped build the government website, told members of the House Energy and Commerce Committee. “We’re seeing improvements day over day.” (People who want their coverage to become effective Jan. 1 must enroll by Dec. 15.)

10 weeks? There's more than 10 weeks of fixes on this thing.

Markbnj · Oct 24, 2013

Train said:
Obamacare website fixes will meet deadlines, contractors say

ha ha, yeah right.

10 weeks? There's more than 10 weeks of fixes on this thing.

You can get a lot done in 10 weeks if you know what the problems are. I can't believe they didn't see this stuff in testing, so they must have a pretty good idea of what is screwed up.

Train · Oct 24, 2013

Markbnj said:
You can get a lot done in 10 weeks if you know what the problems are. I can't believe they didn't see this stuff in testing, so they must have a pretty good idea of what is screwed up.

A good team can rock some amazing stuff out in 10 weeks. Any of the teams that made this site... I don't think so.

And even if you replaced all the contractors with an all star team, they are starting fresh, with a government-esque set of req's.

If I were a betting man, I would either predict they blow right past this deadline, or do some serious feature pruning to make a deadline release feasible.

Markbnj · Oct 24, 2013

Train said:
A good team can rock some amazing stuff out in 10 weeks. Any of the teams that made this site... I don't think so.

And even if you replaced all the contractors with an all star team, they are starting fresh, with a government-esque set of req's.

If I were a betting man, I would either predict they blow right past this deadline, or do some serious feature pruning to make a deadline release feasible.

Yeah, all true. And when Obama mentioned a "tech surge" to fix the issues I wanted to throw a copy of "Mythical Man Month" at the screen.

uclabachelor · Oct 24, 2013

Markbnj said:
Ok, so I decided to give this a try to see for myself what the real situation is. Here is a step-by-step account of what I experienced.

1. On navigating to www.healthcare.gov I saw a javascript function name displayed briefly in the top header as the page loaded. That was reassuring.

2. Clicked the "Apply Online" button which started the multi-step process. Nothing really negative to say about the design or the page flow.

3. Added my basic user info and clicked through to the screen where a login password are entered.

4. For the login I entered "Markbnj" and when tabbing off the system presented the following validation message:

"The username is case sensitive. Choose a username that is 6-74 characters long and must contain a lowercase or capital letter, a number, or one of these symbols _.@/-"

Neither my colleague nor myself could decipher exactly how my user name needed to change to satisfy the rule as described, so I added a 1 on the end and that worked.

5. Entered a moderately strong password. The system responded with:

"Your password must contain 8-20 characters. There must be at least 1 upper case letter, 1 lower case letter, and 1 number. It must be different from your last 6 passwords. It can't contain your username or any of these characters = ?<> ( ) " / \ &"

I capitalized the first letter and it was happy.

6. I then proceeded to the security questions. The site was pleasingly specific about what they wanted from me:

"The answers to your security questions must contain letters or numbers and can't be longer than 30 characters. The following special characters are allowed, as long as they follow a letter or number. This means that your answers can't start with one of these characters, apostrophe ('), hyphen (-), spaces, period (.)."

7. For security question three I chose "What is your parents' wedding anniversary date?" I entered "2/6/1960" and the system responded with: that is not a valid date. I picked a different question.

8. After completing and submitting the form I was redirected to a helpfully informative URL:

https://www.healthcare.gov/marketplace/global/en_US/registration#registrationSignUpResults:waiting

I was in fact waiting. After waiting for several minutes, the system responded with:

My colleague and I had a chuckle and I closed the window. About a half hour later I received the following email:

"Your Marketplace account has been created. There is one more step left before you can use your account. Click on this link to verify your email address: https://www.healthcare.gov/marketplace/global/en_US/emailVerification?trackingId=XXXXXXXXX"

Well, this should be fun, so...

9. I clicked on the validation link. The system responded with:

"We're processing your request. This may take a few moments."

I waited approximately 2-4 minutes, and the system responded with:

"Oops. You didn't check your email in time.

You should've gotten an email from the Marketplace with a link, but too much time has passed for that link to work. Re-enter your information now, and we'll send you another email. Check your email soon, and click the link in the email to create your Marketplace account. If you've already verified your email address, you can log in If you've already verified your email address, you can log in here."

At this point I admit to expressing amusement in various forms.

If you think that's bad, wait until you see what gets loaded on the login form. Piles upon piles of javascript, css, and other WTF files for a seamingly straightforward signup form.

Although the password restriction on those characters does make the back end seem more vulnerable to getting hacked.

Cogman · Oct 24, 2013

So from an article I read (somewhere, I don't know where) They had some pretty crappy requirements right up until the release. For example, it wasn't until september that settled on the idea that they were going to require registration.

That said, for something like this contract work is simply the wrong way to approach this. This website is always going to have a good amount of traffic and anything short of a dedicated team of programmers is the wrong solution.

Fallen Kell · Oct 24, 2013

Markbnj said:
4. For the login I entered "Markbnj" and when tabbing off the system presented the following validation message:

"The username is case sensitive. Choose a username that is 6-74 characters long and must contain a lowercase or capital letter, a number, or one of these symbols _.@/-"

Neither my colleague nor myself could decipher exactly how my user name needed to change to satisfy the rule as described, so I added a 1 on the end and that worked.

Someone must not be accustomed to reading lawyer's instructive English. Your username fails because it did not contain either a number or one of the symbols mentioned. You need to do parsing of the rule which makes it more obvious:

Choose a username:
(1) that is 6-74 characters long
(2) and must contain:
(2A) a lowercase or capital letter,
(2B) a number, or one of these symbols _.@/-

Markbnj said:
7. For security question three I chose "What is your parents' wedding anniversary date?" I entered "2/6/1960" and the system responded with: that is not a valid date. I picked a different question.

It probably required 2-digit month and day, it expected "-"'s instead of "/"'s, no separating marks at all, or expected YYYYMMDD format. Or worse, the programmers used an input validation date function based on EPOCH, not realizing that time existed before 1/1/1970 GMT. This is UI and Date programming 101 that they should have stated the format in either the question or in the instructions.

Markbnj said:
"Your Marketplace account has been created. There is one more step left before you can use your account. Click on this link to verify your email address: https://www.healthcare.gov/marketplace/global/en_US/emailVerification?trackingId=XXXXXXXXX"

Well, this should be fun, so...

9. I clicked on the validation link. The system responded with:

"We're processing your request. This may take a few moments."

I waited approximately 2-4 minutes, and the system responded with:

"Oops. You didn't check your email in time.

You should've gotten an email from the Marketplace with a link, but too much time has passed for that link to work. Re-enter your information now, and we'll send you another email. Check your email soon, and click the link in the email to create your Marketplace account. If you've already verified your email address, you can log in If you've already verified your email address, you can log in here."

At this point I admit to expressing amusement in various forms.

Yeah that is just completely broken. So many piss poor programming/design mistakes that people out of high school would have made in that system, but not someone who has had ANY kind of web development would have made.

Red Squirrel · Oct 24, 2013

This is to be expected from a CGI product. All the stuff at my work is also coded by CGI (the Canadian division) and there's always problems and they don't really care about fixing them since they already made their money.

That site is probably also going to be going down for 16 hours every Saturday for maintenance, just like our ticket system does.

I find it hilarious that they used CGI. I guess at least they outsourced to Canada and not India, but even India would do a better job than CGI. Really for something that is public though they should really do it in house. ex: Hire US citizens. I'm saying that, and I'm Canadian.

EagleKeeper · Oct 24, 2013

CGI was probably the low bidder. No gov person has the need to cross check references/prev projects.

Listing a gov entity is enough to qualify.

Markbnj · Oct 24, 2013

Fallen Kell said:
Someone must not be accustomed to reading lawyer's instructive English. Your username fails because it did not contain either a number or one of the symbols mentioned. You need to do parsing of the rule which makes it more obvious:

Choose a username:
(1) that is 6-74 characters long
(2) and must contain:
(2A) a lowercase or capital letter,
(2B) a number, or one of these symbols _.@/-

I'm actually painfully familiar with it, and agree that is the correct parsing. I am sure the unwashed masses will also have no problem figuring it out.

Fallen Kell · Oct 25, 2013

Yeah, but as someone already said, this is what you get for picking the lowest bidder to win a contract. I wish someone would grow some balls and actually say that in the current hearings going on down in Congress. Some of the Senators/Representatives were spouting things like you don't see Amazon crashing on Black Friday. I want to slap them across the face and say Amazon didn't hire the least expensive programers they could find, but instead hired some of the MOST expensive.

Train · Oct 25, 2013

Fallen Kell said:
Yeah, but as someone already said, this is what you get for picking the lowest bidder to win a contract. I wish someone would grow some balls and actually say that in the current hearings going on down in Congress. Some of the Senators/Representatives were spouting things like you don't see Amazon crashing on Black Friday. I want to slap them across the face and say Amazon didn't hire the least expensive programers they could find, but instead hired some of the MOST expensive.

Are we certain this was a lowest bidder kind of deal? I don't want to make those kind of assumptions until we know that was the case.

The way govt works these days, it's probably more likely they just went with a company that had a Senator in their back pocket.

Crusty · Oct 25, 2013

This yahoo article provides some good background info on why the site sucks so much. No surprise that Oracle is in the middle of it all.

Markbnj · Oct 25, 2013

Crusty said:
This yahoo article provides some good background info on why the site sucks so much. No surprise that Oracle is in the middle of it all.

Ha, a bunch of federal contractors and subcontractors, Oracle, and Experian. What could go wrong?

Healthcare.gov

Elite Member <br>Moderator Emeritus

Lifer

Lifer

Programming Moderator, Elite Member

Lifer

Lifer

Lifer

Diamond Member

Elite Member <br>Moderator Emeritus

Elite Member <br>Moderator Emeritus

Diamond Member

Lifer

Elite Member <br>Moderator Emeritus

Lifer

Elite Member <br>Moderator Emeritus

Senior member

Lifer

Diamond Member

No Lifer

Discussion Club Moderator<br>Elite Member

Elite Member <br>Moderator Emeritus

Diamond Member

Lifer

Lifer

Elite Member <br>Moderator Emeritus