this post was submitted on 14 Jul 2023
1179 points (92.1% liked)

Technology

59197 readers
3083 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

We've all been there.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 57 points 1 year ago (4 children)

“Sorry, that password is already in use” ruins it for me. That’s not a realistic message to receive.

Maybe “Your password cannot be one you’ve used previously”.

[–] [email protected] 15 points 1 year ago (3 children)

Should be: "your password cannot be one of your last 24 passwords"

[–] [email protected] 6 points 1 year ago

Yeah, this is important. Make it a really big number too so that I have to change my password lots of times in a row in order to put it back to what it was. ;)

[–] [email protected] 5 points 1 year ago (1 children)

Especially for those places that want your password changed every two weeks.

[–] [email protected] 4 points 1 year ago (1 children)

If they want to play that game - the calendar date becomes part of the password. It's never the same, but you can always work it out!

[–] [email protected] 2 points 1 year ago

Or just append a letter that increments every time you change your password, and keep a note of what the current letter is.

Passworda
Passwordb
Passwordc
...

When your z password expires, just wrap back around to a.

[–] [email protected] 1 points 1 year ago

At my work they wanted better security, and made the rule of minimum 12 characters, must include all sorts of numbers, special characters, etc, no previously used password and it must be changed every month, 3 attempts then the account is locked and you have to call IT.

The result was that people wrote their passwords on post-its on the screen, so it led to worse security overall and they had ro relax the rules.

[–] [email protected] 12 points 1 year ago (1 children)

It follows the vein of some of the password rules and feedback reducing security itself. Like why disallow any characters or set a maximum password length in double digits? If you're storing a hash of the password, the hash function can handle arbitrary length strings filled with arbitrary characters. They run on files, so even null characters need to work. If you do one hash on the client's side and another one on the server, then all the extra computational power needed for a ridiculously long password will be done by the client's computer.

And I bet at least one site has used the error message "that password is already in use by " before someone else in the dev team said, "hang on, what?".

[–] [email protected] 6 points 1 year ago

It's true, most of these rules are harmful, but also most are in common use and accepted, for some reason. I have heard of a password system that had that warning, perhaps even the account, but it was in a softwaregore screenshot context.

[–] [email protected] 3 points 1 year ago (1 children)
[–] [email protected] 7 points 1 year ago (1 children)
[–] [email protected] 1 points 1 year ago

Now we are talking :)

[–] [email protected] 2 points 1 year ago

It shouldn't be.

But it is.