this post was submitted on 14 Jul 2023
1179 points (92.1% liked)

Technology

59581 readers
4728 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

We've all been there.

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 103 points 1 year ago* (last edited 1 year ago) (16 children)

I too love the Password game! Please save Paul! ~I truly care about him!~ ^Truly!^

(Sorry, I sometimes like to post really bad comments...)

[–] [email protected] 32 points 1 year ago (3 children)

Haha this is great, got to the chess part before giving in

[–] [email protected] 15 points 1 year ago (2 children)

Same. My country was Jordan. Took way too long to figure out, because it dropped me in the middle of an empty amphitheater with no visible road signs, license plates, etc…

[–] [email protected] 11 points 1 year ago (2 children)

I just pasted all the countries and ditched the ones that were wrong.

load more comments (2 replies)
load more comments (1 replies)
load more comments (2 replies)
load more comments (15 replies)
[–] [email protected] 57 points 1 year ago (6 children)

“Sorry, that password is already in use” ruins it for me. That’s not a realistic message to receive.

Maybe “Your password cannot be one you’ve used previously”.

[–] [email protected] 15 points 1 year ago (5 children)

Should be: "your password cannot be one of your last 24 passwords"

load more comments (5 replies)
[–] [email protected] 12 points 1 year ago (1 children)

It follows the vein of some of the password rules and feedback reducing security itself. Like why disallow any characters or set a maximum password length in double digits? If you're storing a hash of the password, the hash function can handle arbitrary length strings filled with arbitrary characters. They run on files, so even null characters need to work. If you do one hash on the client's side and another one on the server, then all the extra computational power needed for a ridiculously long password will be done by the client's computer.

And I bet at least one site has used the error message "that password is already in use by " before someone else in the dev team said, "hang on, what?".

load more comments (1 replies)
load more comments (4 replies)
[–] [email protected] 40 points 1 year ago (9 children)

Fun fact: password controls like this have been obsolete since 2020. Standards that guide password management now focus on password length and external security features (like 2FA and robust password encryption for storage) rather than on individual characters in passwords.

[–] [email protected] 22 points 1 year ago* (last edited 1 year ago)

Since 2017 at least; and IIRC years before that; that's just the earliest NIST publication on the subject I could find with a trivial Web search.

https://pages.nist.gov/800-63-3/sp800-63b.html

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

"Memorized secrets" means classic passwords, i.e. a one-factor authentication through a shared secret presumed to be known to only the right person.

[–] [email protected] 10 points 1 year ago (7 children)

I wouldn’t say obsolete because that implies it’s not really used anymore. Most websites and apps still use validation not too dissimilar from the OP, even if it goes against the latest best practices.

load more comments (7 replies)
load more comments (7 replies)
[–] [email protected] 34 points 1 year ago* (last edited 1 year ago) (5 children)

Sorry, that password is already in use

BIG red flag. Abort. Abort.

Also I love when they only support certain special characters. So the psuedo random noise created by my password generator won't work until I curate out the unsupported characters.

[–] [email protected] 19 points 1 year ago (3 children)

I was changing my password on a pretty big company website the other day.

The password generated by my password manager kept giving me a http error (500 I think)

I generated a new password and deleted all the special characters other than the obvious ones. Boom, worked first time.

So looks like someone is not sanitising their inputs properly.

I sent them an email so hopefully they will fix.

[–] [email protected] 10 points 1 year ago (3 children)

I sent them an email so hopefully they will fix.

One can only hope. But based on my experience, they usually do not. I once sent an email to Microsoft telling them that their Microsoft account app had a vulnerability, and I even sent them the XML line they needed to add to their Android Manifest to fix it, and they wouldn't do it because it required physical access to the device to exploit. I mean, that's fair enough, but it was literally one line of code to plug the hole.

They eventually did add that line about 6 years later.

load more comments (3 replies)
load more comments (2 replies)
load more comments (4 replies)
[–] [email protected] 33 points 1 year ago (2 children)

For those wanting to play this as a game, there is this wonderfully fiendish website.

https://neal.fun/password-game/

Rule 13 Your password must include the current phase of the moon as an emoji.

load more comments (2 replies)
[–] [email protected] 33 points 1 year ago (5 children)

My favorite, though, is:

types in password "Password incorrect" goes to reset password "please enter a new password" types in password "your new password cannot be the same"

load more comments (5 replies)
[–] [email protected] 30 points 1 year ago

My favorite is when you forget your password and try to reset it but it cries that you can't use passwords you already used

Mother fucker if I remembered what I used I wouldn't be doing this

[–] [email protected] 30 points 1 year ago (1 children)

The worst part is that if they know that password is already in use.... then they aren't storing their passwords appropriately.

[–] [email protected] 19 points 1 year ago (1 children)

You could store the passwords as hashes and just compare the hashed value.

[–] [email protected] 31 points 1 year ago (3 children)

yes, but then they are not salted, which is what they should be doing.

[–] [email protected] 18 points 1 year ago

True, but for the same big O they can salt the password for each user and compare it to what they have stored. My big pet peeve (that I've actually seen) is when they say your password is too similar to an old one. I have no idea how that could be reasonably done if they're storing your password correctly.

[–] [email protected] 13 points 1 year ago

But are they peppered?

load more comments (1 replies)
[–] [email protected] 29 points 1 year ago (1 children)

Lol, at this point just generate a password for me to save in my bitwarden.

[–] [email protected] 28 points 1 year ago (12 children)

The worst one is when it only supports up to like 16 characters but doesn't tell you so it will only use the first 16 characters and ignore the rest. The next time you need to enter it and get the 64 character password from your password manager it will just say it incorrect and you're left with no idea on why it's wrong.

load more comments (12 replies)
[–] [email protected] 23 points 1 year ago (8 children)
load more comments (8 replies)
[–] [email protected] 22 points 1 year ago (1 children)

Looks like someone's been playing the password game https://neal.fun/password-game/

[–] [email protected] 12 points 1 year ago

That game made me want to punch.

[–] [email protected] 21 points 1 year ago (1 children)

This is one of the reasons why I am totally dependent on my password manager now.

[–] [email protected] 24 points 1 year ago (1 children)

60 character alphanumeric randomly generated password: sorry, that password is not secure enough, please include a special character

Type "Letmein69!" : perfect, very secure password

Me: 🤨

[–] [email protected] 13 points 1 year ago

Yeah that really bugs me.

Like come one, "Ma5terp!ece" is more secure than "Regain Refinance Clarify Cuddle9"

Maybe in bizaro world.

[–] [email protected] 20 points 1 year ago (3 children)

I've seen this but with a final message of "Sorry, that password is already in use by user [email protected]."

load more comments (3 replies)
[–] [email protected] 18 points 1 year ago (7 children)

Password can't exceed 32 characters

Garbage

load more comments (7 replies)
[–] [email protected] 18 points 1 year ago (3 children)

A password prompt should include all criteria upfront so that you can setup your password manager to generate a fitting password.

Getting the criteria or even just partial after you entered one is fucking atrocious.

load more comments (3 replies)
[–] [email protected] 14 points 1 year ago (2 children)

Sorry, you must have a special character. Oh... Not THAT special character, it has to be a special special character, that one isn't valid. Ah, no, that one's too long. It should be shorter. It needs to be between 11 and 11.5 characters.

Half the time I now just enter random nonsense until it lets me create an account. Then, when I want to access a website/app again, I just 'forget' my password and reset it to some other random nonsense.

load more comments (2 replies)
[–] [email protected] 14 points 1 year ago (2 children)

that password is already in use

lmao, "security" moment

load more comments (2 replies)
[–] [email protected] 12 points 1 year ago* (last edited 1 year ago)

My new favorite is the minimum time between password changes. My last 2 jobs set it to 24 hours, so IT guy gives you the temp password and you can't change it for 24 hours. But wait, when you try to change it the error you get is "doesn't meet your organization's minimum complexity requirements" which does not help AT ALL and the IT guy thinks you're an idiot because you can't figure out the complexity requirements. What a great feature!

[–] [email protected] 11 points 1 year ago (1 children)

And that's when they tell you what you did wrong. Sometimes they'll reject the password without telling you why, because of some rule they didn't list. For example, I set a password in a parking app (Flowbird) which had an unmentioned restriction against spaces and Swedish letters (dispite targeting the Swedish market). Also, it lets you set a fairly long password, but when you try to log in on their webpage they've set maxlength="32" on the password field. So if you have a longer password you have to edit the DOM and remove that attribute to log in.

load more comments (1 replies)
[–] [email protected] 11 points 1 year ago

I lent my spouse's mother our apple ID while theirs was toasted. But of course I had to change it first, since OhFuckMeH@rd3rYouFucks was finally an acceptable password for Apple but not for in-laws.

[–] [email protected] 10 points 1 year ago* (last edited 1 year ago) (5 children)

In what world are passwords unique.

load more comments (5 replies)
[–] [email protected] 10 points 1 year ago

I hate that most places don't remind you what the rules of their passwords are if you've forgotten yours. Odds are I'd be able to correctly guess it if I knew.

[–] [email protected] 10 points 1 year ago (3 children)
load more comments (3 replies)
load more comments
view more: next ›