Just take the string as bytes and hash it ffs

    • CaptPretentious@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      3 months ago

      Yep. Having to have requirements that doesn’t flow with people very well and requiring constant updates, people WILL find shortcuts. In the office, I’ve seen sheets of paper with the password written down, I’ve seen sticky notes, I’ve seen people put them in notepad/word so they could just copy paste.

      This is made worse, because you have to go out of your way for a password manager, which means you need to know what that is. And you need a good one because there has been (and I’m going to generalize here) problems with some password managers in the past. And for work, they have to allow a password manager for that to even be an option. Which you then end up with this security theater.

      • rekabis
        link
        fedilink
        English
        arrow-up
        3
        ·
        3 months ago

        And you need a good one because there has been problems with some password managers in the past.

        coughLastPasscough

        “Problems”. What an delightfully understated term to use.

    • Discover5164@lemm.ee
      link
      fedilink
      English
      arrow-up
      3
      ·
      3 months ago

      the password cannot contains the same sequences of characters as the old password.

      and i have seen this requirement in a service that requires changing it every month for some reasons.

      and this is to manage a government digital identity that allows to log it in all governments websites.

      • PM_me_your_doggo@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        1
        ·
        edit-2
        3 months ago

        the password cannot contains the same sequences of characters as the old password.

        That’s a weird way to say “we store your password in plaintext”

        • blackstrat@lemmy.fwgx.uk
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          1
          ·
          3 months ago

          Not necessarily. Presumably the change password form requires entering the old and new password at the same time. Then they can compare the two as plain text and hash the old password to make sure it matches, then if so, hash the new password and overwrite it. Passwords stored hashed, comparison only during the change process. A theme on this is checking password complexity rules during the login process and advising to update to something more secure. It’s possible because you’re sending the password as plain text (hopefully over a secure connection), so it can be analysed before computing the hash. This even works if the hash is salt and peppered.