• thanks_shakey_snake
    1092·
    9 months ago

    If they just showed the password rules on the login page, this would happen 80% less often to me.

    • sonnenzeit@feddit.de
      251·
      9 months ago

      It’s so annoying to have to discover the rules one rejected attempt at a time. Worse yet: sometimes you just get vague feedback a la “password contains illegal characters”. I usually let KeePassXC generate a safe password for me but in that case I then have to manually permutate the different character classes (numbers, letters, spaces, punctuation, etc) until I find the offender. No good.

      • stankmut@lemmy.worldEnglish
        28·
        9 months ago

        Password must contain an uppercase letter.
        Password must contain a special character.
        Not that one.
        Not that one either.
        Nearly had it there! Too bad you only get 5 attempts. Account locked.

    • bradmont
      193·
      9 months ago

      If they just showed the password on the login page, this would happen 100% less often to me.

      • Cethin@lemmy.zipEnglish
        6·
        9 months ago

        Use a password manager. The fact you use the same password on every site is very disturbing.

        KeepassXC (KeepassDX on android, I don’t know what I apple option is) is a good free open source option.

        • LifeInOregon@lemmy.world
          5·
          9 months ago

          iOS and macOS have a built in password generator and storage system that are encrypted. It also works with passkeys. Surprisingly, there are people (even people I’ve explained this to) who don’t use it and continue to use a single password everywhere. ¯\_(ツ)_/¯

          • Cethin@lemmy.zipEnglish
            11·
            9 months ago

            Just use a password manager. It’s super easy to get started with it and you’ll only need to know one password, so make it a very good one. I’m certain yours could be brute forced, especially since I know it’s now Lemmy with a “.” somewhere, probably using words so throw a dictionary attack at it and it’s probably easy.

          • Cethin@lemmy.zipEnglish
            2·
            9 months ago

            I haven’t used Bitwarden so I don’t know. It’s totally free though and stored locally. The only issue with this approach (which is much more secure) is there’s no built in syncing between devices. It’s fairly easy to do with Synchthing though so it’s not an issue.

            It can do everything you want a password manager can do. You can generate passwords, have notes and add other fields to entries (so you can store things like security question answers in it too, which you should generate a password for not answer with a real answer). It can connect to your browser with plug-ins for autofill/auto-generate. It has folders for grouping entries. Basically, there’s no feature I can think of that would be useful that it doesn’t have.

            • psud@lemmy.world
              3·
              9 months ago

              You can store it in the cloud, for example on a Google drive. Desktop KeePass has an extension that lets it use cloud storage, KeePass2Android either has cloud built in our can access Google drive via Android systems

              • Cethin@lemmy.zipEnglish
                2·
                9 months ago

                You can, but it isn’t the default. You have total control over the database is the point. You can do whatever you want with it from there.

                • psud@lemmy.world
                  3·
                  9 months ago

                  Yep, I just thought it good to call or specifically that it works in the cloud as many users want that

        • psud@lemmy.world
          1·
          9 months ago

          It’s a shame KeePass doesn’t have a setting to generate an IBM mainframe password. Those rules are hard to implement in the standard set of settings

      • psud@lemmy.world
        1·
        9 months ago

        I like $ and # as chars to put as the mandatory special when the requirements are hard to find

    • psud@lemmy.world
      9·
      9 months ago

      That’s number 1 in how to tell the organisation has really bad password management

      Number 2 is getting an email:

      Welcome to shittyTech

      Your account is successfully created with name “psud”, password "T<©“9_Pt#sbw«:r_R }$° Z-”

      *Edited to have a password like a sensible modern user would let their password manager set, instead of the XKCD one

    • frezik@midwest.social
      28·
      9 months ago

      I swear I’ve had this happen even with password managers, where there’s no way it’s being typed incorrectly. Some possibilities:

      • They’re truncating on one form but not the other
      • They’re being case insensitive on one but not the other
      • They’re otherwise filtering certain characters on one but not the other

      None of which bode well for that company’s password handling security.

      • psud@lemmy.world
        10·
        9 months ago

        My electric and gas utility truncates passwords, but lets you type hundreds of chars when setting a new password

        To log in, you need to intuit how much of your password they’re using, if you enter too many chars it fails like in the op image

          • psud@lemmy.world
            9·
            9 months ago

            Step 1: create a 20 character password, store it in your password manager

            Step 2: the account creation process keeps the first 16 characters

            Step 3: attempt to log in with the 20 character password, fail.

            I found the 16 character maximum in the password rules in their FAQ, so tried the first 16 chars of my password and it worked, so the above must be how it worked

            • Swarfega@lemm.eeEnglish
              4·
              9 months ago

              The text boxes shouldn’t have a character limit on them for this very reason. If they need to configure a limit they should allow the form to be submitted but return an error telling it’s too many characters. Truncating the user’s input is really bad for the exact reason you mention.

              There’s a lot of sites with bad ways of handling credentials. I really hate sites that stop you from pasting in passwords.

              • psud@lemmy.world
                2·
                9 months ago

                My bank used to block pasting, so I used a browser extension version of KeePass to auto type

                Luckily they changed that policy when password managers became the main recommended method of handling passwords

                So I no longer know my bank password, I saw it once when I accepted what KeePass generated

                • Swarfega@lemm.eeEnglish
                  1·
                  9 months ago

                  KeePass Auto-type is an amazing feature. One that many KeePass users also don’t seem to know about!

      • blind3rdeye@lemm.ee
        5·
        9 months ago

        I’ve had that happen a couple of times too. In the most striking example, I was able to log in by typing html escape tags instead of the special characters in the password. … … That’s a very bad sign for the website security for several obvious reasons.

      • dx1@lemmy.world
        5·
        9 months ago

        I hit the truncation thing just yesterday. People seriously have a password input clipped at like 16 characters. A big company too.

      • Pika@sh.itjust.worksEnglish
        2·
        9 months ago

        Walmart’s internal systems used to do this, if you used a special char in your password (such as an % or &) on newer devices you couldn’t log in anymore, only solution was having HR reset your login lol

      • shasta@lemm.ee
        11·
        9 months ago

        None of these possibilities have any effect on their password handling security since all of that is usually handled on the frontend (on your computer).

        • frezik@midwest.social
          11·
          9 months ago

          What? No. No matter where it happens (and it could be on either side, depending on the whims of the programmers), passwords shouldn’t be fiddled with this way. They should be passed through to the password hashing algorithm unchanged. There is no reason to ever fuck with them, and doing so will reduce security.

    • TheGreenGolem@lemm.ee
      21·
      9 months ago

      My company forces me to change the password every 3 months AND I cannot use the last 10. I use a very strong password and this rule is ridiculous. So I just change it 11 times, iterating a number at the end until I can use my last one. Fuck you.

      Also correcthorsebatterystaple.

      • Texas_Hangover@lemm.ee
        91·
        9 months ago

        The more convoluted the Password rules are, the more sticky notes with the monthly password are found.

        • Bytemeister@lemmy.worldΕλληνικά
          4·
          9 months ago

          It also normalizes resetting passwords all the time for IT. Like, the help desk can get social engineered into resetting your password for someone else. Even if you use Self-Service Password management, you’ll still have callers every day who can’t figure out that system.

      • Zoidsberg
        7·
        9 months ago

        You get three whole months? We have to change ours monthly. Everyone has passwords written on our laptops.

        • psud@lemmy.world
          3·
          9 months ago

          Microsoft recommends 3 months. Places that follow MS advice will be on 3 months. A few years ago the above was to change every month

      • Faresh@lemmy.mlEnglish
        3·
        9 months ago

        Couldn’t a password manager generate and remember them for you?

        • greenskye@lemm.eeEnglish
          11·
          9 months ago

          Typically you need your main company password reasonably typeable because you’ll be entering it constantly and often in places that don’t support password autofill.

          Which is also why forcing people to change passwords so often causes more issues than it solves. People just dumb it down until it meets the bare minimum requirements.

          • psud@lemmy.world
            2·
            9 months ago

            Speaking of corporate passwords, a shitty system has the modern windows network support modern passwords, but some important system you need reads the windows network password, but enforces ancient windows password rules, including a length limit of 16 characters

      • GustavoM@lemmy.worldEnglish
        114·
        9 months ago

        I feel your pain. Then again, that is a good way to exercise your brain, getting you some new/fresh braincells.

        Your “future you” will definitely appreciate those “brain workouts”.

  • tillary@sh.itjust.works
    91·
    9 months ago

    This’ll happen if there’s been a suspected data breach with poor password encryption or requirements. Gotta be safe and change the algorithm, breaking everyone’s existing passwords. But yeah, it is annoying…

    • TheLadyAugust@lemmy.world
      19·
      9 months ago

      I wouldn’t have a problem with this if the website just told us there was a breach and we need to change our password. The problem is when they gaslight me about it.

    • psud@lemmy.world
      3·
      9 months ago

      It also happens with the following process:

      1. create a new 20 char password
      2. system truncates your input to 16 chars
      3. try to log in with your 20 char password, fail since it doesn’t match the hash for the 16 char version of it
      4. go to 1 (or follow the op image if you use the same pass)
    • Psythik@lemm.ee
      2·
      9 months ago

      Oh, I thought it had something to do with password hashes, where websites don’t actually know your password, but if the hash is the same, then it assumes that you entered the right PW. At least that’s how my non-technical brain understands how it works.

      • tillary@sh.itjust.works
        1·
        9 months ago

        That’s correct, let’s say a database was breached and the hacker has every user and their password hashes. They can login with [email protected] with password “password123” and see if the generated hash matches any other user’s password hash. If so, they might be able to hack many accounts with the same password or even reverse engineer and decrypt every other password.

        Developers can make the hash more secure by adding arbitrary characters to the password (aka a salt), and this becomes the site’s “authentication algorithm”. But if the hashes are stolen, it may be a matter of time before the algorithm is figured out, which leads to updates, which leads to your pre-existing hash no longer matching.