Sorry, that password is already in use
BIG red flag. Abort. Abort.
Also I love when they only support certain special characters. So the pseudo random noise created by my password generator won’t work until I curate out the unsupported characters.
So is that maximum length
Funniest thing was when I registered on a website which parsed the \0 sequence and hence truncated the password in the background unbeknownst to me. This way you could circumvent the minimum length and create a one character password.
Once I registered on a website. I used an auto generated password. Next time I tried to log in to the website I was confused that my stored password didn’t work. Requested to change the password, but I used the stored password again. To my surprise, it said the password must be different from the current one.
After a bit back and forth I finally figured it out. Apparently the site had a max length on the password. Any password longer than that is truncated. This truncation wasn’t applied in the login form. Only when creating a password.
I always just refresh the password until I get a random one without the characters they randomly choose to forbid 😂
I was changing my password on a pretty big company website the other day.
The password generated by my password manager kept giving me a http error (500 I think)
I generated a new password and deleted all the special characters other than the obvious ones. Boom, worked first time.
So looks like someone is not sanitising their inputs properly.
I sent them an email so hopefully they will fix.
I sent them an email so hopefully they will fix.
One can only hope. But based on my experience, they usually do not. I once sent an email to Microsoft telling them that their Microsoft account app had a vulnerability, and I even sent them the XML line they needed to add to their Android Manifest to fix it, and they wouldn’t do it because it required physical access to the device to exploit. I mean, that’s fair enough, but it was literally one line of code to plug the hole.
They eventually did add that line about 6 years later.
It boggles sometimes.
I remember around 2015 (?), in the vicinity anyway, PayPal had a 12 character MAXIMUM on their passwords.
PayPal, you know the place where you can literally transfer all the money. A 12 character MAXIMUM
I emailed them to suggest they change this requirement. And they replied saying that 12 characters was sufficient if you used special characters and numbers.
Glad they have finally changed it now.
My bank has an 8 character limit. Not minimum, limit
God that’s horrible
Password1'); DROP TABLE Passwords;--
Robert'); DROP TABLE Students;--
I know the frustration. Fucked up part is that all that crap makes it least secure not more.
Only if you write it down on a piece of paper or save it in your notes. Guaranteeing longer passwords with a variety of different symbols does make the passwords stronger though.
Password1!
It’s surprising how many times I have seen this and variations.
The only one that actually reduces security is the length, as it implies it’s stored as plaintext.
The rest do improve complexity for cracking.
Looks like someone’s been playing the password game https://neal.fun/password-game/
That game made me want to punch.
I too love the Password game! Please save Paul! ~I truly care about him!~ Truly!
(Sorry, I sometimes like to post really bad comments…)
I haven’t known that one yet, hilarious :)
Man, when I played, poor Paul got burnt to a crisp. I’m still having flashbacks from that shock.
My Roman numerals should multiply to equal 35, but then the country I got starts with a C… how do you multiply by fractions in Roman numerals?!
You don’t need capital letters in the country name
Haha this is great, got to the chess part before giving in
Qxh6
I’m starting to want to learn chess after learning about the password game. I need to go get further!
Same. My country was Jordan. Took way too long to figure out, because it dropped me in the middle of an empty amphitheater with no visible road signs, license plates, etc…
When I last played it I got dropped in a place where I had actually visited IRL (Uluru), made that part of the game easy
I just pasted all the countries and ditched the ones that were wrong.
Ah, dictionary based brute force attack. Classic.
Yup. I couldn’t figure out the answer from the network requests (that’s basically how I do the Wordle part of it) so I decided I’ll dump everything in there.
I got stuck on rule 14 where I had to guess the country in Google maps.
Au2WonderfullyshellnIcepigsXXXV!85mayy4n6mfiend🌘
I guess it’s kind of secure. Does the password change daily with the current wordle word?
it does change a lot with every try
if you walk down the path like 20m there’s a sign that tells you where you are
I stopped playing when my whole password caught fire lmao
Thanks. I was only on my phone and didn’t feel like zooming in for that much.
Don’t you have to delete paul to win?
Bruh, it just made me google dork to find out where a random street view was. 10/10 would recommend
Have you been given the egg yet? Don’t forget to feed him!
It was great until that step 20 where some ‘fire’ deleted everything I made. It’s one thing to make you think, it’s a completely different thing to just delete everything and make you start over. Fuck that noise.
Yeah, I just got to the password on fire and survived, but I wanted to move Paul to an edge so he doesn’t get killed if there’s another fire. But apparently cutting/pasting him kills him. :(
Edit: I went back and got to rule 25. Rule 24 was a bitch and a half, but I did it. Then I had to sacrifice letters, and I thought, oh, I can’t use M or D because they are roman numerals for 1000 and 500, so I chose those. It included lowercase as well, and that made some previous rules impossible. In my anger, I may have overreacted, because I intentionally overfed Paul to kill him.
That’s brutal
I gave up at the ‘find a youtube video of an exact length’ step
my laziness limit had been reached
The worst part is that if they know that password is already in use… then they aren’t storing their passwords appropriately.
You could store the passwords as hashes and just compare the hashed value.
Yes, but then they are not salted, which is what they should be doing.
But are they peppered?
True, but for the same big O they can salt the password for each user and compare it to what they have stored. My big pet peeve (that I’ve actually seen) is when they say your password is too similar to an old one. I have no idea how that could be reasonably done if they’re storing your password correctly.
Good call.
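The exchange above (hashes, salts, and whether a site can cheaply tell you a password is "already in use") is easy to see in code. The following is an added example, not code from anyone in the thread: a constructed in-memory user store using PBKDF2-HMAC-SHA256 with a random per-user salt (a low iteration count is assumed purely so the demo runs fast). It shows that with proper salting the only way to answer "is this password used by anyone?" is one KDF evaluation per user, while a site that answers instantly is most likely keeping an unsalted hash or plaintext that every user with that password shares.

```python
import hashlib
import hmac
import os

# PBKDF2 iteration count kept low so the demo runs quickly; a real deployment
# uses a far higher count or a memory-hard KDF such as scrypt or Argon2.
ITERATIONS = 10_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte digest of the password under a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(store: dict, username: str, password: str) -> None:
    """Store (salt, digest) for the user; the salt is fresh and random per user."""
    salt = os.urandom(16)
    store[username] = (salt, hash_password(password, salt))


def verify(store: dict, username: str, password: str) -> bool:
    """Normal login check: one KDF evaluation under this user's own salt."""
    if username not in store:
        return False
    salt, digest = store[username]
    return hmac.compare_digest(digest, hash_password(password, salt))


def password_in_use_salted(store: dict, password: str) -> tuple:
    """Answer 'is this password already used by anyone?' against a salted store.
    There is no shortcut: the candidate must be re-derived under every user's
    salt. Returns (found, number_of_kdf_evaluations) so the cost is visible."""
    evaluations = 0
    for salt, digest in store.values():
        evaluations += 1
        if hmac.compare_digest(digest, hash_password(password, salt)):
            return True, evaluations
    return False, evaluations


def build_unsalted_index(passwords) -> set:
    """What a site that answers instantly is probably doing: one unsalted hash
    (or the plaintext itself) that is identical for every user with that
    password, so a single set lookup suffices. Constructed for contrast."""
    return {hashlib.sha256(p.encode("utf-8")).digest() for p in passwords}


def password_in_use_unsalted(index: set, password: str) -> bool:
    """Constant-time-per-query lookup; only possible because nothing is salted."""
    return hashlib.sha256(password.encode("utf-8")).digest() in index


if __name__ == "__main__":
    # Constructed sample users; passwords chosen for the demo only.
    users = {}
    register(users, "alice", "correct horse battery staple")
    register(users, "bob", "correct horse battery staple")
    register(users, "carol", "Tr0ub4dor&3")
    # Same password, different salts: the stored digests differ.
    print(users["alice"][1] != users["bob"][1])                # True
    print(password_in_use_salted(users, "Tr0ub4dor&3"))        # (True, 3)
    print(password_in_use_salted(users, "not used anywhere"))  # (False, 3)
```

The point of `password_in_use_salted` is the returned evaluation count: the cost grows with the number of users, and each evaluation is a deliberately slow KDF, so a site that flags a duplicate password in milliseconds is almost certainly not storing it this way.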
Lol, at this point just generate a password for me to save in my bitwarden.
Bitwarden has a pseudorandom generated password feature. As does Firefox.
Why aren’t you people using pseudorandomly generated passwords?
Yeah, I switched from LastPass (after one of their many data breaches) to 1Password. I don’t know any of my passwords anymore because they’re all just generated and saved automatically. And that’s a good thing.
Spoken like someone who has never had to deal with corporate ‘security’ before. Password managers are great, but if your workplace has incompetent IT (e.g. probs 90% of workplaces), then you’re SOL and must play the increments game.
Because I want control of my passwords in my head, not some software; it’s not like a string of random characters is any more secure than one that can actually be remembered
Do you remember every single unique passphrase for every single account you have on everything? Because if so, that’s impressive.
Yes because I have an easily remembered system for a unique passphrase for any given site. Not trying to shit on password managers though, just providing a different perspective
Because it’s much more fun to come up with passphrases like Correct Battery Horse Staple.
It’s a lot easier to remember that than #@?Zk23!nPw
You are not supposed to have to remember anything but your master password. :)
I’d rather try and remember than have a single point of failure for all my accounts’ security.
If the passwords are stored offline then I can’t get at them if I’m away from where they’re stored. If they’re stored online they’re not secure.
Some are online, but encrypted, with options to export the passwords in case the service goes down.
“Why should I trust them?”
Well, the software is open source, and regularly audited by people using it. Many password managers, such as Bitwarden (not sponsored, although I’d like to get a sponsorship), use end-to-end encryption to secure the passwords so someone hacking the servers or a rogue employee can’t access anything; it would just look like random noise. You don’t have to know coding, you just have to trust that someone in the world will have the knowledge to inspect the code and report any suspicious code. Just regularly back up the passwords to a local file so you still have them in case they shut down.
Trying to remember passwords made me constantly stressed trying to remember them. A password manager made life much easier. Better than a single point of failure like your brain. One password is much easier to remember, and that one password can be as complex as you want, because that’s the only one you’d have to worry about.
Sincerely,
Someone who’s depressed af and constantly forgets passwords
Encryption can be decrypted. A password manager encrypting your passwords is like saying your car has working brakes. It’s totally unsafe to even consider operating without but it doesn’t say much when it is there.
It’s not a matter of “why should I trust them” but “why should I trust them more than the system that already exists”. I get the appeal, but the hole is big.
If I forget a password I reset it. If I forget my manager’s password can it be reset? Is the reset option, if extant, susceptible to attack?
If an account gets compromised it could have moderate repercussions, but probably minimal depending on the account, with maybe a couple exceptions. If managed passwords get compromised that’s potentially everything. There has not, and likely never will be, an impenetrable system, so it is a possibility if not a concern.
FAIR ENOUGH!
Tacking onto this, because I mix password types too, I don’t want all my passwords in the same (even pseudorandom) style.
Tons of websites reject pseudo randomly generated passwords, too
deleted by creator
That’s inherently blocking pseudo random password generators.
Max length doesn’t bother me if it’s at least 128 characters, but only allowing specific special characters is a sin.
As of last year, Wells Fargo’s passwords were even case insensitive. Dunno if they’ve fixed it since then, but probably not
We allow memes here?
removed by mod
Bad memes, too. This is some fwd: fwd: fwd shit.
Boomer memes
The number of times I’ve gone through that only to have it fail without explanation when I exceed the length limit - forcing me to guess if that must be the issue - is FAR higher than it should be.
And fuck any system that doesn’t provide the criteria up front.
Also fun is when the field to initially set the password is also character limited and you choose a password that’s longer than the field but don’t notice until you’ve set it and get repeated login failures afterward
Yeah that nearly makes me want to smash something when it happens. Anyone that silently truncates passwords should NOT do it, or at least truncate the creation AND login forms. Just say the limit and give an error, or handle extra input the way you’re supposed to in the encryption algorithm and hash it to the correct length. A length limit of say, the amount of bits the encryption key has, like 32/64/128 characters for 256/512/1024 bit, is reasonable, any other limit is stupid.
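The two failure modes this thread keeps coming back to (the \0 truncation that sneaks past a minimum-length check, and a maximum length enforced on the registration form but not on login) and the fix proposed just above (state the limit, give an error, apply the same rule on both forms) can be put side by side in code. This is an added example, not code from anyone in the thread or from any real site: the store, the 72-byte limit (borrowed from bcrypt's documented input limit purely as a policy number), the 8-character minimum and the low PBKDF2 iteration count are all assumptions made for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

MAX_BYTES = 72   # assumed policy limit (bcrypt's documented limit, used here only as a number)
MIN_CHARS = 8    # assumed minimum length


def kdf(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; iteration count kept low for the demo only."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


# --- The buggy behaviour the thread describes ---------------------------------

def buggy_effective_password(password: str) -> str:
    """Registration silently cuts the input at the first NUL and at MAX_BYTES."""
    return password.split("\0", 1)[0][:MAX_BYTES]


def buggy_register(store: dict, username: str, password: str) -> None:
    # The minimum-length check runs on the raw input, before truncation...
    if len(password) < MIN_CHARS:
        raise ValueError("too short")
    salt = os.urandom(16)
    # ...but what is actually hashed and stored is the truncated string.
    store[username] = (salt, kdf(buggy_effective_password(password), salt))


def buggy_login(store: dict, username: str, password: str) -> bool:
    # Login hashes the raw input with no truncation at all, so a password that
    # was cut at registration can never be typed back in successfully.
    salt, digest = store[username]
    return hmac.compare_digest(digest, kdf(password, salt))


# --- One consistent fix: validate once, reject loudly, never truncate ----------

def policy_error(password: str) -> Optional[str]:
    """Return the reason a password is rejected, or None if it is acceptable.
    The same rule is applied at registration and at login, so the two forms
    can never disagree about which bytes count."""
    if "\0" in password:
        return "password must not contain NUL characters"
    if len(password) < MIN_CHARS:
        return f"password must be at least {MIN_CHARS} characters"
    if len(password.encode("utf-8")) > MAX_BYTES:
        return f"password must be at most {MAX_BYTES} bytes"
    return None


def safe_register(store: dict, username: str, password: str) -> None:
    reason = policy_error(password)
    if reason is not None:
        raise ValueError(reason)          # tell the user the limit instead of truncating
    salt = os.urandom(16)
    store[username] = (salt, kdf(password, salt))


def safe_login(store: dict, username: str, password: str) -> bool:
    # Anything the policy rejects could never have been stored, so it cannot match.
    if policy_error(password) is not None or username not in store:
        return False
    salt, digest = store[username]
    return hmac.compare_digest(digest, kdf(password, salt))


if __name__ == "__main__":
    store = {}
    buggy_register(store, "u1", "x" * 80)          # silently stored as 72 x's
    print(buggy_login(store, "u1", "x" * 80))      # False: the manager's copy no longer works
    buggy_register(store, "u2", "a\0bbbbbbbbbb")   # passes the 12-char minimum...
    print(buggy_login(store, "u2", "a"))           # True: ...but the real password is "a"
    print(policy_error("x" * 80))                  # the limit is stated instead of hidden
```

`buggy_login(store, "u2", "a")` returning True is the one-character-password case from earlier in the thread: the length check saw twelve characters, the hash saw one. The hardened path never needs to decide what to do with over-long or NUL-bearing input because it refuses to accept it in the first place, and `safe_login` applies the identical rule so there is no second code path to drift.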
YES, I have hit this too!
That password is already in use by user ‘gigachad’.
This is one of the reasons why I am totally dependent on my password manager now.
60 character alphanumeric randomly generated password: sorry, that password is not secure enough, please include a special character
Type “Letmein69!” : perfect, very secure password
Me: 🤨
Yeah that really bugs me.
Like come on, “Ma5terp!ece” is more secure than “Regain Refinance Clarify Cuddle9”
Maybe in bizarro world.
My favorite is when you forget your password and try to reset it but it cries that you can’t use passwords you already used
Mother fucker if I remembered what I used I wouldn’t be doing this
I hate that most places don’t remind you what the rules of their passwords are if you’ve forgotten yours. Odds are I’d be able to correctly guess it if I knew.
Are there any actual services that check if the password is already in use?
I’ve heard that some really obscure website even told you who used that exact password, because the CEO of the company owning said website complained for not having it, then the IT company who made the website had to add it. (If you ask: it was some Hungarian-owned website, and not space Karen’s 1000IQ idea)
There are definitely services that fuss if you use a password you’ve used before.
-Try to log in, password incorrect.
-Try to log in, password incorrect.
-Try to log in, password incorrect.
-Weird, ok reset password.
-“Enter new password.” Enter the password I’ve been typing the whole time. “Sorry, you can’t use your old password.”
-DAMMIT!
I’m pretty convinced this happens because their password validation isn’t responding quickly enough and it defaults to “password incorrect.”
HorseBatteryStaple
correct
Sorry, you must have a special character. Oh... Not THAT special character, it has to be a special special character, that one isn't valid. Ah, no, that one's too long. It should be shorter. It needs to be between 11 and 11.5 characters.
Half the time I now just enter random nonsense until it lets me create an account. Then, when I want to access a website/app again, I just ‘forget’ my password and reset it to some other random nonsense.
They could cut steps and just ask for the email and send the link with an access token that will authenticate the user directly.
I click Bitwarden’s generate password button and I’m done. Also the password is automatically saved.
Recommend it :)