I too love the Password game! Please save Paul!
~I truly care about him!~ ^Truly!^
(Sorry, I sometimes like to post really bad comments...)
Haha this is great, got to the chess part before giving in
Same. My country was Jordan. Took way too long to figure out, because it dropped me in the middle of an empty amphitheater with no visible road signs, license plates, etc…
I just pasted all the countries and ditched the ones that were wrong.
Ah, dictionary based brute force attack. Classic.
Yup. I couldn’t figure out the answer from the network requests (that’s basically how I do the Wordle part of it) so I decided I’ll dump everything in there.
When I last played it I got dropped in a place where I had actually visited IRL (Uluru), made that part of the game easy
Qxh6
I'm starting to want to learn chess after learning about the password game. I need to go get further!
Bruh, it just made me google dork to find out where a random street view was. 10/10 would recommend
Have you been given the egg yet? Don't forget to feed him!
My Roman numerals should multiple to equal 35, but then the county I got starts with a C… how do you multiply by fractions in Roman numerals?!
You don't need capital letters in the country name
I gave up at the 'find a youtube video of an exact length' step
my laziness limit had been reached
It was great until that step 20 where some 'fire' deleted everything I made. It's one thing to make you think, it's a completely different thing to just delete everything and make you start over. Fuck that noise.
Yeah, I just got to the password on fire and survived, but I wanted to move Paul to an edge so he doesn't get killed if there's another fire. But apparently cutting/pasting him kills him. :(
Edit: I went back and got to rule 25. Rule 24 was a bitch and a half, but I did it. Then I had to sacrifice letters, and I thought, oh, I can't use M or D because they are roman numerals for 1000 and 500, so I chose those. It included lowercase as well, and that made some previous rules impossible. In my anger, I may have overreacted, because I intentionally overfed Paul to kill him.
That’s brutal
Don't you have to delete paul to win?
Man, when I played, poor Paul got burnt to a crisp. I'm still having flashbacks from that shock.
I haven't known that one yet, hilarious :)
I got stuck on rule 14 where I had to guess the country in Google maps.
Au2WonderfullyshellnIcepigsXXXV!85mayy4n6mfiend🌘
I guess it's kind of secure. Does the password change daily with the current wordle word?
if you walk down the path like 20m there's a sign that tells you where you are
I stopped playing when my whole password caught fire lmao
Thanks.
I was only on my phone and didn't feel like zooming in for that much.
“Sorry, that password is already in use” ruins it for me. That’s not a realistic message to receive.
Maybe “Your password cannot be one you’ve used previously”.
Should be: "your password cannot be one of your last 24 passwords"
Yeah, this is important. Make it a really big number too so that I have to change my password lots of times in a row in order to put it back to what it was. ;)
Especially for those places that want your password changed every two weeks.
If they want to play that game - the calendar date becomes part of the password. It's never the same, but you can always work it out!
Or just append a letter that increments every time you change your password, and keep a note of what the current letter is.
Passworda
Passwordb
Passwordc
...
When your z password expires, just wrap back around to a.
At my work they wanted better security, and made the rule of minimum 12 characters, must include all sorts of numbers, special characters, etc, no previously used password and it must be changed every month, 3 attempts then the account is locked and you have to call IT.
The result was that people wrote their passwords on post-its on the screen, so it led to worse security overall and they had ro relax the rules.
It follows the vein of some of the password rules and feedback reducing security itself. Like why disallow any characters or set a maximum password length in double digits? If you're storing a hash of the password, the hash function can handle arbitrary length strings filled with arbitrary characters. They run on files, so even null characters need to work. If you do one hash on the client's side and another one on the server, then all the extra computational power needed for a ridiculously long password will be done by the client's computer.
And I bet at least one site has used the error message "that password is already in use by <account>" before someone else in the dev team said, "hang on, what?".
It's true, most of these rules are harmful, but also most are in common use and accepted, for some reason. I have heard of a password system that had that warning, perhaps even the account, but it was in a softwaregore screenshot context.
Should say by who. :)
Now we are talking :)
It shouldn't be.
But it is.
Fun fact: password controls like this have been obsolete since 2020. Standards that guide password management now focus on password length and external security features (like 2FA and robust password encryption for storage) rather than on individual characters in passwords.
Since 2017 at least; and IIRC years before that; that's just the earliest NIST publication on the subject I could find with a trivial Web search.
Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
"Memorized secrets" means classic passwords, i.e. a one-factor authentication through a shared secret presumed to be known to only the right person.
I wouldn’t say obsolete because that implies it’s not really used anymore. Most websites and apps still use validation not too dissimilar from the OP, even if it goes against the latest best practices.
Yeah, the most recent one for me was creating a password at lemmy.world
I wouldn’t say obsolete because that implies it’s not really used anymore.
I'm not sure where you heard someone use the word "obsolete" that way, but I assure you that there are thousands if not millions of examples of obsolete technologies in constant and everyday use.
For today's 10,000 who have never seen it, https://xkcd.com/936/ succinctly explains why the whole mixed character types thing isn't favoured.
I'm still waiting on an XKCD that references #936 with the fact that we soon as we have reliable, functional quantum computing, all of the passwords from before that point in time will be completely and utterly broken. That the only way to make a password that a quantum computer would have a tough time breaking is if it was made by another quantum computer. Unless of course the comic has already been made and I just missed it, which is a complete possibility because this year for me has been utterly crap.
Some of them are broken by quantum computers, but not all of them. For example, SHA256. You can use Grover's algorithm to take sqrt(n) steps to check n possible passwords, which on the one hand means it can be billions of times faster, but on the other hand, you just need to double the length of the password to get the same security vs quantum computers. Also, this is the first I've heard of a hash that uses a quantum computer. Do you have a source? Hashes need to be deterministic, and quantum computers aren't, so that doesn't seem like it would work very well.
Maybe you're getting mixed up with using quantum encryption to get around quantum computers breaking common encryption algorithms?
Except you can run a dictionary attack on that and suddenly it's only 4 variables that are cracked way faster than the first password.
Except you can run a dictionary attack on that and suddenly it's only 4 variables that are cracked way faster than the first password.
People should be made aware of all the tools available to properly manage tons of passwords. Not even going too deep into "passkey" stuff or any modern shenanigans, but a password manager used to generate random passwords for each separate sites is such a simple step.
Yeah! And nowadays the industry is pushing towards password less authentication. Github just started rolling it out to beta users
Sorry, that password is already in use
BIG red flag. Abort. Abort.
Also I love when they only support certain special characters. So the psuedo random noise created by my password generator won't work until I curate out the unsupported characters.
I was changing my password on a pretty big company website the other day.
The password generated by my password manager kept giving me a http error (500 I think)
I generated a new password and deleted all the special characters other than the obvious ones. Boom, worked first time.
So looks like someone is not sanitising their inputs properly.
I sent them an email so hopefully they will fix.
I sent them an email so hopefully they will fix.
One can only hope. But based on my experience, they usually do not. I once sent an email to Microsoft telling them that their Microsoft account app had a vulnerability, and I even sent them the XML line they needed to add to their Android Manifest to fix it, and they wouldn't do it because it required physical access to the device to exploit. I mean, that's fair enough, but it was literally one line of code to plug the hole.
They eventually did add that line about 6 years later.
It boggles sometimes.
I remember about 2015 (?) In the vicinity anyway, PayPal has a 12 character MAXIMUM on their passwords.
PayPal, you know the place where you can literally transfer all the money. A 12 character MAXIMUM
I emailed them to suggest they change this requirement. And they replied saying that 12 characters was sufficient if you used special characters and numbers.
Glad they have finally changed it now.
My bank has an 8 character limit. Not minimum, limit
Funniest thing was when I registered on a website which parsed the \0 sequence and hence truncated the password in the background unbeknownst to me. This way you could circumvent the minimum length and creare a one character password.
Once I registered on a website. I used an auto generated password. Next time I tried to log in to the website I was confused that my stored password didn’t work. Requested to change the password, but I used the stored password again. To my surprise, it said the password must be different from the current one.
After a bit back and forth I finally figured it out. Apparently the site had a max length on the password. Any password longer than that is truncated. This truncation wasn’t applied in the login form. Only when creating a password.
So is that maximum length
I always just refresh the password until I get a random one without the characters the randomly choose to forbid 😂
types in password
"Password incorrect"
goes to reset password
"please enter a new password"
types in password
"your new password cannot be the same"
That just means you entered it wrong the first time.
It often means that one could have derived the correct password from the set of rules - but those rules are not shown when asking for the old password
Exactly this. I want to normalize showing the password requirements when you don't immediately get the password - if you made me jump through hoops the first time, at least remind me what they were!
i have had this happen on some websites occasionally while using my password manager.
Sometimes it means the page checking the password is following a different ruleset eg. the main page is case sensitive and the change password page isn't. Sometimes it's stuff like the entered password is silently truncated to a fixed number of characters and because of that won't let you log in. Sometimes it's wierd character expansions being passed directly to the password checking routine (& or similar).
For those wanting to play this as a game, there is this wonderfully fiendish website.
Rule 13
Your password must include the current phase of the moon as an emoji.
I got stuck on the chess one. Used to think I was pretty decent at the game. After a few tries I gave up and tried a few websites that claim to be able to solve it and none found the "correct" move.
The worst part is that if they know that password is already in use.... then they aren't storing their passwords appropriately.
You could store the passwords as hashes and just compare the hashed value.
yes, but then they are not salted, which is what they should be doing.
True, but for the same big O they can salt the password for each user and compare it to what they have stored. My big pet peeve (that I've actually seen) is when they say your password is too similar to an old one. I have no idea how that could be reasonably done if they're storing your password correctly.
But are they peppered?
Good call.
My favorite is when you forget your password and try to reset it but it cries that you can't use passwords you already used
Mother fucker if I remembered what I used I wouldn't be doing this
Lol, at this point just generate a password for me to save in my bitwarden.
The worst one is when it only supports up to like 16 characters but doesn't tell you so it will only use the first 16 characters and ignore the rest. The next time you need to enter it and get the 64 character password from your password manager it will just say it incorrect and you're left with no idea on why it's wrong.
Holy shit you might have just explained why I have to reset my password every time for a local fast food joints own website
So secure even you don't know the password. It's like built in MFA.
This was me on a bank's site till I clued in that I need to shorten my password.
Why do you have an account for your local fast food joint?!
so he can get even faster food? idk
To order through their site, I try to use the places own sites instead of justeat etc so they get more of the money. As you can imagine they aren't the best websites though.
You can't just order per telefon?
I can do you one worse.
My banking app password was not case sensitive for many, many years. They finally fixed it a few years back though!
I think walmart.com was or is that way. Took me a while to figure that crap out.
This has happened to me so many times. Frustrating and stupid being belief. Are they hiring 10 year olds to write the html/script? Sheesh.
This is one of the reasons why I am totally dependent on my password manager now.
60 character alphanumeric randomly generated password: sorry, that password is not secure enough, please include a special character
Type "Letmein69!" : perfect, very secure password
Me: 🤨
Yeah that really bugs me.
Like come one, "Ma5terp!ece" is more secure than "Regain Refinance Clarify Cuddle9"
Maybe in bizaro world.
Password can't exceed 32 characters
Garbage
i wouldn't even mind if it was 32. 32 is a damn strong password.
I've seen as low as 10 digits in the past
My Wells Fargo password used to be max 8 characters, and when you use the phone you you can basically use the keypad to log in.
So it's basically 8 DIGITS
Wow, super secure!
32 is a damn strong password
Not necessarily: only if it's generated properly, and only for the moment - that will change in the next few years.
You do realize that length and symbol type are only 2 out of many other factors that go into a strong password?
Ok, fair, not all 32 digit passwords will be secure.
11111111111111111111111111111111 is not secure, but I was trying to imply, in a properly generated password, 32 digits long is very secure.
but I was trying to imply, in a properly generated password, 32 digits long is very secure.
I understand, and I think you make a valid point as far as the discussion is concerned.
It's unfortunately still a little more complicated than that, though.
Like I said, there's more to a password than length and symbol type.
Even something like cF*+@aXbIdFHje2vZiU-1 is less secure than if it were generated by a good PRNG.
D0@ndro!dsDr@3@m0f3l3ctr!cSh33p? is also insecure, though it might have been considered secure 4-5 years ago.
You see what I'm saying?
Then of course there's hash algorithms and how those are used to authenticate the passwords themselves, etc.
You think that's bad, a decade ago I had to use a government-run website that required passwords be exactly 8 characters
A password prompt should include all criteria upfront so that you can setup your password manager to generate a fitting password.
Getting the criteria or even just partial after you entered one is fucking atrocious.
And that exact text should be available when you're trying to log in.
Ultimately that makes it easier to break.
How many people do you suppose don't exceed minimum requirements? Once you've got that you can reduce how much you need to generate.
Yeah, you can get that by going to the sign up process, but it generates an extra step that would also increase automation/scraping efforts since it's rarely in the same place.
It wouldn’t really increase the effort much. A human would have to go through the process once, then just pass those requirements off to the script. The initial setup isn’t something you typically hand off to automation.
I've seen this but with a final message of "Sorry, that password is already in use by user about2getOwned@gmail.com."
Login to their account
Change their password to something else
Set your password
But what if the password you want to set is already in use?
Refer to my above comment until that is no longer the case.
Sorry, you must have a special character. Oh... Not THAT special character, it has to be a special special character, that one isn't valid. Ah, no, that one's too long. It should be shorter. It needs to be between 11 and 11.5 characters.
Half the time I now just enter random nonsense until it lets me create an account. Then, when I want to access a website/app again, I just 'forget' my password and reset it to some other random nonsense.
I click Bitwardens generate password button and im done. Also the password is automatically saved.
Recommend it :)
They could cut steps and just ask for the email and send the link with an access token that will authenticate the user directly.
that password is already in use
lmao, "security" moment
Brute force user names instead of password. Big Brian moment
Large Brian Moment, for real
My new favorite is the minimum time between password changes. My last 2 jobs set it to 24 hours, so IT guy gives you the temp password and you can't change it for 24 hours. But wait, when you try to change it the error you get is "doesn't meet your organization's minimum complexity requirements" which does not help AT ALL and the IT guy thinks you're an idiot because you can't figure out the complexity requirements. What a great feature!
And that's when they tell you what you did wrong. Sometimes they'll reject the password without telling you why, because of some rule they didn't list. For example, I set a password in a parking app (Flowbird) which had an unmentioned restriction against spaces and Swedish letters (dispite targeting the Swedish market). Also, it lets you set a fairly long password, but when you try to log in on their webpage they've set maxlength="32" on the password field. So if you have a longer password you have to edit the DOM and remove that attribute to log in.
This already happened to me in a big service provider (electricity) website. It's infuriating.
I lent my spouse's mother our apple ID while theirs was toasted. But of course I had to change it first, since OhFuckMeH@rd3rYouFucks was finally an acceptable password for Apple but not for in-laws.
I did once encounter a site in the early 2000s that wouldn't let me use a password because it was already in use by someone else. I was too young at the time to realize how bad that was, but I remember thinking it didn't make sense.
It MIGHT not be as bad as you think. If the UI was just terrible at communicating and what it actually meant was, "that password is in our database of known compromised passwords," then that would be reasonable. Google does this now too, but I think they only do it after the fact (e.g. you get a warning that your password is in a database of compromised passwords).
Can confirm that Google will do this for you. Also, I switched to Bitwarden and Firefox last year so most of these passwords have either been changed or I haven't been on the site in years and don't much care and im not actually this exposed anymore 😂😂
The one where LastPass lobbied the government via time travel shenanigans.
Within the tiny, circumscribed world of a single instance.
I hate that most places don't remind you what the rules of their passwords are if you've forgotten yours. Odds are I'd be able to correctly guess it if I knew.
As a sysadmin, can I just say: BAD PASSWORD: more than 3 consecutive characters of the same class
The number of times I've gone through that only to have it fail without explanation when I exceed the length limit - forcing me to guess if that must be the issue - is FAR higher than it should be.
And fuck any system that doesn't provide the criteria up front.
Also fun is when the field to initially set the password is also character limited and you choose a password that’s longer than the field but don’t notice until you’ve set it and get repeated login failures afterward
Yeah that nearly makes me want to smash something when it happens. Anyone that silently truncates passwords should NOT do it, or at least truncate the creation AND login forms. Just say the limit and give a error, or handle extra input the way you're supposed to in the enceyption algorithm and hash it to to the correct length. A length limit of say, the amount of bits the encryption key has, like 32/64/128 chracters for 256/512/1024 bit, is reasonable, any other limit is stupid.
YES, I have hit this too!
Is there any actual services that check if the password is already in use?
I've heard that some really obscure website even told you who used that exact password, because the CEO of the company owning said website complained for not having it, then the IT company who made the website had to add it. (If you ask: it was some Hungarian-owned website, and not space Karen's 1000IQ idea)
There are definitely services that fuss if you use a password you've used before.
-Try to log in, password incorrect.
-Try to log in, password incorrect.
-Try to log in, password incorrect.
-Weird, ok reset password.
-"Enter new password." Enter the password I've been typing the whole time. "Sorry, you can't use your old password."
-DAMMIT!
I'm pretty convinced this happens because their password validation isn't responding quickly enough and it defaults to "password incorrect."
That password is already in use by user 'gigachad'.
This is why one of my passwords is something like forFUCKSAKE123$#!
I know the frustration. Fucked up part is that all that crap makes it least secure not more.
Password1!
It's surprising how many times I have seen this and variations.
The only one that actually reduces security is the length, as it implies it's stored as plaintext.
The rest do improve complexity for cracking.
Only if you write it down on a piece of paper or save it in your notes. Guaranteeing longer passwords with a variety of different symbols does make the passwords stronger though.
As a hamster enthusiast, I approve of each password provided by this user.
It's best to avoid passwords that include your fetish
If someone gets to know you, they can more easily guess that you're a Hamtaro or Richard Gere fetishist
Richard Gere... Lemmiwinks... Lemmy... Oh god, we're all Richard Gere fetishists, aren't we?
If a password input form asks any of these questions, consider the website or service compromised right from the beginning. The reason for this, is that it means they are not storing salted/hashed passwords and your password will be stored as plain text on their servers. There's no reason for any limitations on a password. In the event of a breach, your password will be visible in any database dumped by a hack. Always makes me wince when a password form complains about password length, as it really should not matter. When you hash a password, it will be stored in the database at a specific string length;
All of those things can be verified before storing the password in any way, encrypted or not, and checking them would be a requisite before storing it.
While it's true that they don't have a significant impact on the hash generated, they make it significantly more difficult for anyone to guess your password. It's much easier to guess password321 than something like Or^9L%u&QQ12XxI@. And that has nothing to do with how the password is ultimately stored.
Of course, requiring at least one symbol or upper case letter etc is a good idea, along with a minimum length. Many websites won't let you use a password longer than a certain amount of characters. The only reason for that limitation is that they are storing the database field as plaintext, and anything longer will not fit into that column.
That’s just not true, all of these things can be achieved without saving the password as plain text
How is it not true? If a site is saying for example, "password must be less than 20 characters" -- that is purely a limitation based on the size of the database field, which you can only assume it's being adding to that field as plain text. A hash will always be the same length and password length would not matter.
I'll keep my aswer short, but first of all, usually this format enforcement is done on the client before it is ever sent to the backend, there are many reasons to limit the maximum length other than string length limitations on the database ( not that I can think of many actual good reasons).
Second of all, the client should send the actual password to the backend (allowing you validate these same password requirements on your backend), not the hashed password, hashing the password on the client side would be no better than storing the password as "plain text".
And never is the "plain text" password stored in any database, only sent over to the backend and hashed, every time you set a new password, or log in using an existing one.
Any site worth its salt (heh) will verify criteria on client for UI reasons, not just in the backend
My favorite password is the string "a", but I never get to use it anywhere due to these ridiculous restrictions 😔 Can you tell me which online services you administer so I can sign up for them and enjoy unfettered use of my favorite password?
In not that many years password cracking capabilities would surpass any reasonable password length and character combination.
I too love the Password game! Please save Paul! ~I truly care about him!~ ^Truly!^
(Sorry, I sometimes like to post really bad comments...)
Haha this is great, got to the chess part before giving in
Same. My country was Jordan. Took way too long to figure out, because it dropped me in the middle of an empty amphitheater with no visible road signs, license plates, etc…
I just pasted all the countries and ditched the ones that were wrong.
Ah, dictionary based brute force attack. Classic.
Yup. I couldn’t figure out the answer from the network requests (that’s basically how I do the Wordle part of it) so I decided I’ll dump everything in there.
When I last played it I got dropped in a place where I had actually visited IRL (Uluru), made that part of the game easy
Qxh6
I'm starting to want to learn chess after learning about the password game. I need to go get further!
Bruh, it just made me google dork to find out where a random street view was. 10/10 would recommend
Have you been given the egg yet? Don't forget to feed him!
My Roman numerals should multiple to equal 35, but then the county I got starts with a C… how do you multiply by fractions in Roman numerals?!
You don't need capital letters in the country name
I gave up at the 'find a youtube video of an exact length' step
my laziness limit had been reached
It was great until that step 20 where some 'fire' deleted everything I made. It's one thing to make you think, it's a completely different thing to just delete everything and make you start over. Fuck that noise.
Yeah, I just got to the password on fire and survived, but I wanted to move Paul to an edge so he doesn't get killed if there's another fire. But apparently cutting/pasting him kills him. :(
Edit: I went back and got to rule 25. Rule 24 was a bitch and a half, but I did it. Then I had to sacrifice letters, and I thought, oh, I can't use M or D because they are roman numerals for 1000 and 500, so I chose those. It included lowercase as well, and that made some previous rules impossible. In my anger, I may have overreacted, because I intentionally overfed Paul to kill him.
That’s brutal
Don't you have to delete paul to win?
Man, when I played, poor Paul got burnt to a crisp. I'm still having flashbacks from that shock.
I haven't known that one yet, hilarious :)
I got stuck on rule 14 where I had to guess the country in Google maps.
Au2WonderfullyshellnIcepigsXXXV!85mayy4n6mfiend🌘
I guess it's kind of secure. Does the password change daily with the current wordle word?
if you walk down the path like 20m there's a sign that tells you where you are
I stopped playing when my whole password caught fire lmao
Thanks. I was only on my phone and didn't feel like zooming in for that much.
“Sorry, that password is already in use” ruins it for me. That’s not a realistic message to receive.
Maybe “Your password cannot be one you’ve used previously”.
Should be: "your password cannot be one of your last 24 passwords"
Yeah, this is important. Make it a really big number too so that I have to change my password lots of times in a row in order to put it back to what it was. ;)
Especially for those places that want your password changed every two weeks.
If they want to play that game - the calendar date becomes part of the password. It's never the same, but you can always work it out!
Or just append a letter that increments every time you change your password, and keep a note of what the current letter is.
Passworda
Passwordb
Passwordc
...
When your z password expires, just wrap back around to a.
At my work they wanted better security, and made the rule of minimum 12 characters, must include all sorts of numbers, special characters, etc, no previously used password and it must be changed every month, 3 attempts then the account is locked and you have to call IT.
The result was that people wrote their passwords on post-its on the screen, so it led to worse security overall and they had ro relax the rules.
It follows the vein of some of the password rules and feedback reducing security itself. Like why disallow any characters or set a maximum password length in double digits? If you're storing a hash of the password, the hash function can handle arbitrary length strings filled with arbitrary characters. They run on files, so even null characters need to work. If you do one hash on the client's side and another one on the server, then all the extra computational power needed for a ridiculously long password will be done by the client's computer.
And I bet at least one site has used the error message "that password is already in use by <account>" before someone else in the dev team said, "hang on, what?".
It's true, most of these rules are harmful, but also most are in common use and accepted, for some reason. I have heard of a password system that had that warning, perhaps even the account, but it was in a softwaregore screenshot context.
Should say by who. :)
Now we are talking :)
It shouldn't be.
But it is.
Fun fact: password controls like this have been obsolete since 2020. Standards that guide password management now focus on password length and external security features (like 2FA and robust password encryption for storage) rather than on individual characters in passwords.
Since 2017 at least; and IIRC years before that; that's just the earliest NIST publication on the subject I could find with a trivial Web search.
https://pages.nist.gov/800-63-3/sp800-63b.html
"Memorized secrets" means classic passwords, i.e. a one-factor authentication through a shared secret presumed to be known to only the right person.
I wouldn’t say obsolete because that implies it’s not really used anymore. Most websites and apps still use validation not too dissimilar from the OP, even if it goes against the latest best practices.
Yeah, the most recent one for me was creating a password at lemmy.world
I'm not sure where you heard someone use the word "obsolete" that way, but I assure you that there are thousands if not millions of examples of obsolete technologies in constant and everyday use.
https://www.merriam-webster.com/dictionary/obsolete
For today's 10,000 who have never seen it, https://xkcd.com/936/ succinctly explains why the whole mixed character types thing isn't favoured.
I'm still waiting on an XKCD that references #936 with the fact that we soon as we have reliable, functional quantum computing, all of the passwords from before that point in time will be completely and utterly broken. That the only way to make a password that a quantum computer would have a tough time breaking is if it was made by another quantum computer. Unless of course the comic has already been made and I just missed it, which is a complete possibility because this year for me has been utterly crap.
Some of them are broken by quantum computers, but not all of them. For example, SHA256. You can use Grover's algorithm to take sqrt(n) steps to check n possible passwords, which on the one hand means it can be billions of times faster, but on the other hand, you just need to double the length of the password to get the same security vs quantum computers. Also, this is the first I've heard of a hash that uses a quantum computer. Do you have a source? Hashes need to be deterministic, and quantum computers aren't, so that doesn't seem like it would work very well.
Maybe you're getting mixed up with using quantum encryption to get around quantum computers breaking common encryption algorithms?
Except you can run a dictionary attack on that and suddenly it's only 4 variables that are cracked way faster than the first password.
Except you can run a dictionary attack on that and suddenly it's only 4 variables that are cracked way faster than the first password.
People should be made aware of all the tools available to properly manage tons of passwords. Not even going too deep into "passkey" stuff or any modern shenanigans, but a password manager used to generate random passwords for each separate sites is such a simple step.
Yeah! And nowadays the industry is pushing towards password less authentication. Github just started rolling it out to beta users
BIG red flag. Abort. Abort.
Also I love when they only support certain special characters. So the psuedo random noise created by my password generator won't work until I curate out the unsupported characters.
I was changing my password on a pretty big company website the other day.
The password generated by my password manager kept giving me a http error (500 I think)
I generated a new password and deleted all the special characters other than the obvious ones. Boom, worked first time.
So looks like someone is not sanitising their inputs properly.
I sent them an email so hopefully they will fix.
One can only hope. But based on my experience, they usually do not. I once sent an email to Microsoft telling them that their Microsoft account app had a vulnerability, and I even sent them the XML line they needed to add to their Android Manifest to fix it, and they wouldn't do it because it required physical access to the device to exploit. I mean, that's fair enough, but it was literally one line of code to plug the hole.
They eventually did add that line about 6 years later.
It boggles sometimes.
I remember about 2015 (?) In the vicinity anyway, PayPal has a 12 character MAXIMUM on their passwords.
PayPal, you know the place where you can literally transfer all the money. A 12 character MAXIMUM
I emailed them to suggest they change this requirement. And they replied saying that 12 characters was sufficient if you used special characters and numbers.
Glad they have finally changed it now.
My bank has an 8 character limit. Not minimum, limit
Password1'); DROP TABLE Passwords;--
Robert'); DROP TABLE Students;--
Funniest thing was when I registered on a website which parsed the \0 sequence and hence truncated the password in the background unbeknownst to me. This way you could circumvent the minimum length and creare a one character password.
Once I registered on a website. I used an auto generated password. Next time I tried to log in to the website I was confused that my stored password didn’t work. Requested to change the password, but I used the stored password again. To my surprise, it said the password must be different from the current one.
After a bit back and forth I finally figured it out. Apparently the site had a max length on the password. Any password longer than that is truncated. This truncation wasn’t applied in the login form. Only when creating a password.
So is that maximum length
I always just refresh the password until I get a random one without the characters the randomly choose to forbid 😂
My favorite, though, is:
types in password "Password incorrect" goes to reset password "please enter a new password" types in password "your new password cannot be the same"
That just means you entered it wrong the first time.
It often means that one could have derived the correct password from the set of rules - but those rules are not shown when asking for the old password
Exactly this. I want to normalize showing the password requirements when you don't immediately get the password - if you made me jump through hoops the first time, at least remind me what they were!
i have had this happen on some websites occasionally while using my password manager.
Sometimes it means the page checking the password is following a different ruleset eg. the main page is case sensitive and the change password page isn't. Sometimes it's stuff like the entered password is silently truncated to a fixed number of characters and because of that won't let you log in. Sometimes it's wierd character expansions being passed directly to the password checking routine (& or similar).
For those wanting to play this as a game, there is this wonderfully fiendish website.
https://neal.fun/password-game/
Rule 13 Your password must include the current phase of the moon as an emoji.
I got stuck on the chess one. Used to think I was pretty decent at the game. After a few tries I gave up and tried a few websites that claim to be able to solve it and none found the "correct" move.
The worst part is that if they know that password is already in use.... then they aren't storing their passwords appropriately.
You could store the passwords as hashes and just compare the hashed value.
yes, but then they are not salted, which is what they should be doing.
True, but for the same big O they can salt the password for each user and compare it to what they have stored. My big pet peeve (that I've actually seen) is when they say your password is too similar to an old one. I have no idea how that could be reasonably done if they're storing your password correctly.
But are they peppered?
Good call.
My favorite is when you forget your password and try to reset it but it cries that you can't use passwords you already used
Mother fucker if I remembered what I used I wouldn't be doing this
Lol, at this point just generate a password for me to save in my bitwarden.
The worst one is when it only supports up to like 16 characters but doesn't tell you so it will only use the first 16 characters and ignore the rest. The next time you need to enter it and get the 64 character password from your password manager it will just say it incorrect and you're left with no idea on why it's wrong.
Holy shit you might have just explained why I have to reset my password every time for a local fast food joints own website
So secure even you don't know the password. It's like built in MFA.
This was me on a bank's site till I clued in that I need to shorten my password.
Why do you have an account for your local fast food joint?!
so he can get even faster food? idk
To order through their site, I try to use the places own sites instead of justeat etc so they get more of the money. As you can imagine they aren't the best websites though.
You can't just order per telefon?
I can do you one worse.
My banking app password was not case sensitive for many, many years. They finally fixed it a few years back though!
I think walmart.com was or is that way. Took me a while to figure that crap out.
This has happened to me so many times. Frustrating and stupid being belief. Are they hiring 10 year olds to write the html/script? Sheesh.
https://neal.fun/password-game/
Had to give up at rule 20 because I was using a phone.
::: spoiler Spoiler As much
funpain as that was, highlighting with a touch screen is nowhere near fast enough to put out the fire. :::Would love to see a speedrun leaderboard for this, though.
Thank you, I'm thoroughly annoyed.
Me too.
Fuck. I gave it a try for real this time and hit a permanent game over condition.
::: spoiler spoiler Apparently you can overfeed Paul :::
Darn, I wanted to see what came next. Some of those rules were hilarious. But I'm not doing that all again.
That was my limit too!
I got to the "wordle" one before giving up. jesus lol, nice meme
It was crone btw.
wow, spoilers /jk
Looks like someone's been playing the password game https://neal.fun/password-game/
That game made me want to punch.
This is one of the reasons why I am totally dependent on my password manager now.
60 character alphanumeric randomly generated password: sorry, that password is not secure enough, please include a special character
Type "Letmein69!" : perfect, very secure password
Me: 🤨
Yeah that really bugs me.
Like come one, "Ma5terp!ece" is more secure than "Regain Refinance Clarify Cuddle9"
Maybe in bizaro world.
Garbage
i wouldn't even mind if it was 32. 32 is a damn strong password.
I've seen as low as 10 digits in the past
My Wells Fargo password used to be max 8 characters, and when you use the phone you you can basically use the keypad to log in.
So it's basically 8 DIGITS
Wow, super secure!
Not necessarily: only if it's generated properly, and only for the moment - that will change in the next few years.
You do realize that length and symbol type are only 2 out of many other factors that go into a strong password?
Ok, fair, not all 32 digit passwords will be secure.
11111111111111111111111111111111 is not secure, but I was trying to imply, in a properly generated password, 32 digits long is very secure.
I understand, and I think you make a valid point as far as the discussion is concerned.
It's unfortunately still a little more complicated than that, though.
Like I said, there's more to a password than length and symbol type.
Even something like cF*+@aXbIdFHje2vZiU-1 is less secure than if it were generated by a good PRNG.
D0@ndro!dsDr@3@m0f3l3ctr!cSh33p? is also insecure, though it might have been considered secure 4-5 years ago.
You see what I'm saying?
Then of course there's hash algorithms and how those are used to authenticate the passwords themselves, etc.
You think that's bad, a decade ago I had to use a government-run website that required passwords be exactly 8 characters
A password prompt should include all criteria upfront so that you can setup your password manager to generate a fitting password.
Getting the criteria or even just partial after you entered one is fucking atrocious.
And that exact text should be available when you're trying to log in.
Ultimately that makes it easier to break.
How many people do you suppose don't exceed minimum requirements? Once you've got that you can reduce how much you need to generate.
Yeah, you can get that by going to the sign up process, but it generates an extra step that would also increase automation/scraping efforts since it's rarely in the same place.
It wouldn’t really increase the effort much. A human would have to go through the process once, then just pass those requirements off to the script. The initial setup isn’t something you typically hand off to automation.
I've seen this but with a final message of "Sorry, that password is already in use by user about2getOwned@gmail.com."
But what if the password you want to set is already in use?
Refer to my above comment until that is no longer the case.
Sorry, you must have a special character. Oh... Not THAT special character, it has to be a special special character, that one isn't valid. Ah, no, that one's too long. It should be shorter. It needs to be between 11 and 11.5 characters.Half the time I now just enter random nonsense until it lets me create an account. Then, when I want to access a website/app again, I just 'forget' my password and reset it to some other random nonsense.
I click Bitwardens generate password button and im done. Also the password is automatically saved.
Recommend it :)
They could cut steps and just ask for the email and send the link with an access token that will authenticate the user directly.
lmao, "security" moment
Brute force user names instead of password. Big Brian moment
Large Brian Moment, for real
My new favorite is the minimum time between password changes. My last 2 jobs set it to 24 hours, so IT guy gives you the temp password and you can't change it for 24 hours. But wait, when you try to change it the error you get is "doesn't meet your organization's minimum complexity requirements" which does not help AT ALL and the IT guy thinks you're an idiot because you can't figure out the complexity requirements. What a great feature!
And that's when they tell you what you did wrong. Sometimes they'll reject the password without telling you why, because of some rule they didn't list. For example, I set a password in a parking app (Flowbird) which had an unmentioned restriction against spaces and Swedish letters (dispite targeting the Swedish market). Also, it lets you set a fairly long password, but when you try to log in on their webpage they've set maxlength="32" on the password field. So if you have a longer password you have to edit the DOM and remove that attribute to log in.
This already happened to me in a big service provider (electricity) website. It's infuriating.
I lent my spouse's mother our apple ID while theirs was toasted. But of course I had to change it first, since OhFuckMeH@rd3rYouFucks was finally an acceptable password for Apple but not for in-laws.
We allow memes here?
Bad memes, too. This is some fwd: fwd: fwd shit.
Boomer memes
In what world are passwords unique.
I did once encounter a site in the early 2000s that wouldn't let me use a password because it was already in use by someone else. I was too young at the time to realize how bad that was, but I remember thinking it didn't make sense.
It MIGHT not be as bad as you think. If the UI was just terrible at communicating and what it actually meant was, "that password is in our database of known compromised passwords," then that would be reasonable. Google does this now too, but I think they only do it after the fact (e.g. you get a warning that your password is in a database of compromised passwords).
The one where LastPass lobbied the government via time travel shenanigans.
Within the tiny, circumscribed world of a single instance.
I hate that most places don't remind you what the rules of their passwords are if you've forgotten yours. Odds are I'd be able to correctly guess it if I knew.
HorseBatteryStaple
...so close
https://xkcd.com/936/?correct=horse&battery=staple
correct
As a sysadmin, can I just say: BAD PASSWORD: more than 3 consecutive characters of the same class
The number of times I've gone through that only to have it fail without explanation when I exceed the length limit - forcing me to guess if that must be the issue - is FAR higher than it should be.
And fuck any system that doesn't provide the criteria up front.
Also fun is when the field to initially set the password is also character limited and you choose a password that’s longer than the field but don’t notice until you’ve set it and get repeated login failures afterward
Yeah that nearly makes me want to smash something when it happens. Anyone that silently truncates passwords should NOT do it, or at least truncate the creation AND login forms. Just say the limit and give a error, or handle extra input the way you're supposed to in the enceyption algorithm and hash it to to the correct length. A length limit of say, the amount of bits the encryption key has, like 32/64/128 chracters for 256/512/1024 bit, is reasonable, any other limit is stupid.
YES, I have hit this too!
Is there any actual services that check if the password is already in use?
I've heard that some really obscure website even told you who used that exact password, because the CEO of the company owning said website complained for not having it, then the IT company who made the website had to add it. (If you ask: it was some Hungarian-owned website, and not space Karen's 1000IQ idea)
There are definitely services that fuss if you use a password you've used before.
-Try to log in, password incorrect.
-Try to log in, password incorrect.
-Try to log in, password incorrect.
-Weird, ok reset password.
-"Enter new password." Enter the password I've been typing the whole time. "Sorry, you can't use your old password."
-DAMMIT!
I'm pretty convinced this happens because their password validation isn't responding quickly enough and it defaults to "password incorrect."
That password is already in use by user 'gigachad'.
This is why one of my passwords is something like forFUCKSAKE123$#!
I know the frustration. Fucked up part is that all that crap makes it least secure not more.
Password1!It's surprising how many times I have seen this and variations.
The only one that actually reduces security is the length, as it implies it's stored as plaintext.
The rest do improve complexity for cracking.
Only if you write it down on a piece of paper or save it in your notes. Guaranteeing longer passwords with a variety of different symbols does make the passwords stronger though.
Fifty fucking cabbages, the 2023 version
My cabbages!
https://youtu.be/zRFDr8Vgp_Q
Here is an alternative Piped link(s): https://piped.video/zRFDr8Vgp_Q
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I'm open-source, check me out at GitHub.
Thanks for introducing me to Piped!
As a hamster enthusiast, I approve of each password provided by this user.
It's best to avoid passwords that include your fetish
If someone gets to know you, they can more easily guess that you're a Hamtaro or Richard Gere fetishist
Richard Gere... Lemmiwinks... Lemmy... Oh god, we're all Richard Gere fetishists, aren't we?
If a password input form asks any of these questions, consider the website or service compromised right from the beginning. The reason for this, is that it means they are not storing salted/hashed passwords and your password will be stored as plain text on their servers. There's no reason for any limitations on a password. In the event of a breach, your password will be visible in any database dumped by a hack. Always makes me wince when a password form complains about password length, as it really should not matter. When you hash a password, it will be stored in the database at a specific string length;
Eg; using sha-1 hashing:
All of those things can be verified before storing the password in any way, encrypted or not, and checking them would be a requisite before storing it.
While it's true that they don't have a significant impact on the hash generated, they make it significantly more difficult for anyone to guess your password. It's much easier to guess
password321than something likeOr^9L%u&QQ12XxI@. And that has nothing to do with how the password is ultimately stored.Of course, requiring at least one symbol or upper case letter etc is a good idea, along with a minimum length. Many websites won't let you use a password longer than a certain amount of characters. The only reason for that limitation is that they are storing the database field as plaintext, and anything longer will not fit into that column.
That’s just not true, all of these things can be achieved without saving the password as plain text
How is it not true? If a site is saying for example, "password must be less than 20 characters" -- that is purely a limitation based on the size of the database field, which you can only assume it's being adding to that field as plain text. A hash will always be the same length and password length would not matter.
I'll keep my aswer short, but first of all, usually this format enforcement is done on the client before it is ever sent to the backend, there are many reasons to limit the maximum length other than string length limitations on the database ( not that I can think of many actual good reasons).
Second of all, the client should send the actual password to the backend (allowing you validate these same password requirements on your backend), not the hashed password, hashing the password on the client side would be no better than storing the password as "plain text".
And never is the "plain text" password stored in any database, only sent over to the backend and hashed, every time you set a new password, or log in using an existing one.
Any site worth its salt (heh) will verify criteria on client for UI reasons, not just in the backend
My favorite password is the string "a", but I never get to use it anywhere due to these ridiculous restrictions 😔 Can you tell me which online services you administer so I can sign up for them and enjoy unfettered use of my favorite password?
In not that many years password cracking capabilities would surpass any reasonable password length and character combination.