We’ve all been there.

  • FluffyPotato@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    The worst one is when it only supports up to like 16 characters but doesn’t tell you so it will only use the first 16 characters and ignore the rest. The next time you need to enter it and get the 64 character password from your password manager it will just say it incorrect and you’re left with no idea on why it’s wrong.

    • KairuByte@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      I can do you one worse.

      My banking app password was not case sensitive for many, many years. They finally fixed it a few years back though!

    • dlok@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      Holy shit you might have just explained why I have to reset my password every time for a local fast food joints own website

  • Tyler_Zoro@ttrpg.network
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Fun fact: password controls like this have been obsolete since 2020. Standards that guide password management now focus on password length and external security features (like 2FA and robust password encryption for storage) rather than on individual characters in passwords.

    • fubo@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      1 year ago

      Since 2017 at least; and IIRC years before that; that’s just the earliest NIST publication on the subject I could find with a trivial Web search.

      https://pages.nist.gov/800-63-3/sp800-63b.html

      Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

      “Memorized secrets” means classic passwords, i.e. a one-factor authentication through a shared secret presumed to be known to only the right person.

    • Corhen@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      i wouldn’t even mind if it was 32. 32 is a damn strong password.

      I’ve seen as low as 10 digits in the past

      • iopq@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        My Wells Fargo password used to be max 8 characters, and when you use the phone you you can basically use the keypad to log in.

        So it’s basically 8 DIGITS

      • graphite@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        edit-2
        1 year ago

        32 is a damn strong password

        Not necessarily: only if it’s generated properly, and only for the moment - that will change in the next few years.

        You do realize that length and symbol type are only 2 out of many other factors that go into a strong password?

        • Corhen@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Ok, fair, not all 32 digit passwords will be secure.

          11111111111111111111111111111111 is not secure, but I was trying to imply, in a properly generated password, 32 digits long is very secure.

          • graphite@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            edit-2
            1 year ago

            but I was trying to imply, in a properly generated password, 32 digits long is very secure.

            I understand, and I think you make a valid point as far as the discussion is concerned.

            It’s unfortunately still a little more complicated than that, though.

            Like I said, there’s more to a password than length and symbol type.

            Even something like cF*+@aXbIdFHje2vZiU-1 is less secure than if it were generated by a good PRNG.

            D0@ndro!dsDr@3@m0f3l3ctr!cSh33p? is also insecure, though it might have been considered secure 4-5 years ago.

            You see what I’m saying?

            Then of course there’s hash algorithms and how those are used to authenticate the passwords themselves, etc.

    • Revan343@lemmy.ca
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      You think that’s bad, a decade ago I had to use a government-run website that required passwords be exactly 8 characters

  • zeppo@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    “Sorry, that password is already in use” ruins it for me. That’s not a realistic message to receive.

    Maybe “Your password cannot be one you’ve used previously”.

      • quat@lemmy.sdfeu.org
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        At my work they wanted better security, and made the rule of minimum 12 characters, must include all sorts of numbers, special characters, etc, no previously used password and it must be changed every month, 3 attempts then the account is locked and you have to call IT.

        The result was that people wrote their passwords on post-its on the screen, so it led to worse security overall and they had ro relax the rules.

    • SSTF@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      1 year ago

      Unfortunately a lot of jobs require passwords and they use outdated security processes, forcing people to have the old fashioned “must have uppercase, lowercase, number, and special character & you have to change it every 3 months for no reason” passwords instead of the stronger (and less annoying) alternatives.

      • funkless@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        i signed up at mba.com and it wouldn’t let me use a password because it contained a semicolon which wasn’t on the approved list of special characters, and then - get this - because I tried too many times to create a password - locked me out because I had “too many failed attempts”

    • eth0p@iusearchlinux.fyi
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      1 year ago

      Had to give up at rule 20 because I was using a phone.

      Spoiler

      As much fun pain as that was, highlighting with a touch screen is nowhere near fast enough to put out the fire.

      Would love to see a speedrun leaderboard for this, though.

    • CoderKat@lemm.ee
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      1 year ago

      Fuck. I gave it a try for real this time and hit a permanent game over condition.

      spoiler

      Apparently you can overfeed Paul

      Darn, I wanted to see what came next. Some of those rules were hilarious. But I’m not doing that all again.