Unfortunately a lot of jobs require passwords and they use outdated security processes, forcing people to have the old fashioned “must have uppercase, lowercase, number, and special character & you have to change it every 3 months for no reason” passwords instead of the stronger (and less annoying) alternatives.
i signed up at mba.com and it wouldn’t let me use a password because it contained a semicolon which wasn’t on the approved list of special characters, and then - get this - because I tried too many times to create a password - locked me out because I had “too many failed attempts”
Still frustrating. I generally try to make my passwords all lowercase in case I need to type them (especially on a phone). But a lot of places don’t allow that.
No offense but I’m kinda happy they dont allow that. Its horrible entropy a better approach for manual entry is using a randomly generated passphrase (6+ words should be enough with a special character as a seperator if needed) or again using the autofill of a password manager, there are many available for mobile devices. I recommend checking out bitwarden for anyone new to password managers
If I’m typing on a computer keyboard, typing words is easier than random letters, but on a phone it doesn’t make much of a difference. What I end up doing is typing my passphrase into my password manager on the computer, and then typing the password on there into my phone.
I do have a password manager app for my phone, but then I have to type the whole passphrase into it so I don’t use it unless necessary.
I hate that most places don’t remind you what the rules of their passwords are if you’ve forgotten yours. Odds are I’d be able to correctly guess it if I knew.
It follows the vein of some of the password rules and feedback reducing security itself. Like why disallow any characters or set a maximum password length in double digits? If you’re storing a hash of the password, the hash function can handle arbitrary length strings filled with arbitrary characters. They run on files, so even null characters need to work. If you do one hash on the client’s side and another one on the server, then all the extra computational power needed for a ridiculously long password will be done by the client’s computer.
And I bet at least one site has used the error message “that password is already in use by <account>” before someone else in the dev team said, “hang on, what?”.
It’s true, most of these rules are harmful, but also most are in common use and accepted, for some reason. I have heard of a password system that had that warning, perhaps even the account, but it was in a softwaregore screenshot context.
The worst one is when it only supports up to like 16 characters but doesn’t tell you so it will only use the first 16 characters and ignore the rest. The next time you need to enter it and get the 64 character password from your password manager it will just say it incorrect and you’re left with no idea on why it’s wrong.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !technology@lemmy.world
This is a most excellent place for technology news and articles.
Its been less frustrating since I moved to a password manager
Unfortunately a lot of jobs require passwords and they use outdated security processes, forcing people to have the old fashioned “must have uppercase, lowercase, number, and special character & you have to change it every 3 months for no reason” passwords instead of the stronger (and less annoying) alternatives.
that’s exactly why a password manager works. there’s a generator that you can configure to meet requirements
Must be changed every month, can’t use a previous password, AND, for some fucking reason, can only contain 8 characters.
And if you forgot your password, you can call IT and they’ll just read it to you because they have them all saved somewhere.
That was a great place to work at.
i signed up at mba.com and it wouldn’t let me use a password because it contained a semicolon which wasn’t on the approved list of special characters, and then - get this - because I tried too many times to create a password - locked me out because I had “too many failed attempts”
Sounds like it’s prime time for a SQL-injection
Still frustrating. I generally try to make my passwords all lowercase in case I need to type them (especially on a phone). But a lot of places don’t allow that.
No offense but I’m kinda happy they dont allow that. Its horrible entropy a better approach for manual entry is using a randomly generated passphrase (6+ words should be enough with a special character as a seperator if needed) or again using the autofill of a password manager, there are many available for mobile devices. I recommend checking out bitwarden for anyone new to password managers
If I’m typing on a computer keyboard, typing words is easier than random letters, but on a phone it doesn’t make much of a difference. What I end up doing is typing my passphrase into my password manager on the computer, and then typing the password on there into my phone.
I do have a password manager app for my phone, but then I have to type the whole passphrase into it so I don’t use it unless necessary.
I’ve seen this but with a final message of “Sorry, that password is already in use by user about2getOwned@gmail.com.”
Fifty fucking cabbages, the 2023 version
My cabbages!
https://youtu.be/zRFDr8Vgp_Q
I too love the Password game! Please save Paul! ~I truly care about him!~ Truly!
(Sorry, I sometimes like to post really bad comments…)
I haven’t known that one yet, hilarious :)
Don’t you have to delete paul to win?
My Roman numerals should multiple to equal 35, but then the county I got starts with a C… how do you multiply by fractions in Roman numerals?!
Man, when I played, poor Paul got burnt to a crisp. I’m still having flashbacks from that shock.
I know the frustration. Fucked up part is that all that crap makes it least secure not more.
My favorite is when you forget your password and try to reset it but it cries that you can’t use passwords you already used
Mother fucker if I remembered what I used I wouldn’t be doing this
I hate that most places don’t remind you what the rules of their passwords are if you’ve forgotten yours. Odds are I’d be able to correctly guess it if I knew.
HorseBatteryStaple
Garbage
i wouldn’t even mind if it was 32. 32 is a damn strong password.
I’ve seen as low as 10 digits in the past
My Wells Fargo password used to be max 8 characters, and when you use the phone you you can basically use the keypad to log in.
So it’s basically 8 DIGITS
Wow, super secure!
Not necessarily: only if it’s generated properly, and only for the moment - that will change in the next few years.
You do realize that length and symbol type are only 2 out of many other factors that go into a strong password?
Ok, fair, not all 32 digit passwords will be secure.
11111111111111111111111111111111 is not secure, but I was trying to imply, in a properly generated password, 32 digits long is very secure.
I understand, and I think you make a valid point as far as the discussion is concerned.
It’s unfortunately still a little more complicated than that, though.
Like I said, there’s more to a password than length and symbol type.
Even something like cF*+@aXbIdFHje2vZiU-1 is less secure than if it were generated by a good PRNG.
D0@ndro!dsDr@3@m0f3l3ctr!cSh33p? is also insecure, though it might have been considered secure 4-5 years ago.
You see what I’m saying?
Then of course there’s hash algorithms and how those are used to authenticate the passwords themselves, etc.
In not that many years password cracking capabilities would surpass any reasonable password length and character combination.
For those wanting to play this as a game, there is this wonderfully fiendish website.
https://neal.fun/password-game/
Rule 13 Your password must include the current phase of the moon as an emoji.
removed by mod
“Sorry, that password is already in use” ruins it for me. That’s not a realistic message to receive.
Maybe “Your password cannot be one you’ve used previously”.
Should be: “your password cannot be one of your last 24 passwords”
Especially for those places that want your password changed every two weeks.
If they want to play that game - the calendar date becomes part of the password. It’s never the same, but you can always work it out!
Or just append a letter that increments every time you change your password, and keep a note of what the current letter is.
Passworda
Passwordb
Passwordc
…
When your z password expires, just wrap back around to a.
It follows the vein of some of the password rules and feedback reducing security itself. Like why disallow any characters or set a maximum password length in double digits? If you’re storing a hash of the password, the hash function can handle arbitrary length strings filled with arbitrary characters. They run on files, so even null characters need to work. If you do one hash on the client’s side and another one on the server, then all the extra computational power needed for a ridiculously long password will be done by the client’s computer.
And I bet at least one site has used the error message “that password is already in use by <account>” before someone else in the dev team said, “hang on, what?”.
It’s true, most of these rules are harmful, but also most are in common use and accepted, for some reason. I have heard of a password system that had that warning, perhaps even the account, but it was in a softwaregore screenshot context.
The worst one is when it only supports up to like 16 characters but doesn’t tell you so it will only use the first 16 characters and ignore the rest. The next time you need to enter it and get the 64 character password from your password manager it will just say it incorrect and you’re left with no idea on why it’s wrong.
I can do you one worse.
My banking app password was not case sensitive for many, many years. They finally fixed it a few years back though!
This has happened to me so many times. Frustrating and stupid being belief. Are they hiring 10 year olds to write the html/script? Sheesh.
Holy shit you might have just explained why I have to reset my password every time for a local fast food joints own website
This was me on a bank’s site till I clued in that I need to shorten my password.
I think walmart.com was or is that way. Took me a while to figure that crap out.
Had this problem with mint mobile a while ago haha
My favorite, though, is:
types in password “Password incorrect” goes to reset password “please enter a new password” types in password “your new password cannot be the same”
lmao, “security” moment
Brute force user names instead of password. Big Brian moment
Large Brian Moment, for real