7mo ago

I hate passwords

How on earth can you both not accept the password I copied from my password safe and tell me that I cannot use the same pasaword again?

45 comments

If there has been a data leak, they might block your current password because the hash has been leaked
- Yes, that might be a plausible theory. Basically a bad yersion of you must change your password.
- If there has been a data leak, they might block your current password because the hash has been leaked
  I'm sure that makes them feel much better, lol.
  
  The leak doesn't even need to happen on their site, they could check the password hash against known leaked hashes (from have I been pwned for example) and block it
I once had to reset my password as the new one got truncated without telling me.
Yes. It was deemed too long.
It was for an company that got plenty of my personal data
- Why on earth would someone truncate a password? I could make at least 10 more memea about bad handling of passwords
  
  Why? Probably some wild row length limit being hit where a table storing user data was storing an asinine amount of data, just terrible DB organization in an org where someone said “who even needs a DBA.”
  How? If you can truncate user passwords, you should never handle user passwords again, unless you’re a student or hobbyist learning a valuable lesson.
  
  There's no good reason. Whoever did it, did it for a bad reason. (Oh, well, there's no good reason until you reach several thousand characters.)
  That said, it could be worse. Some sites do not truncate your password at the creation form, and only truncate it on the login screen. (Yeah, that happened to me, in 2 different sites.)
This often happens when you entered the right password but have a typo in the user name. Everyone tries the password again, but nobody spell checks their email or username.
- You're right, this is plausible
- What about my banking app????
  Six digits!!! Only six digits!!!
this is probably some half of the site is silently truncating the password, while the other half isn't
- Or adding a space because pasting. That happens a lot too
- It's surprisingly often that the login page doesn't use the same password processing code as the password reset/account creation pages, and it can be very frustrating at times.
I had this happen once where input validation on login and password change were different. I was allowed to set my password to a string containing a special character not accepted by the login form. Top men.
- I've had a similar experience with a service that automatically truncated passwords if they were too long
  
  Note that for others reading this, what normal people think of as too long probably doesn't signify. Some asshat somewhere may have decided greater than something like 8 characters is "too long." Without telling you. Said asshat may indeed even be on the database side, and concluded somehow that varchar(8) should be sufficient for storing passwords. Right???
  It is not only easy for flagrantly badly designed web systems to display this behavior, but also depressingly common. And more closely the page or system you're using is related to your local government, the probability of it being hilariously incompetently designed moves ever closer to becoming 1.
Get a password manager.
- I have some weird mental block regarding starting to use them. I really should stop procrastinating.
  
  Yes, please get a password manager. This improves both security and ease of use.
  
  Start using it! You dont have to insert all your passwords immediately. It can naturally grow, minimizing startup cost
  
  Get your shit together bro. Wtf are you even doing with your life. They're free ffs.
Lol I usually abort the password reset flow and try to login with the same password lmao
As someone who regularly uses a vpn, I've noticed that there's a surprising number of sites that will just lock your account if they decide they don't like your ip address.
- Yeah, I hate that. They don't always lock it but will just reject the password with no indication of why.
I've never really understood why most systems are set up to reject a password reset if it's the same password. Is there a security issue there that I'm not picking up on?
It seems like they should just let you reset your password anyway if you've reached that screen (usually using some kind of authorisation, like using a link with a token in it that gets emailed to you or something).
- The security risk I see is that the cause of you resetting your password could be that it is leaked. For that case, it is good to remind the user that they shouldn't override it with their current password. That said it would be nice to have a "I know what I am doing" option and allow it anyway
  
  If you forgot your password and are trying to reset it with the exact same password you forgot, then you obviously don't know what you are doing.
  
  Ah, that's a great point!
- Having a "change password" option that allows you to not change your password would be somewhat strange ;)
It's like when you are trying to blindly install a USB type A . First orientation is wrong so you flip it. Second orientation is wrong so you get confused and flip it again only for it work easily lol.
- The joke I’ve heard is that USB cables exist in 4 dimensions, that’s why you need to flip them around twice before they connect.
They could be truncating the password in one form but not the other.

45 comments