We’ve all been there.

  • zeppo@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    “Sorry, that password is already in use” ruins it for me. That’s not a realistic message to receive.

    Maybe “Your password cannot be one you’ve used previously”.

      • quat@lemmy.sdfeu.org
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        At my work they wanted better security, and made the rule of minimum 12 characters, must include all sorts of numbers, special characters, etc, no previously used password and it must be changed every month, 3 attempts then the account is locked and you have to call IT.

        The result was that people wrote their passwords on post-its on the screen, so it led to worse security overall and they had ro relax the rules.

  • SevenDigitCode@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    My favorite, though, is:

    types in password “Password incorrect” goes to reset password “please enter a new password” types in password “your new password cannot be the same”

      • tony@lemmy.hoyle.me.uk
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        1 year ago

        Sometimes it means the page checking the password is following a different ruleset eg. the main page is case sensitive and the change password page isn’t. Sometimes it’s stuff like the entered password is silently truncated to a fixed number of characters and because of that won’t let you log in. Sometimes it’s wierd character expansions being passed directly to the password checking routine (& or similar).

  • Tyler_Zoro@ttrpg.network
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Fun fact: password controls like this have been obsolete since 2020. Standards that guide password management now focus on password length and external security features (like 2FA and robust password encryption for storage) rather than on individual characters in passwords.

    • fubo@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      1 year ago

      Since 2017 at least; and IIRC years before that; that’s just the earliest NIST publication on the subject I could find with a trivial Web search.

      https://pages.nist.gov/800-63-3/sp800-63b.html

      Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

      “Memorized secrets” means classic passwords, i.e. a one-factor authentication through a shared secret presumed to be known to only the right person.

    • Rufio@lemm.ee
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      I wouldn’t say obsolete because that implies it’s not really used anymore. Most websites and apps still use validation not too dissimilar from the OP, even if it goes against the latest best practices.

      • Tyler_Zoro@ttrpg.network
        link
        fedilink
        English
        arrow-up
        0
        ·
        1 year ago

        I wouldn’t say obsolete because that implies it’s not really used anymore.

        I’m not sure where you heard someone use the word “obsolete” that way, but I assure you that there are thousands if not millions of examples of obsolete technologies in constant and everyday use.

        • toomanyjoints69@lemmygrad.ml
          link
          fedilink
          English
          arrow-up
          0
          ·
          1 year ago

          Yeah i agree. The best example of this is Linux. To anyone who disagrees, why does a modern operating system require you to use a terminal, or edit config files instead of changing settings in a gui?

          Its THE example of ancient software being pushed on to niave techies that would rather have an insecure open source project than a safe, walled garden like Microsoft Windows 11.

          Although Windows 11 does have its problems. The chief of which is bogging down the streamlined simplicity with things a normal user wont need like a package manager.

          • Tyler_Zoro@ttrpg.network
            link
            fedilink
            English
            arrow-up
            0
            ·
            1 year ago

            The best example of this is Linux.

            Ouch… so, you might want to learn more about technology before commenting in a Technology community…

            why does a modern operating system require you to use a terminal

            Because a terminal is one of the most powerful modes of interaction ever invented. It can serve as a relatively low-tech UI, but it is also simple enough to be used as a machine interface. It is lightweight, works even when other protocols and interfaces are thwarted by infrastructure issues, because it is simple text, but also meant to be read by a human, it can make for a great interface for logging, you don’t have to guess at which obscure standard (if any) to use to talk to it, compliance with relevant standards is baked into nearly every language ever written, etc.

            Try building a system like Kubernetes on graphical UIs… I dare you.

            Its THE example of ancient software being pushed on to niave techies

            What industry are you working in?! AWS is nearly all Linux. Google Cloud is nearly all Linux. Android is Linux. Hell, even Microsoft finally relented and is now strongly supporting their Windows Subsystem for Linux (WSL) because it’s necessary for supporting modern cloud applications.

            that would rather have an insecure open source project than a safe, walled garden like Microsoft Windows 11.

            Okay, this has to be a troll… right? This is a troll? Please tell me you can’t be serious.

            • toomanyjoints69@lemmygrad.ml
              link
              fedilink
              English
              arrow-up
              0
              ·
              edit-2
              1 year ago

              I know it can be hard to have your ideas quedtioned, but at least try to be civil. I never questioned your intentions, yet youre acting like im crazy. A walled garden is obviously more secure than an open source project because nobody can even see the code to find vulnerabilities in it. There is a reason why Android is moving further and further away from open sores code.

              What industry are you working in?! AWS is nearly all Linux. Google Cloud is nearly all Linux. Android is Linux. Hell, even Microsoft finally relented and is now strongly supporting their Windows Subsystem for Linux (WSL) because it’s necessary for supporting modern cloud applications.

              I understand that you like horses. You ride one every day, and you might have evwn named your horse. The fact is that its time to buy a car. Notice i said buy. Quality software costs money, and always will. Its time to move into the future with the rest of us.

              the terminal is simple

              Yes i agree. Throwing rocks is also simpler than firing a gun, yet modern militaries arent training slingers anymore. Ive developed games using Windows exclusivley (for a lot of money i asure you) and ive never once had to use a terminal ever. I literally just have to email my source code to my boss, and he compiles it. I have no need to know how, because its not my problem. Theres no need to use a terminal when i have Visual Studio and Outlook. If you want to be a cool hackerman you can, but id rather use something thats intuitive and works.

              I think anyone who uses Linux is stuck in the past. Communism doesnt work either, bucko.

              • Tyler_Zoro@ttrpg.network
                link
                fedilink
                English
                arrow-up
                2
                ·
                1 year ago

                I know it can be hard to have your ideas quedtioned, but at least try to be civil. I never questioned your intentions, yet youre acting like im crazy.

                I think that’s all you. I have never suggested that you are crazy. I suggested that calling Microsoft software “safe” as opposed to Linux which is, “insecure,” sounds like trolling. But that’s because it sounds like trolling. No crazy stated or implied.

                A walled garden is obviously more secure than an open source project because nobody can even see the code to find vulnerabilities in it.

                You should learn more about the world of software. Seriously. Security experts have been reasonably unanimous in their support of the “Many Eyes Make All Bugs Shallow” approach to software security for decades, even while they have criticized it as a mantra that ignores the flaws in a presumption of open source software security.

                But just to put it in a simple logically sealed box: Microsoft’s source code has been leaked several times, and of course, bad actors probably have gained access to it throughout the years without such public knowledge. This means that the fundamental difference between Microsoft’s proprietary codebase and open source codebases is not, cannot be the availability of source code. Rather, it is the ability for independent groups to review the code on an ongoing basis.

                When the only difference is independent review, the only possible result is higher security.

                I understand that you like horses. You ride one every day, and you might have evwn named your horse. The fact is that its time to buy a car.

                None of this constitutes a logical refutation to the examples I provided, which are critical components of modern software development and deployment.

                Source: I’m a professional software release engineer who has worked with many of the world’s largest corporations.

                Quality software costs money

                For starters, this is unfounded cargo culting. There is no evidence for this at all. I can point to dozens of very expensive piles of crufty old software that no one should ever go near, and also to some free software that is literally foundational to the modern software world.

                Money has nothing to do with the quality of software, but you’re also mistaken if you think open source software is free. You can pay IBM millions of dollars for a suite of enterprise-ready open source software. Most of the cost in such software is rarely the software itself. It’s services, support, training and customization.

                Throwing rocks is also simpler than firing a gun, yet modern militaries arent training slingers anymore

                But they are succeeding wildly by using largely open source software running on open hardware for drones, networking, battlefield analysis, logistics, etc.

    • Corhen@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      i wouldn’t even mind if it was 32. 32 is a damn strong password.

      I’ve seen as low as 10 digits in the past

      • iopq@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        My Wells Fargo password used to be max 8 characters, and when you use the phone you you can basically use the keypad to log in.

        So it’s basically 8 DIGITS

      • graphite@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        arrow-down
        1
        ·
        edit-2
        1 year ago

        32 is a damn strong password

        Not necessarily: only if it’s generated properly, and only for the moment - that will change in the next few years.

        You do realize that length and symbol type are only 2 out of many other factors that go into a strong password?

        • Corhen@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Ok, fair, not all 32 digit passwords will be secure.

          11111111111111111111111111111111 is not secure, but I was trying to imply, in a properly generated password, 32 digits long is very secure.

          • graphite@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            1
            ·
            edit-2
            1 year ago

            but I was trying to imply, in a properly generated password, 32 digits long is very secure.

            I understand, and I think you make a valid point as far as the discussion is concerned.

            It’s unfortunately still a little more complicated than that, though.

            Like I said, there’s more to a password than length and symbol type.

            Even something like cF*+@aXbIdFHje2vZiU-1 is less secure than if it were generated by a good PRNG.

            D0@ndro!dsDr@3@m0f3l3ctr!cSh33p? is also insecure, though it might have been considered secure 4-5 years ago.

            You see what I’m saying?

            Then of course there’s hash algorithms and how those are used to authenticate the passwords themselves, etc.

    • Revan343@lemmy.ca
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      You think that’s bad, a decade ago I had to use a government-run website that required passwords be exactly 8 characters

  • FluffyPotato@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    The worst one is when it only supports up to like 16 characters but doesn’t tell you so it will only use the first 16 characters and ignore the rest. The next time you need to enter it and get the 64 character password from your password manager it will just say it incorrect and you’re left with no idea on why it’s wrong.

    • KairuByte@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      I can do you one worse.

      My banking app password was not case sensitive for many, many years. They finally fixed it a few years back though!

    • dlok@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      Holy shit you might have just explained why I have to reset my password every time for a local fast food joints own website

      • d3Xt3r@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        1 year ago

        Because it’s much more fun to come up with passphrases like Correct Battery Horse Staple.

            • Doug [he/him]@midwest.social
              link
              fedilink
              English
              arrow-up
              0
              ·
              1 year ago

              I’d rather try and remember than have a single point of failure for all my accounts’ security.

              If the passwords are stored offline then I can’t get at them if I’m away from where they’re stored. If they’re stored online they’re not secure.

              • 001100 010010@lemmy.dbzer0.com
                link
                fedilink
                English
                arrow-up
                0
                ·
                edit-2
                1 year ago

                Some are online, but encrypted, with options to export the passwords in case the service goes down.

                “Why should I trust them?”

                Well, the software is open source, and regularly audited by people using it. Many password managers, such as Bitwarden (not sponsored, although I’d like to get a sponsorship) uses end-to-end encryption to secure the passwords so someone hacking the servers or a rogue employee can’t access anything, It would just look like random noise. You don’t have to know coding, you just have to trust that someone in the world will have the knowledge to inspect the code and report any suspicious code. Just regularly back up the passwords to a local file so you still have them in case they shut down.

                Trying to remember passwords made me constantly stressed trying to remember them. A password made life much easier. Better than a single point of failure like your brain. One password is much easier to remember, and that one password can be as complex as you want, because that’s the only one you’d have to worry about.

                Sincerely,

                Someone who’s depressed af and constantly forget passwords

                • Doug [he/him]@midwest.social
                  link
                  fedilink
                  English
                  arrow-up
                  0
                  ·
                  1 year ago

                  Encryption can be decrypted. A password manager encrypting your passwords is like saying your car has working brakes. It’s totally unsafe to even consider operating without but it doesn’t say much when it is there.

                  It’s not a matter of “why should I trust them” but “why should I trust them more than the system that already exists”. I get the appeal, but the hole is big.

                  If I forget a password I reset it. If I forget my manager’s password can it be reset? Is the reset option, if extent, susceptible to attack?

                  If an account gets compromised it could have moderate repercussions, but probably minimal depending on the account, with maybe a couple exceptions. If managed passwords get compromised that’s potentially everything. There has not, and likely never will be, an impenetrable system, so it is a possibility if not a concern.

    • SSTF@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      1 year ago

      Unfortunately a lot of jobs require passwords and they use outdated security processes, forcing people to have the old fashioned “must have uppercase, lowercase, number, and special character & you have to change it every 3 months for no reason” passwords instead of the stronger (and less annoying) alternatives.

      • funkless@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        i signed up at mba.com and it wouldn’t let me use a password because it contained a semicolon which wasn’t on the approved list of special characters, and then - get this - because I tried too many times to create a password - locked me out because I had “too many failed attempts”