We’ve all been there.
For those wanting to play this as a game, there is this wonderfully fiendish website.
https://neal.fun/password-game/
Rule 13 Your password must include the current phase of the moon as an emoji.
Sorry, you must have a special character. Oh... Not THAT special character, it has to be a special special character, that one isn't valid. Ah, no, that one's too long. It should be shorter. It needs to be between 11 and 11.5 characters.
Half the time I now just enter random nonsense until it lets me create an account. Then, when I want to access a website/app again, I just ‘forget’ my password and reset it to some other random nonsense.
That password is already in use by user ‘gigachad’.
I’ve seen this but with a final message of “Sorry, that password is already in use by user [email protected].”
Sorry, that password is already in use
BIG red flag. Abort. Abort.
Also I love when they only support certain special characters. So the pseudo-random noise created by my password generator won’t work until I curate out the unsupported characters.
I too love the Password game! Please save Paul! ~I truly care about him!~ Truly!
(Sorry, I sometimes like to post really bad comments…)
My absolute favourite is when your password is too long but they don’t tell you that, I guess because they weren’t expecting it. It only causes a hitch when you later try to login and it doesn’t let you …
Fun fact: password controls like this have been obsolete since 2020. Standards that guide password management now focus on password length and external security features (like 2FA and robust password encryption for storage) rather than on individual characters in passwords.
For today’s 10,000 who have never seen it, https://xkcd.com/936/ succinctly explains why the whole mixed character types thing isn’t favoured.
I’m still waiting on an XKCD that references #936 with the fact that as soon as we have reliable, functional quantum computing, all of the passwords from before that point in time will be completely and utterly broken. That the only way to make a password that a quantum computer would have a tough time breaking is if it was made by another quantum computer. Unless of course the comic has already been made and I just missed it, which is a complete possibility because this year for me has been utterly crap.
soon as we have reliable, functional quantum computing
Which we’ve been told is right around the corner for decades. The issue is that QC doesn’t scale up. If you try you get vastly more noise than signal. Current work in QC is all aimed at reducing that noise, but even for only 70 qubits, the current state of the art can’t eliminate enough of the noise for QC to be useful in most applications.
The only places it’s currently bearing any fruit is where all of the extra work to reduce noise and the delays that incurs are irrelevant because there is no classical approach at all. But even then, the costs are enormous and the benefits are miniscule.
I wouldn’t say obsolete because that implies it’s not really used anymore. Most websites and apps still use validation not too dissimilar from the OP, even if it goes against the latest best practices.
Yeah, the most recent one for me was creating a password at lemmy.world
I wouldn’t say obsolete because that implies it’s not really used anymore.
I’m not sure where you heard someone use the word “obsolete” that way, but I assure you that there are thousands if not millions of examples of obsolete technologies in constant and everyday use.
Yeah, I agree. The best example of this is Linux. To anyone who disagrees, why does a modern operating system require you to use a terminal, or edit config files instead of changing settings in a GUI?
It’s THE example of ancient software being pushed on to naive techies that would rather have an insecure open source project than a safe, walled garden like Microsoft Windows 11.
Although Windows 11 does have its problems. The chief of which is bogging down the streamlined simplicity with things a normal user won’t need like a package manager.
The best example of this is Linux.
Ouch… so, you might want to learn more about technology before commenting in a Technology community…
why does a modern operating system require you to use a terminal
Because a terminal is one of the most powerful modes of interaction ever invented. It can serve as a relatively low-tech UI, but it is also simple enough to be used as a machine interface. It is lightweight, works even when other protocols and interfaces are thwarted by infrastructure issues, because it is simple text, but also meant to be read by a human, it can make for a great interface for logging, you don’t have to guess at which obscure standard (if any) to use to talk to it, compliance with relevant standards is baked into nearly every language ever written, etc.
Try building a system like Kubernetes on graphical UIs… I dare you.
It’s THE example of ancient software being pushed on to naive techies
What industry are you working in?! AWS is nearly all Linux. Google Cloud is nearly all Linux. Android is Linux. Hell, even Microsoft finally relented and is now strongly supporting their Windows Subsystem for Linux (WSL) because it’s necessary for supporting modern cloud applications.
that would rather have an insecure open source project than a safe, walled garden like Microsoft Windows 11.
Okay, this has to be a troll… right? This is a troll? Please tell me you can’t be serious.
I know it can be hard to have your ideas questioned, but at least try to be civil. I never questioned your intentions, yet you’re acting like I’m crazy. A walled garden is obviously more secure than an open source project because nobody can even see the code to find vulnerabilities in it. There is a reason why Android is moving further and further away from open sores code.
What industry are you working in?! AWS is nearly all Linux. Google Cloud is nearly all Linux. Android is Linux. Hell, even Microsoft finally relented and is now strongly supporting their Windows Subsystem for Linux (WSL) because it’s necessary for supporting modern cloud applications.
I understand that you like horses. You ride one every day, and you might have even named your horse. The fact is that it’s time to buy a car. Notice I said buy. Quality software costs money, and always will. It’s time to move into the future with the rest of us.
the terminal is simple
Yes, I agree. Throwing rocks is also simpler than firing a gun, yet modern militaries aren’t training slingers anymore. I’ve developed games using Windows exclusively (for a lot of money, I assure you) and I’ve never once had to use a terminal ever. I literally just have to email my source code to my boss, and he compiles it. I have no need to know how, because it’s not my problem. There’s no need to use a terminal when I have Visual Studio and Outlook. If you want to be a cool hackerman you can, but I’d rather use something that’s intuitive and works.
I think anyone who uses Linux is stuck in the past. Communism doesn’t work either, bucko.
I know it can be hard to have your ideas questioned, but at least try to be civil. I never questioned your intentions, yet you’re acting like I’m crazy.
I think that’s all you. I have never suggested that you are crazy. I suggested that calling Microsoft software “safe” as opposed to Linux which is, “insecure,” sounds like trolling. But that’s because it sounds like trolling. No crazy stated or implied.
A walled garden is obviously more secure than an open source project because nobody can even see the code to find vulnerabilities in it.
You should learn more about the world of software. Seriously. Security experts have been reasonably unanimous in their support of the “Many Eyes Make All Bugs Shallow” approach to software security for decades, even while they have criticized it as a mantra that ignores the flaws in a presumption of open source software security.
But just to put it in a simple logically sealed box: Microsoft’s source code has been leaked several times, and of course, bad actors probably have gained access to it throughout the years without such public knowledge. This means that the fundamental difference between Microsoft’s proprietary codebase and open source codebases is not, cannot be the availability of source code. Rather, it is the ability for independent groups to review the code on an ongoing basis.
When the only difference is independent review, the only possible result is higher security.
I understand that you like horses. You ride one every day, and you might have even named your horse. The fact is that it’s time to buy a car.
None of this constitutes a logical refutation to the examples I provided, which are critical components of modern software development and deployment.
Source: I’m a professional software release engineer who has worked with many of the world’s largest corporations.
Quality software costs money
For starters, this is unfounded cargo culting. There is no evidence for this at all. I can point to dozens of very expensive piles of crufty old software that no one should ever go near, and also to some free software that is literally foundational to the modern software world.
Money has nothing to do with the quality of software, but you’re also mistaken if you think open source software is free. You can pay IBM millions of dollars for a suite of enterprise-ready open source software. Most of the cost in such software is rarely the software itself. It’s services, support, training and customization.
Throwing rocks is also simpler than firing a gun, yet modern militaries aren’t training slingers anymore
But they are succeeding wildly by using largely open source software running on open hardware for drones, networking, battlefield analysis, logistics, etc.
Since 2017 at least, and IIRC years before that; that’s just the earliest NIST publication on the subject I could find with a trivial Web search.
https://pages.nist.gov/800-63-3/sp800-63b.html
Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
“Memorized secrets” means classic passwords, i.e. a one-factor authentication through a shared secret presumed to be known to only the right person.
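A memorized-secret check written to the SP 800-63B guidance quoted above, added here as an example rather than code from anyone in the thread: length is the only structural gate, there are no character-class or repeated-character rules, and the secret is screened against a blocklist and against context-specific words. The `BLOCKLIST` contents, `MAX_LENGTH` value and `context_words` parameter are constructed for illustration; the 8-character minimum and the blocklist/context requirements are the ones 800-63B states.

```python
"""Added example: a memorized-secret check in the style of NIST SP 800-63B.
Length and blocklist are the only gates; no composition rules at all.
The blocklist and policy numbers below are constructed for illustration."""
import unicodedata

# Constructed stand-in for a breached/common-password blocklist. A real one is
# large and loaded from a file or a service, not hard-coded.
BLOCKLIST = {"password", "123456789", "qwertyuiop", "letmein1"}

MIN_LENGTH = 8     # 800-63B minimum for a user-chosen secret
MAX_LENGTH = 256   # 800-63B asks verifiers to allow at least 64; be generous


def normalize(secret: str) -> str:
    """NFKC normalization so the same visible string always compares equal."""
    return unicodedata.normalize("NFKC", secret)


def check_memorized_secret(secret: str, context_words=()) -> list[str]:
    """Return the reasons a secret is rejected; an empty list means accepted.

    Deliberately absent: any rule about character classes, repeated
    characters, or 'unsupported' symbols. Spaces, emoji and NUL are all fine.
    """
    problems = []
    s = normalize(secret)
    if len(s) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    lowered = s.lower()
    if lowered in BLOCKLIST:
        problems.append("appears in the breached/common password list")
    # 800-63B also disallows context-specific words (username, service name).
    for word in context_words:
        if word and word.lower() in lowered:
            problems.append(f"contains context-specific word {word!r}")
    return problems
```

Calling `check_memorized_secret("correct horse battery staple")` returns an empty list, while an eight-character entry from the blocklist is rejected by the blocklist alone, not by any rule about what characters it contains.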
“Sorry, that password is already in use” ruins it for me. That’s not a realistic message to receive.
Maybe “Your password cannot be one you’ve used previously”.
Should be: “your password cannot be one of your last 24 passwords”
Especially for those places that want your password changed every two weeks.
It follows the vein of some of the password rules and feedback reducing security itself. Like why disallow any characters or set a maximum password length in double digits? If you’re storing a hash of the password, the hash function can handle arbitrary length strings filled with arbitrary characters. They run on files, so even null characters need to work. If you do one hash on the client’s side and another one on the server, then all the extra computational power needed for a ridiculously long password will be done by the client’s computer.
And I bet at least one site has used the error message “that password is already in use by <account>” before someone else in the dev team said, “hang on, what?”.
Should say by who. :)
Now we are talking :)
Password can’t exceed 32 characters
Garbage
You think that’s bad, a decade ago I had to use a government-run website that required passwords be exactly 8 characters
The worst part is that if they know that password is already in use… then they aren’t storing their passwords appropriately.
You could store the passwords as hashes and just compare the hashed value.
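An added example, not code posted by anyone in the thread, showing why a “that password is already in use” message is a red flag: comparing stored hashes across users only works when the hash is unsalted, and an unsalted fast hash is exactly what a verifier should not store. With a random per-user salt and a slow KDF, two users holding the same password produce unrelated records, so the server can verify a login but cannot tell that the password is shared. The iteration count is lowered for speed and the sample password is constructed.

```python
"""Added example: unsalted hashing (cross-user comparison possible) beside
salted, slow hashing (comparison impossible, verification still works).
Iteration count is illustrative; production values are far higher."""
import hashlib
import hmac
import os

ITERATIONS = 10_000  # illustrative only


def hash_unsalted(password: str) -> bytes:
    """The storage scheme that makes 'already in use by X' possible:
    same input gives the same digest for every user."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def make_record(password: str) -> tuple[bytes, bytes]:
    """Salted storage: fresh random salt per user, slow KDF over the pair."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(record: tuple[bytes, bytes], attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def reuse_visible(records) -> bool:
    """Could the server, looking only at stored records, find two users with
    the same password? With unique salts the digests differ even for equal input."""
    digests = [d for _, d in records]
    return len(digests) != len(set(digests))


def demo() -> dict:
    shared = "correct horse battery staple"  # constructed sample
    alice, bob = make_record(shared), make_record(shared)
    return {
        "unsalted_reveals_reuse": hash_unsalted(shared) == hash_unsalted(shared),
        "salted_reveals_reuse": reuse_visible([alice, bob]),
        "alice_can_log_in": verify(alice, shared),
        "bob_wrong_password": verify(bob, "correct horse battery stapler"),
    }
```

`demo()` reports the unsalted scheme exposing the reuse and the salted scheme hiding it while both users still authenticate normally; a site that can name another user with the same password is therefore storing something it should not.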
that password is already in use
lmao, “security” moment
Brute force user names instead of password. Big Brian moment
Large Brian Moment, for real
My favorite, though, is:
types in password “Password incorrect” goes to reset password “please enter a new password” types in password “your new password cannot be the same”
That just means you entered it wrong the first time.
It often means that one could have derived the correct password from the set of rules - but those rules are not shown when asking for the old password
Exactly this. I want to normalize showing the password requirements when you don’t immediately get the password - if you made me jump through hoops the first time, at least remind me what they were!
Looks like someone’s been playing the password game https://neal.fun/password-game/
That game made me want to punch.
The worst one is when it only supports up to like 16 characters but doesn’t tell you, so it will only use the first 16 characters and ignore the rest. The next time you need to enter it and get the 64 character password from your password manager it will just say it’s incorrect and you’re left with no idea why it’s wrong.
Holy shit, you might have just explained why I have to reset my password every time for a local fast food joint’s own website
So secure even you don’t know the password. It’s like built-in MFA.
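An added example, not from anyone in the thread, that models the silent-truncation failure described above beside a store that handles the arbitrary-length, NUL-containing passwords the earlier comment about hashing argues for. A fixed-size client-side prehash feeds a salted, slow server-side KDF, so a very long password costs the server nothing extra; the `registration_limit` parameter, the 16-character cut-off and the sample passwords are constructed, and the iteration count is lowered for speed.

```python
"""Added example: a registration form that silently keeps only the first 16
characters, next to the same pipeline without the cut. Client prehash keeps
the server's slow-KDF cost constant regardless of password length."""
import hashlib
import hmac
import os

ITERATIONS = 10_000   # illustrative only


def client_prehash(password: str) -> bytes:
    """Run on the client: 32-byte output whether the password is 8 or 8,000
    characters, NUL bytes included, so server work does not scale with length."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def server_kdf(prehashed: bytes, salt: bytes) -> bytes:
    """Run on the server: slow, salted KDF over the fixed-size prehash."""
    return hashlib.pbkdf2_hmac("sha256", prehashed, salt, ITERATIONS)


class PasswordStore:
    """registration_limit=None is the correct store; a number reproduces the
    mismatch above: registration cuts the input, login hashes the whole thing."""

    def __init__(self, registration_limit=None):
        self.limit = registration_limit
        self.records = {}

    def register(self, user: str, password: str) -> None:
        if self.limit is not None:
            password = password[:self.limit]  # the silent cut (constructed flaw)
        salt = os.urandom(16)
        self.records[user] = (salt, server_kdf(client_prehash(password), salt))

    def verify(self, user: str, attempt: str) -> bool:
        salt, digest = self.records[user]
        return hmac.compare_digest(server_kdf(client_prehash(attempt), salt), digest)


def demo() -> dict:
    long_pw = "x" * 16 + "-the-other-48-characters-from-the-manager-are-here"  # constructed
    nul_pw = "null\x00byte" + "z" * 500                                     # constructed
    bad, good = PasswordStore(registration_limit=16), PasswordStore()
    for store in (bad, good):
        store.register("u", long_pw)
        store.register("n", nul_pw)
    return {
        "truncating_rejects_full_password": not bad.verify("u", long_pw),
        "truncating_accepts_first_16": bad.verify("u", long_pw[:16]),
        "full_accepts_full_password": good.verify("u", long_pw),
        "full_rejects_near_miss": not good.verify("u", long_pw + "!"),
        "nul_and_long_ok": good.verify("n", nul_pw),
        "prehash_is_fixed_size": len(client_prehash("a" * 10_000)) == 32,
    }
```

The truncating store is the one where the password manager’s 64-character entry fails at login even though registration accepted it; the same pipeline without the cut accepts any length and any byte, and the server’s cost stays constant because the KDF only ever sees a 32-byte prehash.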