How on earth can you both not accept the password I copied from my password safe and tell me that I cannot use the same pasaword again?

  • villainy@lemmy.world
    2·
    6 minutes ago

    I had this happen once where input validation on login and password change were different. I was allowed to set my password to a string containing a special character not accepted by the login form. Top men.

  • GrabtharsHammer@lemmy.world
    5·
    58 minutes ago

    This often happens when you entered the right password but have a typo in the user name. Everyone tries the password again, but nobody spell checks their email or username.

  • Cid Vicious@sh.itjust.worksEnglish
    3·
    3 hours ago

    As someone who regularly uses a vpn, I’ve noticed that there’s a surprising number of sites that will just lock your account if they decide they don’t like your ip address.

  • RustyNova@lemmy.world
    91·
    4 hours ago

    I once had to reset my password as the new one got truncated without telling me.

    Yes. It was deemed too long.

    It was for an company that got plenty of my personal data

    • cron@feddit.orgOP
      2·
      3 hours ago

      Why on earth would someone truncate a password? I could make at least 10 more memea about bad handling of passwords

      • marcos@lemmy.world
        3·
        20 minutes ago

        There’s no good reason. Whoever did it, did it for a bad reason. (Oh, well, there’s no good reason until you reach several thousand characters.)

        That said, it could be worse. Some sites do not truncate your password at the creation form, and only truncate it on the login screen. (Yeah, that happened to me, in 2 different sites.)

      • kautau@lemmy.world
        4·
        3 hours ago

        Why? Probably some wild row length limit being hit where a table storing user data was storing an asinine amount of data, just terrible DB organization in an org where someone said “who even needs a DBA.”

        How? If you can truncate user passwords, you should never handle user passwords again, unless you’re a student or hobbyist learning a valuable lesson.

        • MajorHavoc@programming.dev
          2·
          3 hours ago

          How? If you can truncate user passwords, you should never handle user passwords again, unless you’re a student or hobbyist learning a valuable lesson.

          Yeah. The real reason to be alarmed is worse than the obvious one.

          If a partial version of what was originally set actually works later, it implies a scary chance they’re not even hashing the password before storing it.

          • sloppy_diffuser@sh.itjust.worksEnglish
            2·
            2 hours ago

            Also suggests the user may be reusing the same prefix if only the changed bits are getting truncated.

            Should use different random passwords every time. Completely random or a random string of words. While it doesn’t solve the cleartext password storage issue, a data breach won’t compromise all your other accounts to same degree.

            Doesn’t hurt to also randomize usernames, emails, and even security question answers.

            edit: or my new favorite passkeys, just make sure you trust whatever tool is managing your private keys.

  • Willem@kutsuya.dev
    13·
    5 hours ago

    If there has been a data leak, they might block your current password because the hash has been leaked

    • MajorHavoc@programming.dev
      2·
      3 hours ago

      If there has been a data leak, they might block your current password because the hash has been leaked

      I’m sure that makes them feel much better, lol.

      • Willem@kutsuya.dev
        2·
        3 hours ago

        The leak doesn’t even need to happen on their site, they could check the password hash against known leaked hashes (from have I been pwned for example) and block it

    • cron@feddit.orgOP
      9·
      5 hours ago

      Yes, that might be a plausible theory. Basically a bad yersion of you must change your password.

      • kitnaht@lemmy.world
        24·
        5 hours ago

        How would that be considered bad? Is this some meme I’m too stupid to understand or something?

        • cron@feddit.orgOP
          17·
          5 hours ago

          It would be better if the login flow said something like

          For security reasons, we ask you to set a new password, please use the “password forgotten” function to gain access again.

          instead of me being puzzled why my password doesn’t work.

          • kewjo@lemmy.world
            4·
            4 hours ago

            except now anyone guessing your password knows when they guess your password right? while that site is safe most users use the same password and any site they use with the same email is now vulnerable.

  • chuckleslord@lemmy.world
    11·
    2 hours ago

    They’re lying about the issue and don’t trust that you’re who you say you are. It’s security systems 101. If you give informative error messages, they can be used to reverse engineer the password of accounts. So every error is going to be “incorrect password”

    • marcos@lemmy.world
      1·
      17 minutes ago

      That part is possible:

      They’re lying about the issue and don’t trust that you’re who you say you are.

      The rest of your comment is just bad. I doubt you even manage to keep that information secret, much less get a positive value out of the entire machination.

    • cron@feddit.orgOPEnglish
      2·
      1 hour ago

      Sounds like security by obscurity to me. Works, but rarely the best solution.

  • cm0002@lemmy.world
    5·
    5 hours ago

    Lol I usually abort the password reset flow and try to login with the same password lmao

  • Majorllama@lemmy.world
    2·
    5 hours ago

    It’s like when you are trying to blindly install a USB type A . First orientation is wrong so you flip it. Second orientation is wrong so you get confused and flip it again only for it work easily lol.