90

Infuriating Password Policies

posted
*
by
Avatar
techconsulnerd@programming.dev
in
Avatar
mildlyinfuriating@lemmy.world
28 comments
hidereport

This is a rant about dumb password policies enforced by some websites or apps. If you see these password rules forced to you, try to stay away if possible.

Can’t use special characters, or use a pre-defined special characters only

Are you storing the password in plaintext that your database will break when have special characters?

Password can’t be longer than X characters

Most probably storing the password in plaintext and their database column is limited to those characters limit.

Password expire every X months, without notice, suddenly can’t login. Reset it and can’t use the last 5 passwords

They store your previous passwords, either encrypted or plaintext.

Sort:
HotTopControversialNewOld
Avatar
sijt@lemmy.world
45 points

The biggest red flag is when they try and stop you from pasting your password (or anything else for that matter) breaking password managers.

There are years-long arguments on social media with companies who do this with actual security experts telling them they’re hurting security (including referencing organisations like the UK’s National Cyber Security Centre) and their only response is “we don’t allow pasting for security reasons” but they can never explain how it helps security - because it doesn’t. It drives me mad.

permalink
report
reply
Avatar
mrspaz@lemmy.world
10 points

I had one recently that (when changing / creating the password) would allow you paste into the “new password” field but not the “confirm password” field. Super annoying.

I just opened dev tools, pasted it into the “value” property for the control, and kept on truckin’. Just nuts that had to be done though.

permalink
report
parent
reply
Avatar
sijt@lemmy.world
5 points

Lots of sites do it on the email fields for some reason. I’m far more likely to miss type my email address, twice, than my password manager is likely to somehow complete it wrong.

permalink
report
parent
reply
Avatar
jcabral9@lemmy.world
23 points

It’s the worst when they make you solve a chess puzzle and today’s wordle

permalink
report
reply
Avatar
ReaderTunesOctopus@lemmy.world
13 points

All is fine until the eggs starts burning

permalink
report
parent
reply
Avatar
Ockenheimer@feddit.de
4 points

Paul starved two times….

permalink
report
parent
reply
Avatar
macarthur_park@lemmy.world
5 points

I overfed him :(

permalink
report
parent
reply
Avatar
dual_sport_dork 🐧🗡️@lemmy.world
21 points

“Cannot use a sequence of characters used in any previous password,” or “Cannot use a previous password backwards.” Those are sure fire indicators that they’re storing your passwords in plain text.

I used to have a bank that had the first rule. Emphasis: Used to.

And putting an upperbound length limit on passwords is pants-on-head loony, unless the length limit is very large, like 1024 characters or something. Especially if it’s going to be hashed anyway.

permalink
report
reply
Avatar
KHTangent@lemmy.world
7 points

Some password hashing functions have a maximum input length. That could be a reason for some of the requirements. E.g. if I remember correctly, bcrypt used a maximum of 60 characters, while still being an ok choice for a hashing function

permalink
report
parent
reply
Avatar
dual_sport_dork 🐧🗡️@lemmy.world
6 points

Well, sure. But in that case it should be the max length of whatever the hash method is. The full 60 characters, and not something dumb like 12.

permalink
report
parent
reply
Avatar
zockersanftmut@feddit.de
2 points
*

My bank has a rule that your password needs to be exactly 5 characters. It’s completely nonsensical. Thankfully, a few years ago they at least implemented two factor authentication so there’s some safety. Otherwise I would probably change to a different bank.

permalink
report
parent
reply
Avatar
andyli@lemmy.world
13 points

Have you played the password game yet?

https://neal.fun/password-game/

permalink
report
reply
Avatar
MilitantAtheist@lemmy.world
2 points

I have. The .fun domain is an insult.

permalink
report
parent
reply
Avatar
deejay4am@lemmy.world
13 points

I forgot my password to a local government site once and they emailed me my plaintext password. Wtf.

permalink
report
reply
Avatar
driving_crooner@lemmy.eco.br
4 points

There was a service in a company I worked for that also send you your password in plain text by email. I reported it to the infosec department and they were like yeah, we know, but the system is not important and we don’t care. Mf don’t know that people reuse their passwords everywhere??

permalink
report
parent
reply
Avatar
techconsulnerd@programming.devOP
3 points

Happened to me too. Who’s the dumb government vendor doing these applications?

permalink
report
parent
reply

Mildly Infuriating

!mildlyinfuriating@lemmy.world

Create post

Home to all things “Mildly Infuriating” Not infuriating, not enraging. Mildly Infuriating. All posts should reflect that.

I want my day mildly ruined, not completely ruined. Please remember to refrain from reposting old content. If you post a post from reddit it is good practice to include a link and credit the OP. I’m not about stealing content!

It’s just good to get something in this website for casual viewing whilst refreshing original content is added overtime.

Rules:

1. Be Respectful

Refrain from using harmful language pertaining to a protected characteristic: e.g. race, gender, sexuality, disability or religion.

Refrain from being argumentative when responding or commenting to posts/replies. Personal attacks are not welcome here.

2. No Illegal Content

Content that violates the law. Any post/comment found to be in breach of common law will be removed and given to the authorities if required.

That means: -No promoting violence/threats against any individuals

-No CSA content or Revenge Porn

-No sharing private/personal information (Doxxing)

3. No Spam

Posting the same post, no matter the intent is against the rules.

-If you have posted content, please refrain from re-posting said content within this community.

-Do not spam posts with intent to harass, annoy, bully, advertise, scam or harm this community.

-No posting Scams/Advertisements/Phishing Links/IP Grabbers

-No Bots, Bots will be banned from the community.

4. No Porn/Explicit

Content

-Do not post explicit content. Lemmy.World is not the instance for NSFW content.

-Do not post Gore or Shock Content.

5. No Enciting Harassment,

Brigading, Doxxing or Witch Hunts

-Do not Brigade other Communities

-No calls to action against other communities/users within Lemmy or outside of Lemmy.

-No Witch Hunts against users/communities.

-No content that harasses members within or outside of the community.

6. NSFW should be behind NSFW tags.

-Content that is NSFW should be behind NSFW tags.

-Content that might be distressing should be kept behind NSFW tags.

7. Content should match the theme of this community.

-Content should be Mildly infuriating.

-At this time we permit content that is infuriating until an infuriating community is made available.

8. Reposting of Reddit content is permitted, try to credit the OC.

-Please consider crediting the OC when reposting content. A name of the user or a link to the original post is sufficient.

Also check out:

Partnered Communities:

1.Lemmy Review

2.Lemmy Be Wholesome

3.Lemmy Shitpost

4.No Stupid Questions

5.You Should Know

6.Credible Defense

Reach out to LillianVS for inclusion on the sidebar.

All communities included on the sidebar are to be made in compliance with the instance rules.

Community stats

  • 6.9K

    Monthly active users

  • 899

    Posts

  • 54K

    Comments

Community moderators