• frezik@midwest.social
      link
      fedilink
      arrow-up
      28
      ·
      1 year ago

      I swear I’ve had this happen even with password managers, where there’s no way it’s being typed incorrectly. Some possibilities:

      • They’re truncating on one form but not the other
      • They’re being case insensitive on one but not the other
      • They’re otherwise filtering certain characters on one but not the other

      None of which bode well for that company’s password handling security.

      • psud@lemmy.world
        link
        fedilink
        arrow-up
        10
        ·
        1 year ago

        My electric and gas utility truncates passwords, but lets you type hundreds of chars when setting a new password

        To log in, you need to intuit how much of your password they’re using, if you enter too many chars it fails like in the op image

          • psud@lemmy.world
            link
            fedilink
            arrow-up
            9
            ·
            1 year ago

            Step 1: create a 20 character password, store it in your password manager

            Step 2: the account creation process keeps the first 16 characters

            Step 3: attempt to log in with the 20 character password, fail.

            I found the 16 character maximum in the password rules in their FAQ, so tried the first 16 chars of my password and it worked, so the above must be how it worked

            • Swarfega
              link
              fedilink
              English
              arrow-up
              4
              ·
              1 year ago

              The text boxes shouldn’t have a character limit on them for this very reason. If they need to configure a limit they should allow the form to be submitted but return an error telling it’s too many characters. Truncating the user’s input is really bad for the exact reason you mention.

              There’s a lot of sites with bad ways of handling credentials. I really hate sites that stop you from pasting in passwords.

              • psud@lemmy.world
                link
                fedilink
                arrow-up
                2
                ·
                1 year ago

                My bank used to block pasting, so I used a browser extension version of KeePass to auto type

                Luckily they changed that policy when password managers became the main recommended method of handling passwords

                So I no longer know my bank password, I saw it once when I accepted what KeePass generated

                • Swarfega
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  1 year ago

                  KeePass Auto-type is an amazing feature. One that many KeePass users also don’t seem to know about!

      • blind3rdeye
        link
        fedilink
        arrow-up
        6
        ·
        1 year ago

        I’ve had that happen a couple of times too. In the most striking example, I was able to log in by typing html escape tags instead of the special characters in the password. … … That’s a very bad sign for the website security for several obvious reasons.

      • dx1@lemmy.world
        link
        fedilink
        arrow-up
        5
        ·
        1 year ago

        I hit the truncation thing just yesterday. People seriously have a password input clipped at like 16 characters. A big company too.

      • Pika@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Walmart’s internal systems used to do this, if you used a special char in your password (such as an % or &) on newer devices you couldn’t log in anymore, only solution was having HR reset your login lol

      • shastaxc
        link
        fedilink
        arrow-up
        1
        arrow-down
        1
        ·
        1 year ago

        None of these possibilities have any effect on their password handling security since all of that is usually handled on the frontend (on your computer).

        • frezik@midwest.social
          link
          fedilink
          arrow-up
          1
          arrow-down
          1
          ·
          1 year ago

          What? No. No matter where it happens (and it could be on either side, depending on the whims of the programmers), passwords shouldn’t be fiddled with this way. They should be passed through to the password hashing algorithm unchanged. There is no reason to ever fuck with them, and doing so will reduce security.

    • TheGreenGolem
      link
      fedilink
      arrow-up
      22
      ·
      1 year ago

      My company forces me to change the password every 3 months AND I cannot use the last 10. I use a very strong password and this rule is ridiculous. So I just change it 11 times, iterating a number at the end until I can use my last one. Fuck you.

      Also correcthorsebatterystaple.

      • Texas_Hangover
        link
        fedilink
        arrow-up
        10
        arrow-down
        1
        ·
        1 year ago

        The more convoluted the Password rules are, the more sticky notes with the monthly password are found.

        • Bytemeister@lemmy.world
          link
          fedilink
          Ελληνικά
          arrow-up
          4
          ·
          1 year ago

          It also normalizes resetting passwords all the time for IT. Like, the help desk can get social engineered into resetting your password for someone else. Even if you use Self-Service Password management, you’ll still have callers every day who can’t figure out that system.

      • Zoidsberg@lemmy.ca
        link
        fedilink
        arrow-up
        7
        ·
        1 year ago

        You get three whole months? We have to change ours monthly. Everyone has passwords written on our laptops.

        • psud@lemmy.world
          link
          fedilink
          arrow-up
          3
          ·
          1 year ago

          Microsoft recommends 3 months. Places that follow MS advice will be on 3 months. A few years ago the above was to change every month

      • Faresh@lemmy.ml
        link
        fedilink
        English
        arrow-up
        3
        ·
        edit-2
        1 year ago

        Couldn’t a password manager generate and remember them for you?

        • greenskye
          link
          fedilink
          English
          arrow-up
          11
          ·
          1 year ago

          Typically you need your main company password reasonably typeable because you’ll be entering it constantly and often in places that don’t support password autofill.

          Which is also why forcing people to change passwords so often causes more issues than it solves. People just dumb it down until it meets the bare minimum requirements.

          • psud@lemmy.world
            link
            fedilink
            arrow-up
            2
            ·
            1 year ago

            Speaking of corporate passwords, a shitty system has the modern windows network support modern passwords, but some important system you need reads the windows network password, but enforces ancient windows password rules, including a length limit of 16 characters

      • GustavoM@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        14
        ·
        edit-2
        1 year ago

        I feel your pain. Then again, that is a good way to exercise your brain, getting you some new/fresh braincells.

        Your “future you” will definitely appreciate those “brain workouts”.