I too love the Password game! Please save Paul! ~I truly care about him!~ ^Truly!^
(Sorry, I sometimes like to post really bad comments...)
This is a most excellent place for technology news and articles.
I too love the Password game! Please save Paul! ~I truly care about him!~ ^Truly!^
(Sorry, I sometimes like to post really bad comments...)
Haha this is great, got to the chess part before giving in
Same. My country was Jordan. Took way too long to figure out, because it dropped me in the middle of an empty amphitheater with no visible road signs, license plates, etc…
I just pasted all the countries and ditched the ones that were wrong.
Bruh, it just made me google dork to find out where a random street view was. 10/10 would recommend
“Sorry, that password is already in use” ruins it for me. That’s not a realistic message to receive.
Maybe “Your password cannot be one you’ve used previously”.
It follows the vein of some of the password rules and feedback reducing security itself. Like why disallow any characters or set a maximum password length in double digits? If you're storing a hash of the password, the hash function can handle arbitrary length strings filled with arbitrary characters. They run on files, so even null characters need to work. If you do one hash on the client's side and another one on the server, then all the extra computational power needed for a ridiculously long password will be done by the client's computer.
And I bet at least one site has used the error message "that password is already in use by " before someone else in the dev team said, "hang on, what?".
Fun fact: password controls like this have been obsolete since 2020. Standards that guide password management now focus on password length and external security features (like 2FA and robust password encryption for storage) rather than on individual characters in passwords.
Since 2017 at least; and IIRC years before that; that's just the earliest NIST publication on the subject I could find with a trivial Web search.
https://pages.nist.gov/800-63-3/sp800-63b.html
Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
"Memorized secrets" means classic passwords, i.e. a one-factor authentication through a shared secret presumed to be known to only the right person.
I wouldn’t say obsolete because that implies it’s not really used anymore. Most websites and apps still use validation not too dissimilar from the OP, even if it goes against the latest best practices.
Sorry, that password is already in use
BIG red flag. Abort. Abort.
Also I love when they only support certain special characters. So the psuedo random noise created by my password generator won't work until I curate out the unsupported characters.
I was changing my password on a pretty big company website the other day.
The password generated by my password manager kept giving me a http error (500 I think)
I generated a new password and deleted all the special characters other than the obvious ones. Boom, worked first time.
So looks like someone is not sanitising their inputs properly.
I sent them an email so hopefully they will fix.
I sent them an email so hopefully they will fix.
One can only hope. But based on my experience, they usually do not. I once sent an email to Microsoft telling them that their Microsoft account app had a vulnerability, and I even sent them the XML line they needed to add to their Android Manifest to fix it, and they wouldn't do it because it required physical access to the device to exploit. I mean, that's fair enough, but it was literally one line of code to plug the hole.
They eventually did add that line about 6 years later.
For those wanting to play this as a game, there is this wonderfully fiendish website.
https://neal.fun/password-game/
Rule 13 Your password must include the current phase of the moon as an emoji.
My favorite, though, is:
types in password "Password incorrect" goes to reset password "please enter a new password" types in password "your new password cannot be the same"
The worst part is that if they know that password is already in use.... then they aren't storing their passwords appropriately.
You could store the passwords as hashes and just compare the hashed value.
yes, but then they are not salted, which is what they should be doing.
True, but for the same big O they can salt the password for each user and compare it to what they have stored. My big pet peeve (that I've actually seen) is when they say your password is too similar to an old one. I have no idea how that could be reasonably done if they're storing your password correctly.
But are they peppered?
My favorite is when you forget your password and try to reset it but it cries that you can't use passwords you already used
Mother fucker if I remembered what I used I wouldn't be doing this
Lol, at this point just generate a password for me to save in my bitwarden.
The worst one is when it only supports up to like 16 characters but doesn't tell you so it will only use the first 16 characters and ignore the rest. The next time you need to enter it and get the 64 character password from your password manager it will just say it incorrect and you're left with no idea on why it's wrong.
Looks like someone's been playing the password game https://neal.fun/password-game/
That game made me want to punch.
This is one of the reasons why I am totally dependent on my password manager now.
60 character alphanumeric randomly generated password: sorry, that password is not secure enough, please include a special character
Type "Letmein69!" : perfect, very secure password
Me: 🤨
Yeah that really bugs me.
Like come one, "Ma5terp!ece" is more secure than "Regain Refinance Clarify Cuddle9"
Maybe in bizaro world.
I've seen this but with a final message of "Sorry, that password is already in use by user about2getOwned@gmail.com."
A password prompt should include all criteria upfront so that you can setup your password manager to generate a fitting password.
Getting the criteria or even just partial after you entered one is fucking atrocious.
Sorry, you must have a special character. Oh... Not THAT special character, it has to be a special special character, that one isn't valid. Ah, no, that one's too long. It should be shorter. It needs to be between 11 and 11.5 characters.
Half the time I now just enter random nonsense until it lets me create an account. Then, when I want to access a website/app again, I just 'forget' my password and reset it to some other random nonsense.
My new favorite is the minimum time between password changes. My last 2 jobs set it to 24 hours, so IT guy gives you the temp password and you can't change it for 24 hours. But wait, when you try to change it the error you get is "doesn't meet your organization's minimum complexity requirements" which does not help AT ALL and the IT guy thinks you're an idiot because you can't figure out the complexity requirements. What a great feature!
And that's when they tell you what you did wrong. Sometimes they'll reject the password without telling you why, because of some rule they didn't list. For example, I set a password in a parking app (Flowbird) which had an unmentioned restriction against spaces and Swedish letters (dispite targeting the Swedish market). Also, it lets you set a fairly long password, but when you try to log in on their webpage they've set maxlength="32" on the password field. So if you have a longer password you have to edit the DOM and remove that attribute to log in.
I hate that most places don't remind you what the rules of their passwords are if you've forgotten yours. Odds are I'd be able to correctly guess it if I knew.