this post was submitted on 23 Sep 2023
1241 points (98.1% liked)

Comic Strips

12616 readers
2848 users here now

Comic Strips is a community for those who love comic stories.

The rules are simple:

Web of links

founded 1 year ago
MODERATORS
top 50 comments
sorted by: hot top controversial new old
[–] thanks_shakey_snake@lemmy.ca 105 points 1 year ago (4 children)

If they just showed the password rules on the login page, this would happen 80% less often to me.

[–] sonnenzeit@feddit.de 25 points 1 year ago (2 children)

It's so annoying to have to discover the rules one rejected attempt at a time. Worse yet: sometimes you just get vague feedback a la "password contains illegal characters". I usually let KeePassXC generate a safe password for me but in that case I then have to manually permutate the different character classes (numbers, letters, spaces, punctuation, etc) until I find the offender. No good.

[–] stankmut@lemmy.world 28 points 1 year ago

Password must contain an uppercase letter.
Password must contain a special character.
Not that one.
Not that one either.
Nearly had it there! Too bad you only get 5 attempts. Account locked.

[–] joel_feila@lemmy.world 11 points 1 year ago

One time i hand to look up what "half width character" even was. Answer lower case

[–] bradmont@lemmy.ca 15 points 1 year ago (1 children)

If they just showed the password on the login page, this would happen 100% less often to me.

load more comments (1 replies)
[–] lugal@lemmy.ml 53 points 1 year ago (1 children)

"Password is already taken by user123"

[–] psud@lemmy.world 9 points 1 year ago* (last edited 1 year ago) (1 children)

That's number 1 in how to tell the organisation has really bad password management

Number 2 is getting an email:

Welcome to shittyTech

Your account is successfully created with name "psud", password "T<©"9_Pt#sbw«:r_R }$° Z-"

*Edited to have a password like a sensible modern user would let their password manager set, instead of the XKCD one

[–] lugal@lemmy.ml 9 points 1 year ago (2 children)

I don't minde the email when it continues with "please change the password when you first log in"

load more comments (2 replies)
[–] 2d@kbin.social 34 points 1 year ago (1 children)

that last panel is freaking hilarious

[–] bradmont@lemmy.ca 11 points 1 year ago (2 children)

I don't understand what it's communicating. Is he happy? Did he give up on technology, or society altogether?

[–] RudeOnTuesdays@lemmy.world 31 points 1 year ago

He's reexamining his life.

[–] SoonaPaana@lemmy.world 20 points 1 year ago (2 children)

Wait. This is starting to sound like it is no longer a user error.

[–] frezik@midwest.social 27 points 1 year ago (6 children)

I swear I've had this happen even with password managers, where there's no way it's being typed incorrectly. Some possibilities:

  • They're truncating on one form but not the other
  • They're being case insensitive on one but not the other
  • They're otherwise filtering certain characters on one but not the other

None of which bode well for that company's password handling security.

[–] psud@lemmy.world 10 points 1 year ago (2 children)

My electric and gas utility truncates passwords, but lets you type hundreds of chars when setting a new password

To log in, you need to intuit how much of your password they're using, if you enter too many chars it fails like in the op image

[–] Neon@lemmy.world 3 points 1 year ago (1 children)
[–] psud@lemmy.world 9 points 1 year ago (1 children)

Step 1: create a 20 character password, store it in your password manager

Step 2: the account creation process keeps the first 16 characters

Step 3: attempt to log in with the 20 character password, fail.

I found the 16 character maximum in the password rules in their FAQ, so tried the first 16 chars of my password and it worked, so the above must be how it worked

[–] Swarfega@lemm.ee 4 points 1 year ago (1 children)

The text boxes shouldn't have a character limit on them for this very reason. If they need to configure a limit they should allow the form to be submitted but return an error telling it's too many characters. Truncating the user's input is really bad for the exact reason you mention.

There's a lot of sites with bad ways of handling credentials. I really hate sites that stop you from pasting in passwords.

[–] psud@lemmy.world 2 points 1 year ago (1 children)

My bank used to block pasting, so I used a browser extension version of KeePass to auto type

Luckily they changed that policy when password managers became the main recommended method of handling passwords

So I no longer know my bank password, I saw it once when I accepted what KeePass generated

load more comments (1 replies)
load more comments (1 replies)
[–] blind3rdeye@lemm.ee 5 points 1 year ago

I've had that happen a couple of times too. In the most striking example, I was able to log in by typing html escape tags instead of the special characters in the password. ... ... That's a very bad sign for the website security for several obvious reasons.

[–] dx1@lemmy.world 5 points 1 year ago

I hit the truncation thing just yesterday. People seriously have a password input clipped at like 16 characters. A big company too.

[–] Pika@sh.itjust.works 2 points 1 year ago

Walmart's internal systems used to do this, if you used a special char in your password (such as an % or &) on newer devices you couldn't log in anymore, only solution was having HR reset your login lol

load more comments (2 replies)
[–] TheGreenGolem@lemm.ee 21 points 1 year ago (4 children)

My company forces me to change the password every 3 months AND I cannot use the last 10. I use a very strong password and this rule is ridiculous. So I just change it 11 times, iterating a number at the end until I can use my last one. Fuck you.

Also correcthorsebatterystaple.

[–] Texas_Hangover@lemm.ee 8 points 1 year ago (1 children)

The more convoluted the Password rules are, the more sticky notes with the monthly password are found.

[–] Bytemeister@lemmy.world 4 points 1 year ago

It also normalizes resetting passwords all the time for IT. Like, the help desk can get social engineered into resetting your password for someone else. Even if you use Self-Service Password management, you'll still have callers every day who can't figure out that system.

[–] Zoidsberg@lemmy.ca 7 points 1 year ago (1 children)

You get three whole months? We have to change ours monthly. Everyone has passwords written on our laptops.

[–] psud@lemmy.world 3 points 1 year ago

Microsoft recommends 3 months. Places that follow MS advice will be on 3 months. A few years ago the above was to change every month

[–] Faresh@lemmy.ml 3 points 1 year ago* (last edited 1 year ago) (1 children)

Couldn't a password manager generate and remember them for you?

[–] greenskye@lemm.ee 11 points 1 year ago (1 children)

Typically you need your main company password reasonably typeable because you'll be entering it constantly and often in places that don't support password autofill.

Which is also why forcing people to change passwords so often causes more issues than it solves. People just dumb it down until it meets the bare minimum requirements.

load more comments (1 replies)
load more comments (1 replies)
[–] Kolanaki@yiffit.net 19 points 1 year ago

"Your password is incorrect"

"Oooooh..."

Types "incorrect"

[–] MooseBoys@lemmy.world 16 points 1 year ago

Tell me you’ve had a data breach without telling me you’ve had a data breach.

[–] tillary@sh.itjust.works 8 points 1 year ago* (last edited 1 year ago) (4 children)

This'll happen if there's been a suspected data breach with poor password encryption or requirements. Gotta be safe and change the algorithm, breaking everyone's existing passwords. But yeah, it is annoying...

[–] TheLadyAugust@lemmy.world 20 points 1 year ago

I wouldn't have a problem with this if the website just told us there was a breach and we need to change our password. The problem is when they gaslight me about it.

[–] psud@lemmy.world 3 points 1 year ago

It also happens with the following process:

  1. create a new 20 char password
  2. system truncates your input to 16 chars
  3. try to log in with your 20 char password, fail since it doesn't match the hash for the 16 char version of it
  4. go to 1 (or follow the op image if you use the same pass)
[–] Psythik@lemm.ee 2 points 1 year ago (1 children)

Oh, I thought it had something to do with password hashes, where websites don't actually know your password, but if the hash is the same, then it assumes that you entered the right PW. At least that's how my non-technical brain understands how it works.

load more comments (1 replies)
load more comments (1 replies)
[–] workerONE@lemmy.world 7 points 1 year ago* (last edited 1 year ago) (2 children)
[–] psud@lemmy.world 13 points 1 year ago* (last edited 1 year ago)

Why did you just type stars?

load more comments (1 replies)
[–] thisbenzingring@lemmy.sdf.org 6 points 1 year ago

there has never been something so silly and so true

[–] dipshit@lemmy.world 5 points 1 year ago

Ouch! Right in the brain!

[–] Nobody@lemmy.world 2 points 1 year ago

Accidental capitalization. Your fingers lie to you sometimes.

load more comments
view more: next ›