We’ve all been there.
I’ve seen this but with a final message of “Sorry, that password is already in use by user about2getOwned@gmail.com.”
- Login to their account
- Change their password to something else
- Set your password
But what if the password you want to set is already in use?
Refer to my above comment until that is no longer the case.
Fun fact: password controls like this have been obsolete since 2020. Standards that guide password management now focus on password length and external security features (like 2FA and robust password encryption for storage) rather than on individual characters in passwords.
Since 2017 at least; and IIRC years before that; that’s just the earliest NIST publication on the subject I could find with a trivial Web search.
https://pages.nist.gov/800-63-3/sp800-63b.html
Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
“Memorized secrets” means classic passwords, i.e. a one-factor authentication through a shared secret presumed to be known to only the right person.
For today’s 10,000 who have never seen it, https://xkcd.com/936/ succinctly explains why the whole mixed character types thing isn’t favoured.
Except you can run a dictionary attack on that and suddenly it’s only 4 variables that are cracked way faster than the first password.
Except you can run a dictionary attack on that and suddenly it’s only 4 variables that are cracked way faster than the first password.
People should be made aware of all the tools available to properly manage tons of passwords. Not even going too deep into “passkey” stuff or any modern shenanigans, but a password manager used to generate random passwords for each separate sites is such a simple step.
I wouldn’t say obsolete because that implies it’s not really used anymore. Most websites and apps still use validation not too dissimilar from the OP, even if it goes against the latest best practices.
Yeah, the most recent one for me was creating a password at lemmy.world
I too love the Password game! Please save Paul! ~I truly care about him!~ Truly!
(Sorry, I sometimes like to post really bad comments…)
For those wanting to play this as a game, there is this wonderfully fiendish website.
https://neal.fun/password-game/
Rule 13 Your password must include the current phase of the moon as an emoji.
I got stuck on the chess one. Used to think I was pretty decent at the game. After a few tries I gave up and tried a few websites that claim to be able to solve it and none found the “correct” move.
“Sorry, that password is already in use” ruins it for me. That’s not a realistic message to receive.
Maybe “Your password cannot be one you’ve used previously”.
Should be: “your password cannot be one of your last 24 passwords”
At my work they wanted better security, and made the rule of minimum 12 characters, must include all sorts of numbers, special characters, etc, no previously used password and it must be changed every month, 3 attempts then the account is locked and you have to call IT.
The result was that people wrote their passwords on post-its on the screen, so it led to worse security overall and they had ro relax the rules.
Fuck. I gave it a try for real this time and hit a permanent game over condition.
spoiler
Apparently you can overfeed Paul
Darn, I wanted to see what came next. Some of those rules were hilarious. But I’m not doing that all again.
That was my limit too!
Had to give up at rule 20 because I was using a phone.
Spoiler
As much
funpain as that was, highlighting with a touch screen is nowhere near fast enough to put out the fire.Would love to see a speedrun leaderboard for this, though.
I got to the “wordle” one before giving up. jesus lol, nice meme
It was crone btw.
wow, spoilers /jk
The worst one is when it only supports up to like 16 characters but doesn’t tell you so it will only use the first 16 characters and ignore the rest. The next time you need to enter it and get the 64 character password from your password manager it will just say it incorrect and you’re left with no idea on why it’s wrong.
I can do you one worse.
My banking app password was not case sensitive for many, many years. They finally fixed it a few years back though!
deleted by creator
Holy shit you might have just explained why I have to reset my password every time for a local fast food joints own website
This was me on a bank’s site till I clued in that I need to shorten my password.
Why do you have an account for your local fast food joint?!
To order through their site, I try to use the places own sites instead of justeat etc so they get more of the money. As you can imagine they aren’t the best websites though.
You can’t just order per telefon?
so he can get even faster food? idk
My absolute favourite is when your password is too long but they don’t tell you that, I guess because they weren’t expecting it. It only causes a hitch when you later try to login and it doesn’t let you …
Sorry, that password is already in use
BIG red flag. Abort. Abort.
Also I love when they only support certain special characters. So the psuedo random noise created by my password generator won’t work until I curate out the unsupported characters.
deleted by creator
Unfortunately a lot of jobs require passwords and they use outdated security processes, forcing people to have the old fashioned “must have uppercase, lowercase, number, and special character & you have to change it every 3 months for no reason” passwords instead of the stronger (and less annoying) alternatives.
i signed up at mba.com and it wouldn’t let me use a password because it contained a semicolon which wasn’t on the approved list of special characters, and then - get this - because I tried too many times to create a password - locked me out because I had “too many failed attempts”
Password can’t exceed 32 characters
Garbage
i wouldn’t even mind if it was 32. 32 is a damn strong password.
I’ve seen as low as 10 digits in the past
My Wells Fargo password used to be max 8 characters, and when you use the phone you you can basically use the keypad to log in.
So it’s basically 8 DIGITS
32 is a damn strong password
Not necessarily: only if it’s generated properly, and only for the moment - that will change in the next few years.
You do realize that length and symbol type are only 2 out of many other factors that go into a strong password?
Ok, fair, not all 32 digit passwords will be secure.
11111111111111111111111111111111 is not secure, but I was trying to imply, in a properly generated password, 32 digits long is very secure.
but I was trying to imply, in a properly generated password, 32 digits long is very secure.
I understand, and I think you make a valid point as far as the discussion is concerned.
It’s unfortunately still a little more complicated than that, though.
Like I said, there’s more to a password than length and symbol type.
Even something like cF*+@aXbIdFHje2vZiU-1 is less secure than if it were generated by a good PRNG.
D0@ndro!dsDr@3@m0f3l3ctr!cSh33p? is also insecure, though it might have been considered secure 4-5 years ago.
You see what I’m saying?
Then of course there’s hash algorithms and how those are used to authenticate the passwords themselves, etc.
You think that’s bad, a decade ago I had to use a government-run website that required passwords be exactly 8 characters
Fifty fucking cabbages, the 2023 version
My cabbages!
Here is an alternative Piped link(s): https://piped.video/zRFDr8Vgp_Q
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I’m open-source, check me out at GitHub.
Thanks for introducing me to Piped!
My favorite, though, is:
types in password “Password incorrect” goes to reset password “please enter a new password” types in password “your new password cannot be the same”
That just means you entered it wrong the first time.
Sometimes it means the page checking the password is following a different ruleset eg. the main page is case sensitive and the change password page isn’t. Sometimes it’s stuff like the entered password is silently truncated to a fixed number of characters and because of that won’t let you log in. Sometimes it’s wierd character expansions being passed directly to the password checking routine (& or similar).
Removed by mod
deleted by creator
Because it’s much more fun to come up with passphrases like Correct Battery Horse Staple.
It’s a lot easier to remember that than #@?Zk23!nPw
You are not supposed to have to remember anything but your master password. :)
I’d rather try and remember than have a single point of failure for all my accounts’ security.
If the passwords are stored offline then I can’t get at them if I’m away from where they’re stored. If they’re stored online they’re not secure.
Removed by mod
Encryption can be decrypted. A password manager encrypting your passwords is like saying your car has working brakes. It’s totally unsafe to even consider operating without but it doesn’t say much when it is there.
It’s not a matter of “why should I trust them” but “why should I trust them more than the system that already exists”. I get the appeal, but the hole is big.
If I forget a password I reset it. If I forget my manager’s password can it be reset? Is the reset option, if extent, susceptible to attack?
If an account gets compromised it could have moderate repercussions, but probably minimal depending on the account, with maybe a couple exceptions. If managed passwords get compromised that’s potentially everything. There has not, and likely never will be, an impenetrable system, so it is a possibility if not a concern.
Looks like someone’s been playing the password game https://neal.fun/password-game/
That game made me want to punch.
