115 points

I just had to deal with my new electric company telling me that I couldn’t log in because my email was not in their system, but I couldn’t create a new account with that email because it was already in use within their system.

permalink
report
reply
22 points

That happened to be with Uber. Never could resolve it, then fraud happened in another country.

Tried to reach out to Uber to fix, was told to sign in to dispute. Couldn’t. Called bank, bank said to settle with vendor. Still can’t. Couldn’t call them because they don’t have phones.

Ended up going to the drivers depot and demanded they fix it since no one else could. Finally got them to delete it.

I will never trust a company that doesn’t have a phone/call center. Online only? Get lost

permalink
report
parent
reply
4 points

Had that issue when trying to use the app of one of the major package delivery services. Can’t register email because it is in use. Can’t login because password is not correct. Can’t reset the password because I get a weird error message. My credentials worked for some other part of their services but not here. Tried to contact support about it twice but got no response so I ditched using it. I’ll survive getting email and SMS notifications, thank you. If I need to send something I’ll just use one of the other services instead. The old dinosaurs of delivery services are so far behind in technology and user experience it’s crazy but they rely on competing in b2b so it doesn’t matter to them.

permalink
report
parent
reply
64 points

But you forgot the rule where it couldn’t be more than 12 characters long, so you didn’t try the correct variation until the validation error for the password reset told you what the rules are.

permalink
report
reply
54 points

THIS is the one that makes me the angriest.

I’m happy to comply with your complexity requirements, but don’t tell me about each one only when I’ve failed to meet it. That’s really past the bar of shitty design into the realm of asshole design.

permalink
report
parent
reply
13 points

I had an account with a bank that got bought. Always used the app, which worked fine, but I needed some document I could only get from the website. Go to log in and it gives me all sorts of weird errors. Support made me reset my password, all that stuff. I figured it out. Old bank would let you log in with email or username. New bank only let you log in with username, except it had dropped old bank’s username and put the email in the username field in their database. The website scrubbed emails from that field, and so it submitted a null username. The app didn’t l, so it let me log in. Weirdest issue I’ve ever had with a service and actually figured it out.

permalink
report
parent
reply
8 points
*

Using android banking app, phone broke, new phone with same app flagged and froze my whole account. I had no access to my money and had to physically go to the bank to get it all unlocked, they couldn’t do it over the phone. Only had $20 in my wallet and thankfully my cab driver took me there even though the fare was more. Not a fun day.

permalink
report
parent
reply
5 points

Whew yeah that’s a shitty one too. Good job working it out!

permalink
report
parent
reply
10 points

I’m not a security expert, so I’m sure someone can correct me, but it is my understanding that all the nonsense of adding numbers and special characters does nothing to increase security. Longer passwords increase security, even if they are all lowercase letters.

So, “PaS$w3rD@” is a much less secure password than “sallyandbillywenttothestoreforsoda”

permalink
report
parent
reply
11 points

You are exactly right and here is a comic that explains it. But nearly 0 websites have caught on to this.

https://xkcd.com/936/?correct=horse&battery=staple

permalink
report
parent
reply
4 points

That’s 59 and 159 bits of entropy, respectively according to some random online password entropy calculator I found.

Even better, just type out the whole sentence fully. Why disallow spaces?

“Sally and Billy went to the store for soda”. 274 bits.

permalink
report
parent
reply
1 point

It’s not that it does NOTHING to improve security… An 8-character password with more options per character IS more complex (and in that sense, secure) than one with fewer.

It’s just that adding more characters (e.g. in a passphrase, as per your example) also increases complexity, and is more usable.

permalink
report
parent
reply
3 points

And it’s so weird that almost everyone seems to do it that way. I can’t think of a reason other than complacency of a non-golden path interaction.

permalink
report
parent
reply
13 points
*

the rule where it couldn’t be more than 12 characters long

This is the one I don’t get. Sure you don’t want people putting in an infinitely long password, but I like to have my passwords at around 15 characters. Why are you forcing me to make a less secure password?

Only reason I can think of is storage but even at a massive scale, this is text, paying for that storage would cost as much as a rounding error.

permalink
report
parent
reply
24 points

It’s even worse. If done correctly, the length of the password does not affect the size of the stored value. Because if you’re doing it right, you only save the hash of the password. And the length of the hash is fixed.

permalink
report
parent
reply
11 points

But they don’t (shouldn’t) store the actual password. They store a hash of the password, which is the same length regardless of length of the actual password.

permalink
report
parent
reply
9 points

There’s a type of attack where you put absurdly large inputs into fields that perform expensive calculations, like password hashing… So imagine 100 computers spamming the login form with the whole Bee Movie script 10x per second (which would be a pretty small attack)… Cheap to send, expensive to process. As others mention, the storage should be cheap, because the hashed version of the password is all the same length.

So it makes sense for apps to have SOME upper limit… But it should be like 64 or 100 or 128 or 500 or something. 12 or 16 or 20 is just obnoxious.

permalink
report
parent
reply
2 points

My password generator is set to 24 characters. 12 or 15 seems a bit short.

permalink
report
parent
reply
45 points

One of our systems at work won’t let you use the last thirteen passwords. And it makes you change it monthly.

permalink
report
reply
30 points

Yeah, I’m sitting there changing my password 13 times until I can go back to mine. I already do this with our 3 month expiry, but ours only checks against the current password, not a history of old passwords.

Password expiry doesn’t make systems more secure, it makes users lazily set insecure passwords to deal with your shitty mind games.

permalink
report
parent
reply
6 points

I see your “13 resets in a row” and raise you a “minimum password age”.

permalink
report
parent
reply
5 points

Hello, Tech Support? Yeah, I can’t remember my password… I know, this is the 13th time this week… I’ll try real hard to remember this time I promise.

permalink
report
parent
reply
28 points

Any organization still doing this is a decade behind best practices. NIST published new recommendations years ago that specified getting rid of the practice of regular forced password resets specifically because they encourage bad practices that make passwords weaker.

Of course it doesn’t help that there are some industry compliance standards that have refused to update their requirements, but I don’t know of any that would require monthly password changes.

permalink
report
parent
reply
11 points

Where specifically could I find this recommendation so i can forward it to my IT department?

permalink
report
parent
reply
9 points
*

What you want is NIST 800-63b https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret

Specifically sections 5.1.1.1 and 5.1.1.2.

Excerpt from 5.1.1.2 pertaining to complexity and rotation requirements:

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

Appendix A of the document contains their reasoning for changing from the previous common wisdom.

The tl;dr of their changes boil down to length is more important than any other factor when it comes to password security.

Edit to add:

In my personal opinion, organizations should be trying to move away from passwords as much as possible. If your IT team seems to think this system is so important that they need to rotate passwords every month, they should probably be transitioning to hardware security tokens, passkeys, or worst case, password with non-sms MFA.

Now I know nothing about the actual circumstances and I know there are plenty of reasons why that may not be possible in this specific case, but I’d feel remiss if I didn’t mention it.

permalink
report
parent
reply
22 points
*

WorkPassword1

WorkPassword2

WorkPassword3….

permalink
report
parent
reply
11 points
*

JanPass.01

AprPass.04

JulPass.07

permalink
report
parent
reply
8 points

I only have had one coworker that didn’t do this stupid incrementation thing (some salt with a bit more than a number based on some logic).

He was the guy that would take a minute or two every time he needed to unlock his computer to open his password manager on his phone and slowly type out a long and difficult to type random password that he could never memorize due to the frequency we had to change passwords.

So many delays during conversations / meetings with this guy.

permalink
report
parent
reply
1 point

I do that but I set up Windows Hello so it’s quick.

permalink
report
parent
reply
5 points

PassA, PassB, PassC, etc.

permalink
report
parent
reply
3 points

Use a password inspired from dice

permalink
report
parent
reply
33 points

It’s a bit of an infuriating story that I had not so long ago.

I have a Playstation account and I recently wanted to log into that account on the PlayStation website. The Password I had saved in my Bitwarden Password Manager was apparently wrong. Okay, then I will just reset it, that’s fine.

I went through the Password reset process and generated a new Password, pasted it into the Password field and sent it and everything was fine. I tried to log in with that password and was told that the username or password was wrong. Okay, that is weird, since I reset the password just now the login name couldn’t be wrong because, well, I just used that for the reset.

I tried that several times with the same result and gave up.

A few months later, I wanted to try again and had the same problem. I wanted to sort that out so I went through the same process with the Support bot yet again which then told me that I should come back in the “office hours”. A company making 84 billion in revenue should be able to employ 24/7 customer service or at least tell me that when I request support and not let me go through the bot again.

So, I waited for the customer service personnel to be available and told them my problem. There I was told that “everything was looking fine on their end” and they quickly ended the support. I mean, yes, I was angry but wasn’t abusive to that person because if you couldn’t help me what should I do with my account, it also definitely wasn’t their specific fault. But I would, at least, have expected more than “Well, works on our end, sucks for you, bye”.

The next time I tried again and got a more competent Support dude and we ran through the same troubleshooting steps as before. Reset password (even though I just did that, again, through the bot), logged in again and failed again. This time they suggested that I could use a “normal” password that I don’t generate. THAT worked for some reason.

All of my generated passwords in Bitwarden are up to 32 long with all possible characters, depending on what the website allows or expects. If a website, for example, doesn’t allow 32 characters, I adjust and shorten it to the maximum length they allow. That worked without issues so far.

Well, turns out that the field that you use to reset your password has a character limit of 30 characters. But, this would be fine if the dialogue tells you that your password is too long, but it doesn’t. It just cuts off at 30 characters and happily saves that.

However, the Password field that you use to log in doesn’t have that restriction.

This means that you reset your password with a 32-character long generated password, which is saved in your vault, PlayStation saves a 30-long password and then you use the 32-long password to log in, which fails because it isn’t the same.

And this isn’t even mentioned in the password guidelines. It only said “min 8 characters” but not the maximum.

permalink
report
reply
11 points

Sadly more common than one would expect.

permalink
report
parent
reply
8 points

I mean I wish you could sue them for that. This is just incompetence on their side.

permalink
report
parent
reply
2 points

The short version:

This means that you reset your password with a 32-character long generated password, which is saved in your vault, PlayStation saves a 30-long password and then you use the 32-long password to log in, which fails because it isn’t the same.

That password prompt should be scorched to earth.

permalink
report
parent
reply
24 points

Go back to try again, now that you have confirmation the old password was, in fact, correct:

Wrong password

permalink
report
reply

memes

!memes@lemmy.world

Create post

Community rules

1. Be civil

No trolling, bigotry or other insulting / annoying behaviour

2. No politics

This is non-politics community. For political memes please go to !politicalmemes@lemmy.world

3. No recent reposts

Check for reposts when posting a meme, you can only repost after 1 month

4. No bots

No bots without the express approval of the mods or the admins

5. No Spam/Ads

No advertisements or spam. This is an instance rule and the only way to live.

Sister communities

Community stats

  • 12K

    Monthly active users

  • 2.4K

    Posts

  • 42K

    Comments