I’m actually surprised so many other people run into this. Happens to me all the time but I figure it’s because i use a VPN. A lot of sites will automatically lock your account if they consider a login attempt “suspicious”

It’s a bit of an infuriating story that I had not so long ago.

I have a Playstation account and I recently wanted to log into that account on the PlayStation website. The Password I had saved in my Bitwarden Password Manager was apparently wrong. Okay, then I will just reset it, that’s fine.

I went through the Password reset process and generated a new Password, pasted it into the Password field and sent it and everything was fine. I tried to log in with that password and was told that the username or password was wrong. Okay, that is weird, since I reset the password just now the login name couldn’t be wrong because, well, I just used that for the reset.

I tried that several times with the same result and gave up.

A few months later, I wanted to try again and had the same problem. I wanted to sort that out so I went through the same process with the Support bot yet again which then told me that I should come back in the “office hours”. A company making 84 billion in revenue should be able to employ 24/7 customer service or at least tell me that when I request support and not let me go through the bot again.

So, I waited for the customer service personnel to be available and told them my problem. There I was told that “everything was looking fine on their end” and they quickly ended the support. I mean, yes, I was angry but wasn’t abusive to that person because if you couldn’t help me what should I do with my account, it also definitely wasn’t their specific fault. But I would, at least, have expected more than “Well, works on our end, sucks for you, bye”.

The next time I tried again and got a more competent Support dude and we ran through the same troubleshooting steps as before. Reset password (even though I just did that, again, through the bot), logged in again and failed again. This time they suggested that I could use a “normal” password that I don’t generate. THAT worked for some reason.

All of my generated passwords in Bitwarden are up to 32 long with all possible characters, depending on what the website allows or expects. If a website, for example, doesn’t allow 32 characters, I adjust and shorten it to the maximum length they allow. That worked without issues so far.

Well, turns out that the field that you use to reset your password has a character limit of 30 characters. But, this would be fine if the dialogue tells you that your password is too long, but it doesn’t. It just cuts off at 30 characters and happily saves that.

However, the Password field that you use to log in doesn’t have that restriction.

This means that you reset your password with a 32-character long generated password, which is saved in your vault, PlayStation saves a 30-long password and then you use the 32-long password to log in, which fails because it isn’t the same.

And this isn’t even mentioned in the password guidelines. It only said “min 8 characters” but not the maximum.

I feel seen

I’ve had this happen on sites as a very shitty way to force users to change their passwords. Instead of simply telling you your PW has expired and you need to change it, the design is to invalidate your current password and leave you frustrated you can’t login, so you do a reset. Of course your password was correct, but you can’t re-use it. I’ve found this prevalent on government sites.