this post was submitted on 09 Jan 2025
75 points (97.5% liked)

Ask Lemmy

27401 readers
1273 users here now

A Fediverse community for open-ended, thought provoking questions


Rules: (interactive)


1) Be nice and; have funDoxxing, trolling, sealioning, racism, and toxicity are not welcomed in AskLemmy. Remember what your mother said: if you can't say something nice, don't say anything at all. In addition, the site-wide Lemmy.world terms of service also apply here. Please familiarize yourself with them


2) All posts must end with a '?'This is sort of like Jeopardy. Please phrase all post titles in the form of a proper question ending with ?


3) No spamPlease do not flood the community with nonsense. Actual suspected spammers will be banned on site. No astroturfing.


4) NSFW is okay, within reasonJust remember to tag posts with either a content warning or a [NSFW] tag. Overtly sexual posts are not allowed, please direct them to either !asklemmyafterdark@lemmy.world or !asklemmynsfw@lemmynsfw.com. NSFW comments should be restricted to posts tagged [NSFW].


5) This is not a support community.
It is not a place for 'how do I?', type questions. If you have any questions regarding the site itself or would like to report a community, please direct them to Lemmy.world Support or email info@lemmy.world. For other questions check our partnered communities list, or use the search function.


6) No US Politics.
Please don't post about current US Politics. If you need to do this, try !politicaldiscussion@lemmy.world or !askusa@discuss.online


Reminder: The terms of service apply here too.

Partnered Communities:

Tech Support

No Stupid Questions

You Should Know

Reddit

Jokes

Ask Ouija


Logo design credit goes to: tubbadu


founded 2 years ago
MODERATORS
 

Context is that I had to register for a lot of accounts recently and some of the rules really make no sense.

Not name-and-shaming, but the best one I've seen recently is that I might have accidentally performed an XSS attack on a career portal using a 40-digit randomly generated password...

[–] lama@lemmy.world 11 points 12 hours ago* (last edited 12 hours ago) (1 children)

By far the worst is the Costa Rican national bank:

  • Must be between 8 and 16 characters long
  • Must have at least 4 letters and 4 numbers
  • Can't have consecutively repeated characters (can't do "aa" but can do "aba")
  • Can't have vowels or Ñ
  • Must not be one of your last 6 passwords
  • Must be changed every 90 days
  • Also forgot that their website and app try to block password managers and copy and paste
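As an added illustration (not part of the comment above), here is a count of how many passwords can actually satisfy the rules just listed, using a small dynamic program over character classes. It assumes the alphabet is the 21 consonants plus 10 digits, with no symbols and no case distinction, since the comment does not say:

```python
from functools import lru_cache
from math import log2

# Policy as quoted in the comment. Alphabet sizes are assumptions (the comment does not
# say whether letters are case-sensitive or whether symbols are allowed):
# 26 letters minus the 5 vowels = 21 consonants, plus 10 digits, nothing else.
CONSONANTS = 21
DIGITS = 10


def count_passwords(length, min_letters=4, min_digits=4, letters=CONSONANTS, digits=DIGITS):
    """Number of strings of exactly `length` characters that contain at least
    `min_letters` letters and `min_digits` digits and never repeat a character
    consecutively.  Characters within a class are interchangeable, so the state
    only needs the class of the previous character, not its identity."""

    @lru_cache(maxsize=None)
    def ways(remaining, need_l, need_d, last):
        if remaining == 0:
            return 1 if need_l == 0 and need_d == 0 else 0
        # A letter following a letter may not be the same letter; likewise for digits.
        letter_choices = letters - 1 if last == "L" else letters
        digit_choices = digits - 1 if last == "D" else digits
        return (letter_choices * ways(remaining - 1, max(need_l - 1, 0), need_d, "L")
                + digit_choices * ways(remaining - 1, need_l, max(need_d - 1, 0), "D"))

    return ways(length, min_letters, min_digits, None)


def policy_keyspace(min_len=8, max_len=16, **kw):
    """Total number of passwords the policy admits across all allowed lengths."""
    return sum(count_passwords(n, **kw) for n in range(min_len, max_len + 1))


def bits(n):
    """Entropy of a uniformly random choice from a space of size n, in bits."""
    return log2(n) if n > 0 else 0.0


if __name__ == "__main__":
    total = policy_keyspace()
    unconstrained = sum((CONSONANTS + DIGITS) ** n for n in range(8, 17))
    print(f"policy keyspace: 2^{bits(total):.1f}; same lengths without the rules: 2^{bits(unconstrained):.1f}")
    # The composition rules cost under a bit against a random attacker; the real cost is
    # that the 90-day rotation and the no-paste rule push people away from random choices.
```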
[–] beastlykings@sh.itjust.works 3 points 7 hours ago

I was reading along like, that's dumb but at least I could craft something in my password man-... Oh.. oh no..

[–] dion_starfire@lemm.ee 8 points 17 hours ago (1 children)

My favorite is a major credit card company with case-insensitive passwords. They also only allow a small handful of special characters, so the total possible character space is roughly 42 characters. Needless to say, I chose to use a password that was the maximum allowed length (which was sadly also only 32 characters).

[–] WolfLink@sh.itjust.works 2 points 13 hours ago (1 children)

If it was a fully random password that’s still plenty of entropy.

[–] SpatchyIsOnline@lemmy.world 4 points 10 hours ago

Except that's not the issue. This clearly reeks of the passwords not being hashed.

[–] ObsidianNebula@sh.itjust.works 9 points 20 hours ago* (last edited 20 hours ago)

I had to log back into an account for an app (I think Taco Bell) that decided to remove passwords entirely without any notice. You typed in your email address, had to open your email account and click a link they sent you, it would open a webpage, which would then have a button to open the app again. If I remember correctly too, it would only work on Chrome, so I had to copy and paste the link since Chrome isn't my default browser that automatically opens from my mobile email.

Besides that, I remember some website required a special character from an extremely small list and wouldn't allow two of the same letter back-to-back.

[–] Flax_vert@feddit.uk 3 points 17 hours ago

Six numbers only.

[–] CallMeMrFlipper@lemmy.world 16 points 1 day ago

Not sure if it falls under the same category, but the way Activision handles (handled? I haven't used them since) passwords was atrocious! I had to reset my password to get back into my account, I used a random diceware password, it accepted it. However! The client on both Windows and Xbox wouldn't let you input a password longer than I believe 20 characters. So while you can set a 25 character password, you can go fuck yourself if you actually wanna log in...

[–] GreyEyedGhost@lemmy.ca 15 points 1 day ago

My work was using some MS-based account system, but I don't know if this was stock or something they modified. When you had to change your password, it would tell you if your new password didn't meet the password requirements, as usual. What it wouldn't tell you was what those requirements were...

So yeah, the requirements the system won't tell you about would have to be the worst one I came across...

[–] AwesomeLowlander@sh.itjust.works 19 points 1 day ago* (last edited 1 day ago) (1 children)

Stupid bank app doesn't allow password managers... and if you hit the enter button to login you get an error message informing you that you need to mouse click on the button.

[–] hogmomma@lemmy.world 6 points 18 hours ago (1 children)

> you get an error message

The person responsible for that specific behavior is a psychopath.

[–] WoodScientist@lemmy.world 5 points 17 hours ago (1 children)

Here's how to improve it:

Make you have to mouse click the button. However, it has to be a right click. Specifically, a right double-click.

[–] hogmomma@lemmy.world 3 points 16 hours ago (1 children)

DOUBLE RIGHT-CLICK THE BUTTON?!? ARE YOU MAD?!?

[–] WoodScientist@lemmy.world 2 points 9 hours ago

There are more things in Heaven and Hell than are dreamt of in your philosophy. This one specifically is from Hell.

[–] Lemm1ng@lemmy.world 15 points 1 day ago

I had a wi-fi device a few years ago that would require a password up to 12 characters, but that requirement wasn’t explicitly written anywhere. The device would gladly accept a 13-character password, for example, but you would never be able to log in again (factory-resetting was the only way to undo).

More recently I purchased a Lennox HVAC system that came with their proprietary thermostat (an Android tablet with a wall mount). During the Christmas break I got myself a new wi-fi router and had to reconfigure all my wireless devices. After 2 days, the Lennox thermostat was the last device to join the new wi-fi network… and it failed because their password could have any character EXCEPT the asterisk — and my new password had an asterisk. I didn’t like the idea of redoing all my other devices AGAIN just because of this idiotic password rule, so I ended up creating a new SSID just for the thermostat. I named it LENNOXSUCKS.

[–] Valmond@lemmy.world 13 points 1 day ago (1 children)

One special character.

Seems logical, right? Until you get that it is one and one only. Took me some time.

[–] umbraroze@lemmy.world 19 points 1 day ago (1 children)

Probably the silliest thing I have run into was some game. It asked you to set two passwords. You needed both to login. The second password couldn't be changed. This is why it was secure, see. (...What.)

When I created my account and set the second password, I couldn't log on the second time. Because I had entered a 20 character second password. It was accepted and verified during the account creation just fine. On the second login, it only accepted 16 characters. (It let you enter 20 characters but said it was too long.) Trying to enter the first 16 characters of the second password didn't work, of course.

I then contacted the support, and they did manage to reset the second password anyway. (What is this even)

[–] hogmomma@lemmy.world 3 points 18 hours ago

The Catholic Church is doing great with its two popes.

[–] phoenixz@lemmy.ca 56 points 1 day ago (1 children)

Not so much password requirements as just a completely removed implementation:

To access payment stubs in a data center (not us) that I worked at, the user account was our public email address and the password was a personal code, sorta like SSN, but that code could be easily looked up as it was public info.

I showed the director of HR, who authorized this, her own payment stub as evidence that this was baaaaadddd.

So she asked me to check that system for more issues.

Turns out it stored passwords in blank (wtf) and would authenticate with two queries. First query would check if the username (email) exists. Second query would check if the password exists. If both exist, you're in! So I could log in to any account with MY password...

This is the tip of a very big iceberg there.
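An added example (not code from the post or from the system described) placing the two-query check described above beside a single per-account hash verification. The users, passwords and table layout are constructed for the demo; the plaintext column exists only to reproduce the described behaviour:

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts (assumed data, not from the post).
USERS = {"alice@example.com": "correct horse", "bob@example.com": "battery staple"}


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the cost parameter is an assumption for the demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    """In-memory table: the plaintext column mirrors the described system,
    the salt/hash columns are what the fixed check uses."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT, salt BLOB, hash BLOB)")
    for email, pw in USERS.items():
        salt = os.urandom(16)
        db.execute("INSERT INTO users VALUES (?, ?, ?, ?)", (email, pw, salt, _hash(pw, salt)))
    return db


def broken_login(db, email: str, password: str) -> bool:
    """The two-query check from the post: email and password are looked up independently,
    so any existing email combined with any existing password authenticates."""
    email_exists = db.execute("SELECT 1 FROM users WHERE email = ?", (email,)).fetchone()
    password_exists = db.execute("SELECT 1 FROM users WHERE password = ?", (password,)).fetchone()
    return email_exists is not None and password_exists is not None


def fixed_login(db, email: str, password: str) -> bool:
    """One lookup keyed by the account, then verify the salted hash of that row only."""
    row = db.execute("SELECT salt, hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        _hash(password, b"\x00" * 16)  # do the same work so a missing account is not visible by timing
        return False
    salt, stored = row
    return hmac.compare_digest(_hash(password, salt), stored)


if __name__ == "__main__":
    db = make_db()
    print(broken_login(db, "alice@example.com", "battery staple"))  # True: Bob's password opens Alice's account
    print(fixed_login(db, "alice@example.com", "battery staple"))   # False
    print(fixed_login(db, "alice@example.com", "correct horse"))    # True
```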

[–] purplemonkeymad@programming.dev 20 points 1 day ago (1 children)

This has to be the best one here. The sheer lack of understanding of how to authenticate an account by the dev.

[–] dnick@sh.itjust.works 2 points 1 day ago

Sounds like the initial part of password testing, and then they either forgot to complete it, or someone came along to fix the later parts, commented them out for testing and never got around to fixing/uncommenting. Surprising how often things that 'work' are set aside and no one is in charge of reviewing.

[–] slazer2au@lemmy.world 24 points 1 day ago (3 children)

My old bank required you to have a password exactly 12 characters long, and to log in you have to give the characters in specific places.

It would ask you what the 4th, 7th, and 11th letters of your password are.

Anyone want to guess why they aren't my bank anymore?

[–] Interstellar_1@lemmy.blahaj.zone 3 points 13 hours ago* (last edited 13 hours ago)

So like a 3 letter password but with extra steps?

[–] OmegaLemmy@discuss.online 5 points 1 day ago

E and U and 2

[–] palordrolap@fedia.io 8 points 1 day ago

Oh yeah, mine has that as one of the options, but they've beefed it up a little. You also have to enter your date of birth and then they send a text to a pre-arranged number with a further 6-digit PIN that also has to be used.

[–] DemBoSain@midwest.social 9 points 1 day ago

I had to make a password last fall that had the requirement "numerals or special characters". A password with both numerals and special characters wouldn't work.

[–] iamdefinitelyoverthirteen@lemmy.world 8 points 1 day ago* (last edited 1 day ago) (2 children)

I volunteer at a local high school and the students' password is their birthday, because they are given their account at age 5, in kindergarten, and it's something you can reasonably expect a 5 year old to remember. Also, the students are not allowed to change their password unless they get "hacked", which is usually just another student logging into their account and deleting their assignments.

[–] cammoblammo@lemmy.world 2 points 17 hours ago

A school I used to work at had a folder with student passwords for various services at the front of the computer lab. If a student forgot their password for a service, they just went and looked in the folder. Maybe they’d even get their mates’ passwords for them while they were at it!

I did try to get the policy changed, and offered to teach staff and students how to use a password manager, but apparently remembering a single password was far too complicated, and it would make it much harder if you needed to log in to someone else’s account.

[–] superkret@feddit.org 8 points 1 day ago

Password needs one special character.
Not at least one. Exactly one.

[–] sit@lemmy.dbzer0.com 7 points 1 day ago

Max length of something under 18 …

Irks my gears

[–] Dhar@lemmy.ca 10 points 1 day ago

The worst I've ever seen was a site that required passwords to be 4 digits.

[–] laurathepluralized@lemmy.world 32 points 1 day ago (2 children)

The oddest I've ever encountered: EXACTLY 15 characters long. No more, no fewer. 15.

Honorable mention: Various online accounts where I used my password manager to generate a long, secure password, which the website accepted without warning or error. I was then locked out because their user management system could not handle such long passwords (had to create a second account with a much shorter password to find that out) 🤣

[–] tankplanker@lemmy.world 9 points 1 day ago* (last edited 1 day ago) (1 children)

Worked somewhere that required security clearance that used your national insurance number (UK equivalent to SSN) as your login id. Most people in the UK do not memorise their NI number.

Password had to be uppercase and lowercase letters, numbers, and special characters, I think at least 12? Couldn't have back to back special characters or start or end with numbers. No whole words, either.

So now you have to remember two strings of letters and numbers. Sackable offence to write either down. I once got a phone call from security because I would mis-enter my password after lunch first time around, just once a day, but they rang me up still to see what was going on.

Security there was a nightmare. I worked with an obviously disabled guy, who forgot to put his disabled badge on his car dashboard and they threatened to ban him from site (which would result in the sack as you couldn't work remotely). The kicker was that they said "we know you forgot to put the badge out", so they knew he was disabled, as all car registrations are preregistered, the only way onsite.

[–] swizzlestick@lemmy.zip 1 points 13 hours ago

> Most people in the UK do not memorise their NI number.

Spend enough time talking to HMRC or DWP, and it just happens.

[–] DirigibleProtein@aussie.zone 33 points 1 day ago

  1. There was the multi-user operating system in the 1990s that required every user to have a unique password. We were young and innocent then and used common English words. Upon changing your password, it would check your new password against all other users. An error like

     That password is already used by johnp. Please choose another password.

     was not uncommon.

  2. When I started using a password manager, I got keen and changed my passwords to 64 random characters. My bank would change this to uppercase, delete special characters, and save the first 8 characters of what was left. So when I logged in, it would compare the 64 character password I entered to the converted 8 character password that they saved, and find that they were different. (I found this out when I rang and complained, and they told me my password over the phone … 😱). They don’t do that any more.

[–] ryathal@sh.itjust.works 49 points 1 day ago (3 children)

Passwords that must contain a special character, but only from a list of three special characters.

Passwords that must be changed every 3 months.

Absurdly narrow length requirements, I'm 80% sure I saw one that required 8-16 characters.

All dictionary words were banned from being in a password regardless of length, so passphrases weren't allowed.

[–] ICastFist@programming.dev 6 points 1 day ago (1 children)

I hate any password requirement that says "special characters" but has a list of exceptions, like no . , ! ; or empty spaces. Just tell the user to make a passphrase, enforce at least one empty space and, dunno, 25 characters minimum, and bam. It's not like hackers try brute force anymore, they just hack insecure DBs full of user data and use that everywhere.

[–] hogmomma@lemmy.world 2 points 18 hours ago (1 children)

What's the difference between a password and a passphrase?

[–] Interstellar_1@lemmy.blahaj.zone 2 points 13 hours ago

A passphrase is made up of many words. A password can be anything.

[–] scytale@lemm.ee 28 points 1 day ago (2 children)

Not allowing you to paste a password, so you have to type it manually every time.

[–] undefined@lemmy.hogru.ch 13 points 1 day ago (1 children)

I’ve noticed this with ACH routing forms on many financial websites. You can’t copy the routing number nor account number—no—thou shalt key in by hand instead.

Never understood the logic here, do the developers want you to make a mistake?

[–] dnick@sh.itjust.works 2 points 1 day ago (1 children)

The 'logic' behind it is that if you copy/paste, then the confirmation box is basically useless. If you copied the wrong account or just part of it, you're for sure going to paste in the exact same thing without really checking. Not that it's a good reason, but at least there's some logic.

[–] undefined@lemmy.hogru.ch 3 points 22 hours ago

Well, if you’re going to hijack my paste command, just hide the confirmation box ¯\_(ツ)_/¯


My community colleges:

Passwords must be 12 characters long, contain at least one uppercase letter, one lowercase letter, a number, and a special character; it must also be changed every 30 days. There was also some sort of algorithm that checked if your new password was too similar to any previous password you had used, and rejected it if it was too close.

Hilariously, if you had a link to the page the password was supposed to limit access to, you could bypass the password page entirely. As such, I never changed my password.

[–] als@lemmy.blahaj.zone 13 points 1 day ago (2 children)

Wikipedia's minimum password length is 1 character
