You want a good one? Silent password truncation on account creation without a required re-login, so on return my saved password doesn’t work and I need to reset it.
Making a throwaway for this since my main is linked to my real identity.
I worked for the online investment banking arm of one of the big Canadian banks a few years ago. Their passwords could only be eight characters long. At one point, I was tasked to do some work on their IVR system and discovered that your phone password was entered by pressing the corresponding letter key on your phone keypad. But they didn't say "2 for A, 22 for B, etc." which really confused me. How did it know the passwords were correct?
And that's when I had a terrifying realization and tested it out on the website - they weren't magically converting your phone presses into ascii characters. No, they were converting your password into the corresponding numerics and saving that. Every single user password was a 6-8-digit number.
They upgraded their whole login system around the time I left that company, including implementing 2FA. Though their 2FA was SMS-based rather than using a known authenticator app system, so it still wasn't perfect.
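What the keypad story above means in numbers, as an added example (not code from the bank or from anyone in the thread): a letter-to-digit mapping like the IVR's folds the whole 62-symbol alphanumeric alphabet onto at most ten stored values per position, and distinct passwords collide. The `*` for non-alphanumerics is an assumption borrowed from the US bank mentioned further down; the Canadian system's handling of those characters is not described.

```python
# Constructed example: how mapping a password onto a phone keypad collapses
# the search space. Not the bank's code; layout is the standard ITU E.161 one.
import string

_KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
_LETTER_TO_DIGIT = {ch: d for d, letters in _KEYPAD.items() for ch in letters}

ALNUM = string.ascii_letters + string.digits  # 62 symbols per position


def keypad_digits(password: str, other: str = "*") -> str:
    """Return what the IVR would store: one digit per letter, case lost.

    Digits pass through unchanged; anything else becomes `other`.
    (Assumption: '*' for non-alphanumerics, as the US bank in the thread did.)
    """
    out = []
    for ch in password:
        low = ch.lower()
        if low in _LETTER_TO_DIGIT:
            out.append(_LETTER_TO_DIGIT[low])
        elif ch.isdigit():
            out.append(ch)
        else:
            out.append(other)
    return "".join(out)


def keyspace_shrink_factor(length: int) -> int:
    """How many alphanumeric passwords of `length` fold onto each stored value.

    62**n distinct passwords become at most 10**n stored digit strings, so an
    attacker guessing the stored form has a search space smaller by this factor.
    """
    return (len(ALNUM) ** length) // (10 ** length)


def collisions_for(password: str, candidates) -> list:
    """Candidates (other than `password`) that would log in as `password`
    once both sides are keypad-mapped, i.e. they share the stored digits."""
    target = keypad_digits(password)
    return [c for c in candidates if c != password and keypad_digits(c) == target]


if __name__ == "__main__":
    print(keypad_digits("password"))           # 72779673
    print(keyspace_shrink_factor(8))           # 2183401
    print(collisions_for("password", ["Password", "sassword", "qwerty"]))
```

For an eight-character password the stored form is an eight-digit number, so the 2.18e14 alphanumeric candidates shrink to at most 1e8, and any password whose letters sit on the same keys (`Password`, `sassword`) authenticates as yours.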
I've absolutely had this happen with some US bank in the last 4 years. I can't remember which one, but they had me essentially type in my password over the phone in the same way, with * being the button for any non-alphanumeric character.
I had a bank that did this and it took me months to figure out WTH: every time I tried to log on it failed, but when you reset the password it accepted longer passwords while silently truncating them, getting you back into the account. I finally figured out their max password length was 8 characters; anything longer would result in failures past the initial logon after a reset.
My bank used to do this too, but they were nice enough to silently truncate the password input on the login form as well, so you wouldn’t ever notice unless you accidentally did something to reveal the truncation.
It annoyed the hell out of me though when I was trying to put the required special character on the end of my too-long password after a required password change, and the only error message I got was that the special character was missing.
I had something similar happen with an HP Ethernet switch years ago. I was looking at a factory reset (and had no backup of the config... ugh...). I started re-entering the password with 1 fewer character on each attempt and finally got in. Maddening.
Yep, I ran into this with Oracle OpenAir. Needed to reset my password so I fire up 1Password, generate a 50-char PW and set that. It works for the first login, but when I log out and log back in it tells me I have an incorrect password. Go through a password reset a few more times before I finally realize that they are just taking the first 12 characters of my PW and using that, and not telling me that they are doing that.
Ugh, this one is by far the worst, and the only way to discover it is knowing your password is 100% correct. I usually will drop the password length from 24 -> 12 to sort it out.
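The two truncation behaviours described in this sub-thread (truncate only when the password is set, so the full password fails at login; or truncate at both set and login, so nothing is ever visible) can be told apart, and the cap found, by trying prefixes of a password you know is correct. The following is an added example, not code from any of the sites named above: `TruncatingServer` is a constructed stand-in for such a site, and `probe_truncation` is the "one fewer character per attempt" procedure several people describe, run against it.

```python
# Constructed example: simulate a site that silently truncates passwords and
# probe it to recover the effective maximum length. Not any vendor's code.
import hashlib
import hmac
import os


class TruncatingServer:
    """Stand-in for a site with an undocumented password length cap.

    truncate_on_login=False models the bank that truncated only when the
    password was *set* (full password then fails at login); True models the
    bank that truncated on the login form too, hiding the cap entirely.
    """

    def __init__(self, max_len: int, truncate_on_login: bool):
        self.max_len = max_len
        self.truncate_on_login = truncate_on_login
        self._salt = os.urandom(16)
        self._stored = None

    def _hash(self, pw: str) -> bytes:
        # Demo only; real storage should use a memory-hard KDF (argon2/scrypt).
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self._salt, 10_000)

    def set_password(self, pw: str) -> None:
        # The cap is applied silently: no error, no warning to the user.
        self._stored = self._hash(pw[: self.max_len])

    def login(self, pw: str) -> bool:
        if self.truncate_on_login:
            pw = pw[: self.max_len]
        return hmac.compare_digest(self._hash(pw), self._stored)


def probe_truncation(login, password: str):
    """Try every prefix of a known-good password, longest first.

    Returns (accepted_lengths, cap). With set-only truncation exactly one
    prefix length is accepted (the cap); with set-and-login truncation every
    length >= the cap is accepted. In both cases the cap is the shortest
    accepted prefix, and None means no truncation was detected.
    """
    accepted = [k for k in range(len(password), 0, -1) if login(password[:k])]
    return accepted, (min(accepted) if accepted else None)


def demo():
    """Run the probe against both server variants with an 8-character cap."""
    pw = "correct horse battery staple"  # 28 characters
    results = {}
    for mode in (False, True):
        srv = TruncatingServer(max_len=8, truncate_on_login=mode)
        srv.set_password(pw)
        accepted, cap = probe_truncation(srv.login, pw)
        results[mode] = (srv.login(pw), cap, accepted)
    return results


if __name__ == "__main__":
    for mode, (full_ok, cap, accepted) in demo().items():
        print(f"truncate_on_login={mode}: full password ok={full_ok}, "
              f"cap={cap}, accepted prefix lengths={accepted}")
```

Against a real site the `login` callable would wrap the actual login request, and each attempt counts against lockout thresholds, so start from the full length and stop at the first success rather than walking every prefix; for the set-only variant that still means up to N attempts, which is why the OpenAir story took several reset cycles to diagnose.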
Oh yes, you're not alone! That secret battle between "must have" character classes and "can't have" character classes is the bane of all mental password algorithms. Where do the "can't have" rules come from, anyway? Smells like not using hashing (and even then, those rules would still be weird). But it can get even better, when the site refuses to accept third-level domain email addresses. Bonus points when it did, but at some point stopped.
This is (part of) why we recommend password managers to people, not deterministic generation algorithms that still require keeping a list of logins with exceptions.
Except the password manager becomes a central point of failure. If someone gets your phone, opens your password manager, boom they have keys to the castle. Because let's be honest, the password manager is on the phone, and there's no way keyloggers or screenshot backdoors get on there, and there's no way someone isn't looking over your shoulder with the latest iPhone Pixel Galaxy supercamera across the room.
It is really hard to listen to any security recommendation from anyone in the industry when there are SO MANY bad password rules that restrict what actual good long passwords are. Length restrictions, restrictions on special characters or UTF-8, password rotation rules. These examples of bank logins at major banks absolutely blow my mind.
and is site-specific with some leetcode subs or a magic number suffix is about the strongest password for login and for long-term user security and usability.
Maybe in another 15 years the security people at corporations will get their act together?
Maybe sometime we'll get legislation with some actual teeth on login security?
> Except the password manager becomes a central point of failure. If someone gets your phone, opens your password manager, boom they have keys to the castle. Because let's be honest, the password manager is on the phone, and there's no way keyloggers or screenshot backdoors get on there, and there's no way someone isn't looking over your shoulder with the latest iPhone Pixel Galaxy supercamera across the room.
Password managers usually are either password-protected themselves or have biometrics, which suffice to deter random thieves. In fact, password managers are not going to show your password in the first place; they are going to silently fill in password prompts. The password cannot be clipboard-stolen, screen-captured, or key-logged. It is even more difficult to phish you (if the password manager doesn't detect the right program id/URL, it won't fill your password in -- unlike you).
If someone is looking over your shoulder with a supercamera he can get one password. If you are using a password manager, that's it. If you were using "an algorithm" to derive your passwords, it is now possible he can easily guess ALL your passwords. Most people aren't that good at remembering good "algorithms" anyway. Maybe he needs to capture two passwords to do so?
Unless your algorithm is truly good, in which case you likely have to store it somewhere and that becomes your "password manager", which shares the same cons as a password manager itself. You are even at risk of your "algorithm" being guessed through a couple of big password DB leaks, which are sadly ridiculously common, and this by itself puts you more at risk than worrying about supercameras.
I however don't have anything good to say re password managers that sync passwords over a centralized service, or worse, do so without proven E2EE.
This has bugged me a lot. Have I been gaslighted? Like, do sites lose my password? I can swear there have been like 10 occasions in the last 20 years where I had to reset my password where I am pretty sure I knew it.
I'd bet that some sites had their DB leaked/hacked, and just marked all the current passwords invalid to force a reset. Hopefully, it was just the hashes that were leaked...
Just a few hours ago a pretty well-known site was telling me my password was wrong. The same one I'd copy pasted and logged in with for years from my password manager, including as recently as within the past 24h. I tried their app and it logged me in just fine. This wasn't the first time I'd had such issues with the site. Why do these happen? No idea, they must just hate me.
I had this with Duolingo. Their login fails if the browser can’t connect to recaptcha.net. But it just shows a generic “incorrect username/password” message.
In my case I'm pretty darn sure it's something on their backend. Some race condition or lock or something that prevents login while stuff is being updated. The most frustrating part is the gaslighting, not the failure.
Or it could be bad UX, displaying the same error message for two different errors.
(Not saying that simplifying several errors into one message is always bad. I think it's reasonable to just return a 500 without any info for everything that's caused by an unexpected exception on the backend.)
Well, I am glad I am not alone. It is a strange feeling to know you are right and the computer saying no, making you doubt yourself. Like, my first reaction is usually to write the password in clear text and copy-paste it to rule out keyboard issues ...
I swear to god I regularly have to change passwords I just set a few days ago, and/or saved to an external password manager. Yes, some incidents are probably me messing up somehow, but it seems to happen way too frequently even assuming I'm an idiot.
Most recent was setting a password for Rakuten Bank, saving it to my browser password manager, saving it to an offline password manager, and then two days later attempting to login and being told my password has too many characters. What.
Well, I am definitely to blame, though it still makes me sour. When I created the account it was a time when the issue of corporations abusing your information was a hot topic. So when I created the account I was in the mindset that I should not give all my information to any company, so I made up my details. So I did not have a real name, it was obviously fake, and I used a fake birthday. I had all this information, but I strongly believe they realized my name was a fake and cut me off. I tried to do the reset link but it never worked. Still to this day I get the occasional email from that account, as I did set it up to forward to my Gmail. Just yesterday I got an email about verifying my Instacart account and it was not me. I am still bothered years later that I was logged out and my password that I am sure I knew did not work. I feel like they forced me to try a reset and when I did it failed. That was my first email. I wish I could get back in. I screwed up with the fake info. I was young. I have given up and don't think there is a fix at this time, it has been years. I have grieved and moved on.
I’m on my sixth bank password at least, because almost every time I go to reset it, I get the “can’t use current password” error despite trying all of my algorithmic passwords.
> 11. Sorry, can’t reset password to your current password
This sounds like an erroneous error, i.e. the error message displayed is not the correct error message. There was definitely an error, but the error was not that you tried the same password as your current one.
I hate erroneous errors with a vengeance, because they not only break the user workflow but they break the helpdesk workflow as well; then it gets escalated to an engineer who quite often can't fix the actual erroneous error but knows what the actual issue is and fixes that anyway... meaning the erroneous error never gets fixed and will now hang around to chew up everyone's time all over again.
such a silly way to waste so much time, over and over.
> This sounds like an erroneous error, i.e. the error message displayed is not the correct error message. There was definitely an error, but the error was not that you tried the same password as your current one.
What exactly is this based on?
I know I've seen that listed as a requirement (well, actually can't be one of the last 3) on some systems that have annoying password requirements.
I agree with you, but would phrase it differently.
You want some indication that any leak of your current password actually hasn't been mitigated. A failure message that your password hasn't actually changed (due to being identical) is functionally the same as allowing the password change and giving a warning that the passwords were identical (modulo some back-end details like if the password salt has changed and if the password change date has been updated).
My favorite is:
1. I go to a website I haven’t used in a while but know I have an account on
2. I sign in with my email and what I’m sure is the right password for that site (algorithmically generated from site URL)
3. Password not valid
4. Ok, maybe this was an older version of my algorithm from way back
5. Password not valid
6. Fine, hit password reset
7. Get reset email and click it
8. Enter algorithmically generated password as new password
9. Error, can’t have that special character
10. Fine, per my rules, replace that special character with next one
11. Sorry, can’t reset password to your current password
12. Aaaaaargh.