1281
Passwords
(lemmy.world)
We've all been there.
In what world are passwords unique.
I did once encounter a site in the early 2000s that wouldn't let me use a password because it was already in use by someone else. I was too young at the time to realize how bad that was, but I remember thinking it didn't make sense.
It MIGHT not be as bad as you think. If the UI was just terrible at communicating and what it actually meant was, "that password is in our database of known compromised passwords," then that would be reasonable. Google does this now too, but I think they only do it after the fact (e.g. you get a warning that your password is in a database of compromised passwords).
load more comments
(1 replies)
load more comments
(2 replies)
I hate that most places don't remind you what the rules of their passwords are if you've forgotten yours. Odds are I'd be able to correctly guess it if I knew.
As a sysadmin, can I just say: BAD PASSWORD: more than 3 consecutive characters of the same class
If a password input form asks any of these questions, consider the website or service compromised right from the beginning. The reason for this, is that it means they are not storing salted/hashed passwords and your password will be stored as plain text on their servers. There's no reason for any limitations on a password. In the event of a breach, your password will be visible in any database dumped by a hack. Always makes me wince when a password form complains about password length, as it really should not matter. When you hash a password, it will be stored in the database at a specific string length;
Eg; using sha-1 hashing:
pass123 = 5f1e04b7fc8d7067346b77bdbb6a4d4f9f4abace28f15c2b265c710b120393b2
password321 = 8852ab05d5b32f9efd3dcbf69edcfd65464e64c8e5e8310239871e02380e81b3
That’s just not true, all of these things can be achieved without saving the password as plain text
load more comments
(2 replies)
load more comments
(4 replies)
The number of times I've gone through that only to have it fail without explanation when I exceed the length limit - forcing me to guess if that must be the issue - is FAR higher than it should be.
And fuck any system that doesn't provide the criteria up front.
Also fun is when the field to initially set the password is also character limited and you choose a password that’s longer than the field but don’t notice until you’ve set it and get repeated login failures afterward
Yeah that nearly makes me want to smash something when it happens. Anyone that silently truncates passwords should NOT do it, or at least truncate the creation AND login forms. Just say the limit and give a error, or handle extra input the way you're supposed to in the enceyption algorithm and hash it to to the correct length. A length limit of say, the amount of bits the encryption key has, like 32/64/128 chracters for 256/512/1024 bit, is reasonable, any other limit is stupid.
load more comments
(1 replies)
This is why one of my passwords is something like forFUCKSAKE123$#!
That password is already in use by user 'gigachad'.
this post was submitted on 14 Jul 2023
1281 points (100.0% liked)
Technology
76950 readers
2985 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS