We’ve all been there.

      • TWeaK@lemm.ee
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Have you been given the egg yet? Don’t forget to feed him!

    • Sylver@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 year ago

      My Roman numerals should multiple to equal 35, but then the county I got starts with a C… how do you multiply by fractions in Roman numerals?!

    • nieceandtows@programming.dev
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      It was great until that step 20 where some ‘fire’ deleted everything I made. It’s one thing to make you think, it’s a completely different thing to just delete everything and make you start over. Fuck that noise.

    • rustydrd@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Man, when I played, poor Paul got burnt to a crisp. I’m still having flashbacks from that shock.

    • Rozz@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      I got stuck on rule 14 where I had to guess the country in Google maps.

      Au2WonderfullyshellnIcepigsXXXV!85mayy4n6mfiend🌘

      I guess it’s kind of secure. Does the password change daily with the current wordle word?

      • Reamen@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        if you walk down the path like 20m there’s a sign that tells you where you are

        I stopped playing when my whole password caught fire lmao

        • Rozz@lemmy.sdf.org
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Thanks. I was only on my phone and didn’t feel like zooming in for that much.

  • zeppo@lemmy.world
    link
    fedilink
    English
    arrow-up
    43
    arrow-down
    2
    ·
    1 year ago

    “Sorry, that password is already in use” ruins it for me. That’s not a realistic message to receive.

    Maybe “Your password cannot be one you’ve used previously”.

      • Tyler_Zoro@ttrpg.network
        link
        fedilink
        English
        arrow-up
        6
        ·
        1 year ago

        Yeah, this is important. Make it a really big number too so that I have to change my password lots of times in a row in order to put it back to what it was. ;)

        • 5too@lemmy.world
          link
          fedilink
          English
          arrow-up
          4
          ·
          1 year ago

          If they want to play that game - the calendar date becomes part of the password. It’s never the same, but you can always work it out!

          • UncleRummy@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            Or just append a letter that increments every time you change your password, and keep a note of what the current letter is.

            Passworda
            Passwordb
            Passwordc

            When your z password expires, just wrap back around to a.

    • Buddahriffic@lemmy.world
      link
      fedilink
      English
      arrow-up
      9
      ·
      1 year ago

      It follows the vein of some of the password rules and feedback reducing security itself. Like why disallow any characters or set a maximum password length in double digits? If you’re storing a hash of the password, the hash function can handle arbitrary length strings filled with arbitrary characters. They run on files, so even null characters need to work. If you do one hash on the client’s side and another one on the server, then all the extra computational power needed for a ridiculously long password will be done by the client’s computer.

      And I bet at least one site has used the error message “that password is already in use by <account>” before someone else in the dev team said, “hang on, what?”.

      • zeppo@lemmy.world
        link
        fedilink
        English
        arrow-up
        5
        ·
        1 year ago

        It’s true, most of these rules are harmful, but also most are in common use and accepted, for some reason. I have heard of a password system that had that warning, perhaps even the account, but it was in a softwaregore screenshot context.

  • Tyler_Zoro@ttrpg.network
    link
    fedilink
    English
    arrow-up
    36
    ·
    1 year ago

    Fun fact: password controls like this have been obsolete since 2020. Standards that guide password management now focus on password length and external security features (like 2FA and robust password encryption for storage) rather than on individual characters in passwords.

    • fubo@lemmy.world
      link
      fedilink
      English
      arrow-up
      18
      ·
      edit-2
      1 year ago

      Since 2017 at least; and IIRC years before that; that’s just the earliest NIST publication on the subject I could find with a trivial Web search.

      https://pages.nist.gov/800-63-3/sp800-63b.html

      Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

      “Memorized secrets” means classic passwords, i.e. a one-factor authentication through a shared secret presumed to be known to only the right person.

    • Rufio@lemm.ee
      link
      fedilink
      English
      arrow-up
      10
      ·
      1 year ago

      I wouldn’t say obsolete because that implies it’s not really used anymore. Most websites and apps still use validation not too dissimilar from the OP, even if it goes against the latest best practices.

      • EmpatheticTeddyBear@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        I’m still waiting on an XKCD that references #936 with the fact that we soon as we have reliable, functional quantum computing, all of the passwords from before that point in time will be completely and utterly broken. That the only way to make a password that a quantum computer would have a tough time breaking is if it was made by another quantum computer. Unless of course the comic has already been made and I just missed it, which is a complete possibility because this year for me has been utterly crap.

        • Archpawn@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          Some of them are broken by quantum computers, but not all of them. For example, SHA256. You can use Grover’s algorithm to take sqrt(n) steps to check n possible passwords, which on the one hand means it can be billions of times faster, but on the other hand, you just need to double the length of the password to get the same security vs quantum computers. Also, this is the first I’ve heard of a hash that uses a quantum computer. Do you have a source? Hashes need to be deterministic, and quantum computers aren’t, so that doesn’t seem like it would work very well.

          Maybe you’re getting mixed up with using quantum encryption to get around quantum computers breaking common encryption algorithms?

    • cley_faye@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      1 year ago

      People should be made aware of all the tools available to properly manage tons of passwords. Not even going too deep into “passkey” stuff or any modern shenanigans, but a password manager used to generate random passwords for each separate sites is such a simple step.

    • Meowing Thing@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Yeah! And nowadays the industry is pushing towards password less authentication. Github just started rolling it out to beta users

  • SevenDigitCode@lemmy.world
    link
    fedilink
    English
    arrow-up
    32
    ·
    1 year ago

    My favorite, though, is:

    types in password “Password incorrect” goes to reset password “please enter a new password” types in password “your new password cannot be the same”

      • stepone@lemmy.world
        link
        fedilink
        English
        arrow-up
        11
        ·
        1 year ago

        It often means that one could have derived the correct password from the set of rules - but those rules are not shown when asking for the old password

        • 5too@lemmy.world
          link
          fedilink
          English
          arrow-up
          5
          ·
          1 year ago

          Exactly this. I want to normalize showing the password requirements when you don’t immediately get the password - if you made me jump through hoops the first time, at least remind me what they were!

      • bh11235@infosec.pub
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 year ago

        “Chessify” on Android worked for me (also has the advantage that you just take a picture, instead of setting up the position by hand). Unfortunately 1 minute later the game gave me a chicken that I had to keep fed with worm emojis, so I created a stockpile of worms for the chicken and it died of overfeeding. I rage quit the game on the spot.

  • average650@lemmy.world
    link
    fedilink
    English
    arrow-up
    21
    arrow-down
    1
    ·
    1 year ago

    The worst part is that if they know that password is already in use… then they aren’t storing their passwords appropriately.

    • teft@lemmy.world
      link
      fedilink
      English
      arrow-up
      13
      arrow-down
      1
      ·
      1 year ago

      You could store the passwords as hashes and just compare the hashed value.

        • pewter@lemmy.world
          link
          fedilink
          English
          arrow-up
          6
          ·
          1 year ago

          True, but for the same big O they can salt the password for each user and compare it to what they have stored. My big pet peeve (that I’ve actually seen) is when they say your password is too similar to an old one. I have no idea how that could be reasonably done if they’re storing your password correctly.

      • d3Xt3r@lemmy.world
        link
        fedilink
        English
        arrow-up
        17
        ·
        edit-2
        1 year ago

        Because it’s much more fun to come up with passphrases like Correct Battery Horse Staple.

      • TurboDiesel@lemmy.world
        link
        fedilink
        English
        arrow-up
        5
        ·
        edit-2
        1 year ago

        Yeah, I switched from LastPass (after one of their many data breaches) to 1Password. I don’t know any of my passwords anymore because they’re all just generated and saved automatically. And that’s a good thing.

          • ozymandias117@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            That’s inherently blocking pseudo random password generators.

            Max length doesn’t bother me if it’s at least 128 characters, but only allowing specific special characters is a sin.

            As of last year, Wells Fargo’s passwords were even cause insensitive. Dunno if they’ve fixed it since then, but probably not

      • ultimate_question@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        1 year ago

        Because I want control of my passwords in my head not some software, it’s not like a string of random characters is any more secure than one that can actually be remembered

    • SSTF@lemmy.world
      link
      fedilink
      English
      arrow-up
      10
      ·
      edit-2
      1 year ago

      Unfortunately a lot of jobs require passwords and they use outdated security processes, forcing people to have the old fashioned “must have uppercase, lowercase, number, and special character & you have to change it every 3 months for no reason” passwords instead of the stronger (and less annoying) alternatives.

      • funkless@lemmy.world
        link
        fedilink
        English
        arrow-up
        9
        ·
        1 year ago

        i signed up at mba.com and it wouldn’t let me use a password because it contained a semicolon which wasn’t on the approved list of special characters, and then - get this - because I tried too many times to create a password - locked me out because I had “too many failed attempts”

      • CoderKat@lemm.ee
        link
        fedilink
        English
        arrow-up
        7
        ·
        1 year ago

        Those requirements drive me crazy, especially because they’re all against NIST recommendations. Someone thinks they make passwords more secure but they have the opposite effect.

        At any rate, password managers still help in those cases. If nothing else, for providing a safe place to record what your password is for when you forget it because of the dumb requirements.

        • SSTF@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 year ago

          I always wonder if such choices come from incompetent IT, or if IT wants to do things better but is banging their heads against corporate owners who think “more hassle = more secure”.

          • peto (he/him)@lemm.ee
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            It’s almost certainly that writing security standards for an organization takes time and needs approval from high up. And someone high up complaining that they only just revised them to include special characters.

      • mikiao@lemmy.world
        link
        fedilink
        English
        arrow-up
        5
        ·
        1 year ago

        Must be changed every month, can’t use a previous password, AND, for some fucking reason, can only contain 8 characters.

        And if you forgot your password, you can call IT and they’ll just read it to you because they have them all saved somewhere.

        That was a great place to work at.

      • darkkite@lemmy.ml
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        1
        ·
        1 year ago

        that’s exactly why a password manager works. there’s a generator that you can configure to meet requirements

    • Archpawn@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      1 year ago

      Still frustrating. I generally try to make my passwords all lowercase in case I need to type them (especially on a phone). But a lot of places don’t allow that.

      • Confetti@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        1 year ago

        No offense but I’m kinda happy they dont allow that. Its horrible entropy a better approach for manual entry is using a randomly generated passphrase (6+ words should be enough with a special character as a seperator if needed) or again using the autofill of a password manager, there are many available for mobile devices. I recommend checking out bitwarden for anyone new to password managers

        • Archpawn@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          If I’m typing on a computer keyboard, typing words is easier than random letters, but on a phone it doesn’t make much of a difference. What I end up doing is typing my passphrase into my password manager on the computer, and then typing the password on there into my phone.

          I do have a password manager app for my phone, but then I have to type the whole passphrase into it so I don’t use it unless necessary.

  • FluffyPotato@lemmy.world
    link
    fedilink
    English
    arrow-up
    18
    ·
    1 year ago

    The worst one is when it only supports up to like 16 characters but doesn’t tell you so it will only use the first 16 characters and ignore the rest. The next time you need to enter it and get the 64 character password from your password manager it will just say it incorrect and you’re left with no idea on why it’s wrong.

    • dlok@lemmy.world
      link
      fedilink
      English
      arrow-up
      6
      ·
      1 year ago

      Holy shit you might have just explained why I have to reset my password every time for a local fast food joints own website

    • KairuByte@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      I can do you one worse.

      My banking app password was not case sensitive for many, many years. They finally fixed it a few years back though!

    • Alien Surfer@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      This has happened to me so many times. Frustrating and stupid being belief. Are they hiring 10 year olds to write the html/script? Sheesh.

  • Saneless@lemmy.world
    link
    fedilink
    English
    arrow-up
    15
    ·
    1 year ago

    My favorite is when you forget your password and try to reset it but it cries that you can’t use passwords you already used

    Mother fucker if I remembered what I used I wouldn’t be doing this

  • LaggyKar@programming.dev
    link
    fedilink
    English
    arrow-up
    10
    ·
    1 year ago

    And that’s when they tell you what you did wrong. Sometimes they’ll reject the password without telling you why, because of some rule they didn’t list. For example, I set a password in a parking app (Flowbird) which had an unmentioned restriction against spaces and Swedish letters (dispite targeting the Swedish market). Also, it lets you set a fairly long password, but when you try to log in on their webpage they’ve set maxlength=“32” on the password field. So if you have a longer password you have to edit the DOM and remove that attribute to log in.

    • lawrence@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      This already happened to me in a big service provider (electricity) website. It’s infuriating.