• Michael R (unregistered)

    Fr!5tm3n0w

  • (nodebb)

    So apparently !!!!!!!! is complex enough for them. But make sure you don't accidentally press Caps Lock before entering it, because the site passwords are case sensitive.

  • TS (unregistered)

    If this is in the UK or EU, they are breaching the GDPR (articles 5 and 32). Please report them to the ICO. We desperately need a few high-profile, painful fines to stop this shit (not that that will happen).

  • Darren (unregistered)

    I notice they - and a surprisingly high number of other places - don't allow single or double quotes in their passwords. That smells to me like they're not escaping their quotes properly, had problems with SQL injection-style attacks (either real or flagged up as a vulnerability) and just decided to bodge it by not allowing them.

  • (nodebb)

    The only max length rules I have seen in a decade+ were from US banks we had to use for company CCs. Some would block pasting in forms, so "KqPSRQn0!" would have to replace "➸⟎⻐⽝⟹⇸⍶⭁⇿". And SQL injection protection was banning some chars. I still encounter sites that insist on UpperLowerNumberSpecial resulting in "┬∟⋀⩵⍿✫✠⢢⠸ⓧ⦬᭷꒟⾝﷽⚧≈≬꒢⭨⬠┛⣹꒽˻Ab1!"

  • (nodebb)

    I know the first rule of TDWTF is to not talk about the comment or forum SW, but WTH do my newlines go?

  • (nodebb)

    I have seen password forms which seem to be flummoxed by password managers. My password manager will choose a password, fill it in (I can even see it by pressing the eye-con next to the field) but the form validation acts as if I typed nothing. So, when changing the password, I have to then cut/paste it from the password manager into the form. Perhaps that is what happened & IT support was clueless.

  • (nodebb) in reply to HXO

    Some would block pasting in forms

    I rage when I encounter this, since clearly it is more accurate for me to paste in the copied password. Someone please enlighten me with the Really Good Reasons for blocking password-pasting, since I cannot see them.

  • (nodebb)

    There's not a good reason. But the claimed reasons for blocking pasting are

    • It defeats evil bots
    • It ensures the user correctly typed the PW they intended to. Not made a typo then unknowingly duplicated it. Hence setting up the need to do a vastly expensive and difficult PW reset next time when the PW they wrote on their sticky note doesn't work.

  • (nodebb) in reply to WTFGuy

    I can maybe think of one reason for blocking pasting: A user got the password from a HTML formatted page, fex email (yes it is rare, but I sometimes see onetime- or reset-codes); very often there will be an extra space trailing the PW when copying.

    The solution is to .Trim the PW field, not block pasting.

  • rihoe (unregistered)

    So I can't have password like "Louvre"

  • Conradus (unregistered) in reply to sibtrag

    I've run into that. I've discovered that manually deleting the last character and manually typing it back in will make it take the password.

  • (nodebb) in reply to Conradus

    Interesting, I'll have to give that a try next time. I wonder if these forms would let me type an extra character and then delete it....

  • Rob (unregistered) in reply to Darren

    That smells to me like they're not escaping their quotes properly, had problems with SQL injection-style attacks

    And SQL injection protection was banning some chars.

    If systems are blocking characters in passwords to prevent SQL injection, then TRWTF is storing passwords directly and not a secure hash.
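    To illustrate Rob's point (and the quote-banning that Darren and HXO describe), here is an added example that is not code from any commenter or from the site in the article. It registers and verifies passwords full of quotes, semicolons and non-ASCII characters: the password bytes go only into a salted PBKDF2-HMAC-SHA256 digest (iteration count chosen for the demo, an assumption), and the digest is stored through a parameterised SQLite insert, so no character in the password can ever reach the SQL text. The sample passwords and user names are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample passwords: every one contains characters that the
# "SQL injection protection" policies discussed in the thread tend to ban.
SAMPLE_PASSWORDS = [
    "it's a 'quoted' one",
    'she said "hello"; DROP TABLE users; --',
    "➸⟎⻐⽝⟹⇸⍶⭁⇿ Ab1!",
    "trailing space ",
]

# PBKDF2 work factor for this demo (assumed; tune it for production hardware).
ITERATIONS = 200_000
SALT_LEN = 16


def hash_password(password: str) -> tuple:
    """Return (salt, digest). The raw password is never stored or interpolated."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def make_db() -> sqlite3.Connection:
    """In-memory user table holding only salt and digest, never the password."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB NOT NULL, digest BLOB NOT NULL)"
    )
    return conn


def register(conn: sqlite3.Connection, name: str, password: str) -> None:
    salt, digest = hash_password(password)
    # Parameterised insert: the driver binds the values, so quotes or
    # semicolons in the password (or the name) cannot alter the statement.
    conn.execute(
        "INSERT INTO users (name, salt, digest) VALUES (?, ?, ?)", (name, salt, digest)
    )


def login(conn: sqlite3.Connection, name: str, password: str) -> bool:
    row = conn.execute("SELECT salt, digest FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        # Burn a KDF round anyway so an unknown user is not cheaper to test than a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\x00" * SALT_LEN, ITERATIONS)
        return False
    return verify_password(password, row[0], row[1])


def demo() -> dict:
    """Register each sample password, then try the right and a wrong password for each user."""
    conn = make_db()
    logins = {}
    for i, pw in enumerate(SAMPLE_PASSWORDS):
        name = f"user{i}"  # constructed user name
        register(conn, name, pw)
        logins[name] = (login(conn, name, pw), login(conn, name, pw + "x"))
    # The "DROP TABLE users" password did nothing to the schema: all rows are still there.
    rows = conn.execute("SELECT count(*) FROM users").fetchone()[0]
    return {"rows": rows, "logins": logins}


if __name__ == "__main__":
    print(demo())
```

    The only thing that touches the database is a fixed-length salt and digest; rejecting quotes at the form adds no protection here, and a system that needs to reject them is telling you the password text itself is reaching the query.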

  • Rob (unregistered) in reply to Conradus

    I've run into that. I've discovered that manually deleting the last character and manually typing it back in will make it take the password.

    That requires knowing what the last character is. Adding an extra character and deleting that will probably work as well, and doesn't require you to actually see the password (which usually requires extra steps).

  • Die Kuhe (kein roboter) (unregistered) in reply to rihoe

    Looks like no other one appreciated your brilliant annotation.

    I can't understand whether all the people lost their sense of humor, or they just didn't realize...

  • (nodebb)

    One day, humanity will rise above the murky tide of its own ignorance. In that dawn, we shall see the construction of a trebuchet (the superior siege weapon) so large that it can hurl even the greatest of mountains into the Sun. We shall use this pinnacle of a weapon to jettison every computer that hosts code that checks for password length.

  • (nodebb) in reply to thaines.astro

    every computer that hosts code that checks for password length

    Don't you mean "checks for maximum password length" ? Personally, I want them to check for a (reasonable) minimum length.

  • (nodebb)

    Always appreciate the "strong password checks" that won't allow some special characters, but won't tell you what special characters they won't allow. I've gone rounds with a couple of those in the past.

    Related - I know one time we eliminated some crazy percentage of our helpdesk calls (to reset passwords) just by changing the policy to allow longer times between resets and a shorter time for notifications before expiration/change. Most of our users would change the password as soon as that "gonna expire" notice popped, which was always on a Friday and every two weeks, because PW age was 4 weeks and notice was at 2 weeks.

  • iWantToKeepAnon (unregistered)

    "Ex. GHott*01"

    Did the email come from someone named George Hott? Was "GHott*01" George's password? Gearhead should definitely have tried to log in and see. I really doubt there was intrusion detection installed.

  • Strongarm (unregistered) in reply to sibtrag

    Add a space and then backspace it out of username. Of the three sites I've encountered that do this, it will enable the button.

  • Fa (unregistered) in reply to paschott

    4 weeks?! You devil

  • (nodebb) in reply to Steve_The_Cynic

    every computer that hosts code that checks for password length

    Don't you mean "checks for maximum password length" ? Personally, I want them to check for a (reasonable) minimum length.

    Oh, yes. I meant maximum. Computers that don't check for a minimum length should also get hurled into orbit.

  • Kotarak (unregistered) in reply to dpm

    One reason for blocking I heard was: a trojan could infect your computer and observe the clipboard. Hence, phishing of the passwords.

  • (nodebb) in reply to Kotarak

    A trojan might observe the clipboard but not the key event stream? Hmm...

  • (nodebb) in reply to rihoe

    Correct. "Louvre" won't be allowed, but for all French websites, "LOUVRE" (all uppercase) is a special case and will always be accepted.

  • Officer Johnny Holzkopf (unregistered)

    "The site rejects password generators as hacking attempts." - Your friendly government rejects door locks as break-in attempts. Please remove the lock. However, make sure your door handle consists of at least two different materials (wood, metal) and is painted in three different colors. That will stop the evil burglars!

  • (nodebb) in reply to HXO

    I can maybe think of one reason for blocking pasting: A user got the password from a HTML formatted page

    Or a Word document. I was once sent a randomly generated password in an MS Word document which had a ' in it but Word had silently turned the ' into a smart quote.

Leave a comment on “Secure to Great Lengths”
