foone,
@foone@digipres.club

There's a special hell for sites which have password requirements that are like 16 letters, one or more numbers, upper case and lowercase, at least one special character, and we disabled pasting/password managers

Laberpferd,
@Laberpferd@sueden.social

@foone
Also I have a few times seen another UI failure of hell

You type

-yourusername
<TAB>
-yourpassword
<ENTER>

and it opens the "i lost my password" site as default action, the actual login is not a Form-post but a separate button below

foone,
@foone@digipres.club

I don't have my bent-pipe keyboard here and I'm too lazy to recode it, so I just did:
$ sleep 5 && xdotool type "Ez>PzCN,[Q@k}ktFfO3A"

foone,
@foone@digipres.club

nevermind. I'm not giving them my home address to get a datasheet

Possessedkid,

@foone give them your real address
Remember lying isn't cool

MenhirMike,
@MenhirMike@mastodon.social

@foone Doesn’t everyone just put in 1600 Pennsylvania Ave in Washington DC anyway?

techokami,
@techokami@woof.tech

@foone nothing wrong with good ol' 123 Fake Street

bruce,
@bruce@darkmoon.social

@foone
Use this address:

1060 West Addison Street
Chicago, Illinois 60613

reconbot,
@reconbot@toot.cafe

@foone just lie

whvholst,
@whvholst@eupolicy.social

@foone Their own address usually is sufficient...

wryl,
@wryl@mastodon.social

@foone hunter2

womble,

@foone $DEITY bless xdotool.

kentborg,

@foone I was once locked out of a bank account because my middle-mouse X pasting looked like some MS Windows malware. To their credit, it was easy to talk to a person who was smart enough to understand me. (Good thing, too. The first person said I needed to clean off the MS malware—that I didn't have—before they could restore my access.)

wollman,
@wollman@mastodon.social

@foone At least one special character but not any of THOSE special characters (and we won't tell you which are which).

imrehg,
@imrehg@fosstodon.org

@foone and oh how much I also love captchas on login pages (my ISP supplied router's LAN login for example ffs)... Way too popular this side of the earth. I guess I'd need to evangelize rate limiting...

imrehg,
@imrehg@fosstodon.org

@foone extra super bonus for apps that also disable the system keyboard and force you to use their own, randomised keyboard to enter your password (in addition to all the winning conditions that you described) 🤢 #banking #Chinatrust....

trexplex,
cshentrup,
@cshentrup@mastodon.social

@foone websites should just create your password for you and you copy it. it seems insane to me that websites let you pick your own password.

kat,
@kat@weatherishappening.network

@foone “at least one special character”
“ok”
“no not that one, that one is illegal”
“but you said—”
“a special character is required but it can only be one of five we have randomly selected, the rest are prohibited”
“are you going to tell me which special characters are acceptable?”
“no”

djasa,
@djasa@cztwitter.cz

@foone that's what right-click → Inspect (Q) is for. However that's not a solution that'd scale anywhere close to the meaningful fraction of the users. :/

linnefaulk,
@linnefaulk@toot.bike

@foone @jgamet Even worse are the ones who don’t tell you the requirements up front.

yosasocial,
@yosasocial@mas.to

@foone then you move away from it and if possible tell them why

jimgon,
@jimgon@mastodon.social

@foone @briankrebs

I find the best approach is to reset my password every time I need to access such sites.

brandon,
@brandon@the-gathering.space

@foone oh god, yes. Also a shoutout to the website that wouldn’t tell me the password requirements, but would tell me that I didn’t meet them, and also didn’t allow special characters.

WhyNotZoidberg,
@WhyNotZoidberg@topspicy.social

@foone blocking copy-paste does not improve security at all.

digitalstefan,
@digitalstefan@fosstodon.org

@foone Royal Mail's "business" login was like this. 8 attempts it took me to create a new, valid password.

gabriele,

@foone and you're forced to change it every 3 months

stonebear,

@foone NOPETOPUS...

targetdrone,
@targetdrone@mastodon.social

@foone It's a bright red flag, and time to leave.

It's a proclamation they know almost nothing of actual value about password security. If they can't get the public-facing systems right, what are the chances they're properly securing anything you can't see?

ChasMusic,
@ChasMusic@ohai.social

@foone And what's with sites that limit the number of characters in your password to somewhere between 12 and 16? I hope they're not storing it somewhere. They're supposed to be storing a salted hash.

ChasMusic,
@ChasMusic@ohai.social

@foone I hate the ones that require a special character but only allow you to use certain special characters

bluGill,

@foone a few years back NIST published a password guide that is admissible in court. If you can't use a password program to both generate and paste the password it is insecure. Just set an obvious password and the judge will be forced to rule it is their fault if your account is hacked.

rotopenguin,
@rotopenguin@mastodon.social

@foone what's way cooler is when the site enforces a limit in JavaScript, but not everywhere. And definitely not enforced on the server.

You can set a password that it will not let you type in again.

audiodude,
@audiodude@sfba.social

@foone I still think sites like this should remind you when you type the wrong password, so you can remember which characters you tacked on to the end of your password.

"Wrong password. Remember, we require 3 special characters that can't be in a row, and your password can't start with a number"

dpendolino,