There's a special hell for sites which have password requirements that are like 16 letters, one or more numbers, upper case and lowercase, at least one special character, and we disabled pasting/password managers
@foone I was once locked out of a bank account because my middle-mouse X pasting looked like some MS Windows malware. To their credit, it was easy to talk to a person who was smart enough to understand me. (Good thing, too. The first person said I needed to clean off the MS malware—that I didn't have—before they could restore my access.)
@foone and oh how much I also love captchas on login pages (my ISP supplied router's LAN login for example ffs)... Way too popular this side of the earth. I guess I'd need to evangelize rate limiting...
@foone extra super bonus for apps that also disable the system keyboard and force you to use their own, randomised keyboard to enter your password (in addition to all the winning conditions that you described) 🤢 #banking #Chinatrust
@foone “at least one special character”
“ok”
“no not that one, that one is illegal”
“but you said—”
“a special character is required but it can only be one of five we have randomly selected, the rest are prohibited”
“are you going to tell me which special characters are acceptable?”
“no”
@foone that's what right-click → Inspect (Q) is for. However that's not a solution that'd scale anywhere close to the meaningful fraction of the users. :/
@foone oh god, yes. Also a shoutout to the website that wouldn’t tell me the password requirements, but would tell me that I didn’t meet them, and also didn’t allow special characters.
It's a proclamation they know almost nothing of actual value about password security. If they can't get the public-facing systems right, what are the chances they're properly securing anything you can't see?
@foone ¿And what's with sites that limit the number of characters in your password to somewhere between 12 and 16? I hope they're not storing it somewhere. They're supposed to be storing a salted hash.
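An added illustration of the point in the reply above (example code written for this thread, not posted by anyone in it): a password-checking and storage routine that follows the NIST SP 800-63B approach the thread keeps circling back to. It sets a minimum length and a generous maximum, imposes no composition rules and forbids no printable character, checks against a breached-password list, and stores only a salted PBKDF2 hash. Because the stored record is a fixed size no matter how long the password is, there is no storage reason to cap passwords at 12 or 16 characters. The blocklist is a constructed stand-in for a real breach corpus; the limits and iteration count are assumptions for the example, not values taken from the thread.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import List, Optional

# Constructed stand-in for a breached-password list (assumption for this
# example; a real site would check against a large breach corpus).
BLOCKLIST = {"password", "123456789", "qwertyuiop", "letmein123"}

MIN_LEN = 8          # NIST SP 800-63B minimum for user-chosen passwords
MAX_LEN = 256        # well above the 64 characters NIST says sites must accept
SALT_LEN = 16
DIGEST_LEN = 32
PBKDF2_ROUNDS = 600_000   # assumed work factor; tune for your hardware


def _normalize(password: str) -> str:
    # Normalize so the same visible password hashes the same way
    # regardless of which Unicode form the client sent.
    return unicodedata.normalize("NFKC", password)


def check_password_policy(password: str) -> List[str]:
    """Return the reasons a password is rejected; an empty list means accepted.

    Deliberately no composition rules ("one uppercase, one digit, one of five
    blessed special characters") and no forbidden printable characters:
    spaces, punctuation and non-ASCII are all fine. Only length, control
    characters and known-breached passwords are rejected.
    """
    pw = _normalize(password)
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if any(unicodedata.category(c).startswith("C") for c in pw):
        problems.append("contains control characters")
    if pw.lower() in BLOCKLIST:
        problems.append("appears in the breached-password list")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password) as the record to store.

    The record is always SALT_LEN + DIGEST_LEN bytes: a 200-character
    password costs the database exactly as much as an 8-character one.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    pw = _normalize(password).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ROUNDS, DIGEST_LEN)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = stored[:SALT_LEN]
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    for candidate in ["password", "short", "correct horse battery staple !@#$%^&*() 🔑"]:
        print(repr(candidate), "->", check_password_policy(candidate) or "accepted")
    record = hash_password("a" * 200)
    print("stored record size for a 200-char password:", len(record), "bytes")
    print("verify correct:", verify_password("a" * 200, record))
    print("verify wrong:  ", verify_password("a" * 199, record))
```

Note what the checker never does: it never asks for a particular character class, never rejects a character a password manager might generate, and never needs the plaintext length later, because only the fixed-size salted hash is kept.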
@foone a few years back NIST published a password guide that is admissible in court. If you can't use a password program to both generate and paste the password it is insecure. Just set an obvious password and the judge will be forced to rule it is their fault if your account is hacked.
@foone I still think sites like this should remind you when you type the wrong password, so you can remember which characters you tacked on to the end of your password.
"Wrong password. Remember, we require 3 special characters that can't be in a row, and your password can't start with a number"