Context is that I had to register for a lot of accounts recently and some of the rules really make no sense.

Not name-and-shaming, but the best one I’ve seen recently is I might have accidentally performed an XSS attack on a career portal using a 40-digit randomly generated password…

  • Dhar@lemmy.ca · 6 months ago

    The worst I’ve ever seen was a site that required passwords to be 4 digits.

  • Rose@lemmy.world · 6 months ago

    Probably the silliest thing I have run into was some game. It asked you to set two passwords. You needed both to login. The second password couldn’t be changed. This is why it was secure, see. (…What.)

    When I created my account and set the second password, I couldn’t log on the second time. Because I had entered a 20 character second password. It was accepted and verified during the account creation just fine. On the second login, it only accepted 16 characters. (It let you enter 20 characters but said it was too long.) Trying to enter first 16 characters of the second password didn’t work, of course.

    I then contacted the support, and they did manage to reset the second password anyway. (What is this even)
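
    The failure mode in the story above (a signup path that accepts 20 characters and a login path that rejects anything over 16) is easy to reproduce and easy to catch. The example below is added here and is not the game's code or anything posted in the thread; the two limits mirror the story, while the in-memory store, the scrypt parameters and the 64-character limit in the fixed version are assumptions. The check a practitioner wants is the round-trip test at the bottom: register, then log in with the same password, for every length the policy claims to allow.

```python
"""Registration/login password-length mismatch, and a round-trip check.

Added example; not the game's code or anything from the thread.  The two
limits (20 on signup, 16 on login) mirror the story; the in-memory store,
the scrypt cost and the shared 64-character limit are assumptions.
"""
import hashlib
import hmac
import os


def _kdf(password: str, salt: bytes) -> bytes:
    # scrypt with a small cost so the example runs quickly; raise n in production
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 12, r=8, p=1)


class BuggyAccounts:
    """Signup and login each enforce their own length limit (the bug)."""
    SIGNUP_MAX, LOGIN_MAX = 20, 16

    def __init__(self):
        self._db = {}

    def register(self, user: str, password: str) -> None:
        if len(password) > self.SIGNUP_MAX:
            raise ValueError("password too long")
        salt = os.urandom(16)
        self._db[user] = (salt, _kdf(password, salt))

    def login(self, user: str, password: str) -> bool:
        if len(password) > self.LOGIN_MAX:          # stricter than signup
            raise ValueError("password too long")
        salt, stored = self._db[user]
        return hmac.compare_digest(stored, _kdf(password, salt))


def check_policy(password: str, max_len: int = 64) -> str:
    """The one policy both paths share.  Returns the password unchanged
    (never silently truncated) or raises."""
    if len(password) > max_len:
        raise ValueError("password too long")
    return password


class FixedAccounts(BuggyAccounts):
    """Same storage, but signup and login call the same check_policy()."""

    def register(self, user: str, password: str) -> None:
        password = check_policy(password)
        salt = os.urandom(16)
        self._db[user] = (salt, _kdf(password, salt))

    def login(self, user: str, password: str) -> bool:
        password = check_policy(password)
        salt, stored = self._db[user]
        return hmac.compare_digest(stored, _kdf(password, salt))


def roundtrip_failures(accounts_cls, lengths):
    """Register, then immediately log in, with a constructed password of each
    length; return the lengths for which the round trip does not succeed."""
    failures = []
    for n in lengths:
        acct = accounts_cls()
        pw = "".join(chr(0x41 + i % 26) for i in range(n))   # constructed, deterministic
        try:
            acct.register("alice", pw)
            ok = acct.login("alice", pw)
        except ValueError:
            ok = False
        if not ok:
            failures.append(n)
    return failures


if __name__ == "__main__":
    print("buggy fails at lengths:", roundtrip_failures(BuggyAccounts, range(1, 25)))
    print("fixed fails at lengths:", roundtrip_failures(FixedAccounts, range(1, 25)))
```

Note that, as in the story, truncating the 20-character password to its first 16 characters does not help the buggy version either: the stored hash was computed over all 20, so only the full string verifies, and the login form will not accept it.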

  • otp@sh.itjust.works · 6 months ago

    Anything that requires regular password resets. It’s fine if it’s changed on the site and in the user’s vault automatically, but if a user has to type in their password with any sort of regularity, it’s a recipe for disaster to require regular changes.

    People write predictable or formulaic passwords, or just end up resetting their password more often than necessary because they forgot it (making them more susceptible to phishing).

    • Susaga@sh.itjust.works · 6 months ago

      There was an episode of Elementary where they were able to find the victim’s password on a post-it note, because the company required a new password every month and he didn’t want to remember a new one that often.

    • Cousin Mose@lemmy.hogru.ch · 6 months ago

      I memorized a handful of randomly generated passwords in high school (around 2005) and never looked back.

      These days I use a password manager, but for semi-low security stuff (on my LAN) I use one, for my Apple account a long combination of three. And that’s it! The password manager is where it’s at.

      Just one of my passwords was leaked in data breach (from back when I was younger and recycled passwords) so that one’s out, but otherwise I’m doing pretty well with the memorized randomly generated passwords.

  • Dagwood222@lemm.ee · 6 months ago

    [offtopic?]

    Debbie’s password is “PlutoGoofyMickeyMinnieDaffyBugsThorLosAngles”

    She was told that the password needed seven characters and a capital.

  • TootSweet@lemmy.world · 6 months ago

    12 characters, upper/lower/special requirement, and no more than two occurrences of the same character together. That’s FedEx.

    Two other thoughts on the topic:

    • Websites/apps/etc should always list their password requirements on the login page to make it easier to determine what password you used for the site in question.
    • There are plenty of websites where I literally log in only by using the “forgot password” flow because their password requirements are so ridiculous.

    • slazer2au@lemmy.world · 6 months ago

      Most password managers will have an auto type (not auto fill, that is different) so you can still automate your login.

    • Cousin Mose@lemmy.hogru.ch · 6 months ago

      I’ve noticed this with ACH routing forms on many financial websites. You can’t copy the routing number nor account number—no—thou shalt key in by hand instead.

      Never understood the logic here, do the developers want you to make a mistake?

      • dnick@sh.itjust.works · 6 months ago

        The ‘logic’ behind it is that if you copy/paste, then the confirmation box is basically useless. If you copied the wrong account or just part of it, you’re for sure going to paste in the exact same thing without really checking. Not that it’s a good reason, but at least there’s some logic.

  • Wugmeister@lemmy.dbzer0.com · 6 months ago

    My community colleges:

    Passwords must be 12 characters long, contain at least one uppercase letter, one lowercase letter, a number, and a special character; it must also be changed every 30 days. There was also some sort of algorithm that checked if your new password was too similar to any previous password you had used, and rejected it if it was too close.

    Hilariously, if you had a link to the page the password was supposed to limit access to, you could bypass the password page entirely. As such, I never changed my password.

  • lama@lemmy.world · 6 months ago

    By far the worst is the Costa Rican national bank:

    • Must be between 8 and 16 characters long
    • Must have at least 4 letters and 4 numbers
    • Can’t have consecutively repeated characters (can’t do “aa” but can do “aba”)
    • Can’t have vowels or Ñ
    • Must not be one of your last 6 passwords
    • Must be changed every 90 days
    • Also forgot that their website and app try to block password managers and copy and paste

  • 🇰 🌀 🇱 🇦 🇳 🇦 🇰 🇮 🏆@yiffit.net · 6 months ago

    The most basic rules commonly required everywhere. When you have such specific rules, it ironically actually makes finding the password through brute force easier because you can eliminate a bunch of variables that could have existed without all the rules. I can eliminate any permutation under 8 characters, doesn’t contain a number, and doesn’t contain a special character.

    It will still possibly take a billion years to guess, but it could have been two billion without the rules.

    Of course, I also find it wild that the metric for how good an encryption or password system is, is just how long it would take to guess every possible combination of input it could be, sequentially. It doesn’t account for a brute force attempt that just selects random inputs. It could take until the heat death of the universe… It could take 3 seconds. It’s up to chance at that point. Not to mention all the easier ways of getting a password. Like gaslighting the person who knows it into giving it up.

    • frezik@midwest.social · 6 months ago

      It’s something like the second law of Thermodynamics. It’s probability, not absolute. It’s possible all the gas molecules in the room arrange themselves one corner, but it’s fantastically unlikely. It’s possible to choose the right encryption key to a 256-bit cipher at random the first time, but it’s fantastically unlikely.
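
  The two comments above make a claim that can be checked by counting: a composition rule removes candidates from the search space, so the question is how many bits it actually costs. The example below is added here and is not from the thread; it counts the passwords that survive the "8 characters with a digit and a special" rule from the first comment, and, with a dynamic programme over the character-class counts, the rule set lama listed for the Costa Rican bank earlier in the thread. The alphabet sizes (26 lower, 26 upper, 10 digits, 32 printable ASCII specials) are assumptions, as is the reading of the bank's rules as case-insensitive letters only (27 Spanish letters minus 5 vowels minus Ñ leaves 21) plus digits.

```python
"""Keyspace arithmetic for password composition rules.

Added example, not from the thread.  Alphabet sizes are assumptions:
26 lower, 26 upper, 10 digits and 32 printable ASCII specials (94 total).
The bank rules are read as case-insensitive letters (21 after removing
vowels and Ñ) plus 10 digits, with no specials; that is an assumption too.
"""
from collections import defaultdict
from itertools import combinations
from math import log2

LOWER, UPPER, DIGIT, SPECIAL = 26, 26, 10, 32
ALPHABET = LOWER + UPPER + DIGIT + SPECIAL      # 94 printable ASCII


def count_with_required_classes(length, classes, alphabet=ALPHABET):
    """Strings of exactly `length` over `alphabet` symbols that contain at least
    one character from every class in `classes` (given as class sizes).
    Inclusion-exclusion: subtract strings missing a class, add back strings
    missing two, and so on."""
    total = 0
    for k in range(len(classes) + 1):
        for excluded in combinations(classes, k):
            total += (-1) ** k * (alphabet - sum(excluded)) ** length
    return total


def count_lengths(min_len, max_len, classes=(), alphabet=ALPHABET):
    """The same count summed over a range of lengths."""
    return sum(count_with_required_classes(n, classes, alphabet)
               for n in range(min_len, max_len + 1))


def count_no_adjacent_repeats(min_len, max_len, letters, digits,
                              min_letters, min_digits):
    """Strings of length min_len..max_len over `letters` + `digits` symbols with
    no character repeated back to back ("aa" banned, "aba" allowed) and at
    least `min_letters` letters and `min_digits` digits.  Dynamic programme
    over (letters used, digits used, class of the last character)."""
    states = {(0, 0, None): 1}      # the empty string
    total = 0
    for length in range(1, max_len + 1):
        nxt = defaultdict(int)
        for (nl, nd, last), ways in states.items():
            # a letter may follow anything except that same letter
            nxt[(nl + 1, nd, "L")] += ways * (letters - 1 if last == "L" else letters)
            # likewise for a digit
            nxt[(nl, nd + 1, "D")] += ways * (digits - 1 if last == "D" else digits)
        states = nxt
        if length >= min_len:
            total += sum(ways for (nl, nd, _), ways in states.items()
                         if nl >= min_letters and nd >= min_digits)
    return total


def compare_basic_rules():
    """'Exactly 8 chars with a digit and a special' versus 'anything of 1..8 chars'."""
    unconstrained = count_lengths(1, 8)
    constrained = count_with_required_classes(8, (DIGIT, SPECIAL))
    return {"unconstrained_bits": log2(unconstrained),
            "constrained_bits": log2(constrained),
            "fraction_kept": constrained / unconstrained}


def compare_bank_rules():
    """Bank rule set: 8-16 chars, >=4 letters and >=4 digits, no vowels or Ñ,
    no back-to-back repeats, versus any 8-16 char string over 94 symbols."""
    unconstrained = count_lengths(8, 16)
    constrained = count_no_adjacent_repeats(8, 16, letters=21, digits=10,
                                            min_letters=4, min_digits=4)
    return {"unconstrained_bits": log2(unconstrained),
            "constrained_bits": log2(constrained)}


if __name__ == "__main__":
    for name, result in (("basic", compare_basic_rules()),
                         ("bank", compare_bank_rules())):
        print(name, {k: round(v, 2) for k, v in result.items()})
```

  The basic rule costs well under one bit against an attacker who would otherwise try every string of up to 8 characters, because almost all 8-character strings contain a digit and a special anyway; the expensive rules are the ones that shrink the alphabet or the length, as the bank's do.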

  • tankplanker@lemmy.world · 6 months ago

    Worked somewhere that required security clearance that used your national insurance number (UK equivalent to SSN) as your login id. Most people in the UK do not memorise their NI number.

    Password had to be uppercase and lowercase letters, numbers, and special characters, I think at least 12? Couldn’t have back to back special characters or start or end with numbers. No whole words, either.

    So now you have to remember two strings of letters and numbers. Sackable offence to write either down. I once got a phone call from security because I would mis-enter my password after lunch the first time around, just once a day, but they rang me up anyway to see what was going on.

    Security there was a nightmare. I worked with an obviously disabled guy who forgot to put his disabled badge on his car dashboard, and they threatened to ban him from site (which would result in the sack, as you couldn’t work remotely). The kicker was that they said “we know you forgot to put the badge out”, so they knew he was disabled, as all car registrations are preregistered, the only way onsite.

  • lemmyng@lemmy.ca · 6 months ago

    “Password must contain letters, numbers, and at least one of these special characters.”

    Turns out, half of those special characters weren’t allowed 🫠

  • weker01@sh.itjust.works · 6 months ago

    Extremely limited password length. I think it was around 6 or 8 characters. Exactly! So every password was the same length.

    No other requirements. The best part? It was a bank. But not a customer facing service.

    • Treczoks@lemmy.world · 6 months ago

      Banks are amazingly bad at digital security. I once was in a bank (where my wife had an account) where they used first-generation wireless keyboards. The ones that did not encrypt anything and could be received from a distance of up to 10m, more if you had a better antenna. I told them about the security issues, but they did not understand. I went to the newspaper agent and bought the newest edition of a computer magazine that had detailed descriptions of how to eavesdrop on those keyboards, returned to the bank, and handed them the article. Which featured exactly their keyboard model as the title photo. I told them “If you don’t understand this, it’s fine, but then give it to the person responsible for your IT and security, they should know how to deal with this.”

      Next time we were there, they still had the insecure keyboards. Yes, the IT department had told them that they should replace them with wired ones, but they rejected it, because the wireless ones were sooo convenient. Our next move was to close my wife’s account there.