• Jo Miran@lemmy.ml
    link
    fedilink
    arrow-up
    60
    ·
    5 months ago

    I use a password manager with a random password generator. It’s always disconcerting when I find a website that finds my passwords to be too complicated. Like “you can’t use more than eight characters and the only special characters you can use are @ and !”. What the shit?!?

      • Monument@lemmy.sdf.org
        link
        fedilink
        English
        arrow-up
        13
        ·
        5 months ago

        That means those suckers are either stored plaintext or stored with decryption key that is somewhere within the server. Yeesh.

        • Tja@programming.dev
          link
          fedilink
          arrow-up
          10
          ·
          5 months ago

          “if you change it”. It might send the email before storing it as a salted hash in the DB. Unlikely, but possible.

    • Reddfugee42@lemmy.world
      link
      fedilink
      arrow-up
      13
      ·
      5 months ago

      “you may only use characters that we can store in a plaintext SQL field”

      Oh man I fuckin hate that shit

    • Kissaki@programming.dev
      link
      fedilink
      English
      arrow-up
      11
      ·
      edit-2
      5 months ago

      generate 32-char-pw -> “Must not be longer than 20” 🤨

      generate 32-char-pw -> “you must include a specific special character” 🤨

      below 10 characters is truly atrocious - and thankfully rare

    • AnUnusualRelic@lemmy.world
      link
      fedilink
      arrow-up
      8
      ·
      5 months ago

      Typically, the account creation will fail without saying why.

      Is it because the site is broken? Because I already have an account? Because I used too weird a password? (10 minutes later) ok, it’s because it’s coded by idiots and it can’t handle a 24 character password but a 12 character one works.

      • Skyhighatrist@lemmy.ca
        link
        fedilink
        arrow-up
        9
        ·
        5 months ago

        I once experienced a site just silently truncating a password that was too long. Such a ridiculous thing to do. It was several years ago, gaming related. I think it might have been Ubisoft, but I’m not sure that I’m remembering that correctly.

    • drathvedro@lemm.ee
      link
      fedilink
      arrow-up
      2
      ·
      edit-2
      5 months ago

      Yeah! Why can’t I use a base64 representation of a pirated 4k TS copy of Jon Favreau’s “Chef” as my password? /s

      Jokes aside, I’ve heard some hashing algorithms have a high cap of like 20 characters, so developers are probably just too lazy to switch them out or to read the docs on how to properly use said algorithms. Either way it’s a very bad sign, maybe just a tad better than them emailing you the password in cleartext.

      • Jo Miran@lemmy.ml
        link
        fedilink
        arrow-up
        7
        arrow-down
        1
        ·
        5 months ago

        The worst I have seen recently is one with an eight character limit and support for only four specific special characters. I didn’t test if it was cap sensitive but it wouldn’t shock me if it was not. It is the invoicing portal for one of my clients. I wish that was the only technical atrocity committed by that abomination…it is not.

        • YerbaYerba@lemm.ee
          link
          fedilink
          arrow-up
          1
          ·
          5 months ago

          My work only recently did away with the requirement for passwords to be exactly 8 characters. This was due to the use of legacy mainframes afaik.

    • CatLikeLemming@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      2
      ·
      5 months ago

      I only remember that happening once, but it wasn’t some random super small site, it was Uplay. I think the limit was 14 characters, or maybe 16 I’m not quite sure, but either way it was utterly stupid.