"Please set a new password for your account."
okay
"Your password does not meet your organization policy."
okay, you could have hinted that in the interface before I hit enter, but what's the policy
"It's a secret to everybody."
@0xabad1dea
"Error: your password must be unique. Please choose a password not already in use"
@0xabad1dea doubly hateful when your password manager has just saved the new invalid password and you're cheap so there's no history to go back to get the still valid one
@0xabad1dea I had one site that rejected all the passwords generated by my password manager. I eventually tried "Password123" (without quotes) which was accepted.
@0xabad1dea
+ Your password must embody all three corporate values.
+ Your password must increase revenue over last year by at least 3.5% .
+ Your password must comply with both US and EU privacy laws.
+ Your password cannot rhyme with "orange".
+ Your password must be a riddle that has two distinct solutions.
+ If I roll a 1 on this d20, you have to choose a different password anyway.
@0xabad1dea try this pass
Y3Ll0wM@NL0V3SA1D@t@C3nter$
@wizmax I think this is meant to be a joke and not malicious. Respectfully, please don’t send me gifs of the man actively trying to destroy my life and my homeland as a joke, it’s not as funny as you may have hoped
@0xabad1dea I'm sorry lad! (Ik and tbh he's messing up with everyone's life)
@0xabad1dea also a fan of the combination of "must contain special characters" and "no, not that one!" without saying which.
oof, feeling this pain acutely since I just played exactly this game the other day.
Me: Why yes, my new password has 20 characters, a mix of upper, lower, digits, and punctuation, and isn't one of the last 5 I've used.
Windows: No
Me: why?
Windows: 🙊
@0xabad1dea Been there. Whaddya want? Do I need a special character?
@0xabad1dea Agh! The stupid! It burns!
Password(month)(year)!
PasswordMay2026!
Yeahhhh, that works mostly everywhere, easily updates, and is a totes terrible password.
But most orgs can't even be arsed to follow NIST's 2017 password directive, let alone 2025's.
Organisation policy: All passwords must be "different".
@0xabad1dea you should only store your password policy as a salted hash
@0xabad1dea When I see this, all I think is "Grumble, grumble".
@0xabad1dea @catsalad “Not only is the complexity a secret, the input truncates before hashing. We won’t tell you, but your password fields when logging in later do not, nor will we tell you how many characters it truncates to.
Have as much fun with this as we did when we designed it.”
@0xabad1dea cheese shop sketch... Don't tell me, I'm keen to guess
@[email protected] My all-time favourite in this genre are the websites that silently truncate passwords, so it looks like they've been accepted but to actually log in you need to only type the first 8 characters...
@mavnn
There is a delightful variation where the truncation is inconsistent, so you can get the password wrong even with a password vault or other copy paste.
@0xabad1dea
@[email protected] Indeed - I found one where the web interface truncated but the mobile did not. Which would imply a certain lack of hashing and salting, but that's probably not the most pressing security concern by that point.
@mavnn @hypostase
I created an account for a school book once. I made a 20 character password with numbers, letters and punctuation. It accepted my password but I could never log in with it.
After making several new passwords with no luck, I tried entering all my letters as lowercase and truncated it at 16 characters. Even though that was not the password I made, it let me in.
I only know enough to know that nothing good happened there
@mavnn
Possibly. I'd put it down to different field lengths in different forms, or forms differently generated on different parts of the site.
In any case a lack of coherence in design. Security's been an after thought for a very long time.
@mavnn @0xabad1dea
Just wait until you run into one that hashes the entire password, but the login password field only accepts 8 characters.
@[email protected] Ah, the lovely "we'll email you in plain text the only string that will ever work" systems. Right up there with systems that silently turn any 'illegal' character into a '_' without notice. I see those two less often than the silent truncation in real life though.
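The failure modes traded in the replies above (silent truncation, lower-casing, 'illegal' characters swapped for '_', and one endpoint mangling while another does not) can all be detected from the outside with the same black-box test the posters ran by hand. The following is an added example, not code from anyone in the thread: `LegacyStore` is a hypothetical account store that models those bugs, `SaneStore` shows the behaviour that avoids them, and `probe()` registers a 64-character password of distinct characters and then reports which altered versions still log in. It goes a little beyond the thread by probing case folding and character substitution as well as the truncation length.

```python
import hashlib
import secrets
import string
import unicodedata

# Lowered for the demo so the probe below runs in a second or two; a real
# deployment uses a far higher count or a memory-hard KDF such as scrypt/Argon2.
ITERATIONS = 10_000


def _kdf(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)


class LegacyStore:
    """Hypothetical store modelled on the thread's anecdotes: the signup form
    silently clips the password to max_len characters, lower-cases it and swaps
    any 'illegal' character for '_' before hashing. The web login mangles the
    same way; the mobile login hashes exactly what was typed."""

    ALLOWED = set(string.ascii_letters + string.digits + "!@#$%^&*")

    def __init__(self, max_len=16):
        self.max_len = max_len
        self.db = {}  # user -> (salt, derived key)

    def _mangle(self, password):
        clipped = password[: self.max_len].lower()
        return "".join(c if c in self.ALLOWED else "_" for c in clipped).encode()

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.db[user] = (salt, _kdf(self._mangle(password), salt))

    def _check(self, user, candidate):
        if user not in self.db:
            return False
        salt, stored = self.db[user]
        return secrets.compare_digest(_kdf(candidate, salt), stored)

    def login_web(self, user, password):
        return self._check(user, self._mangle(password))

    def login_mobile(self, user, password):
        return self._check(user, password.encode())


class SaneStore:
    """Hashes exactly what the user typed, after Unicode NFC so the same
    password entered on different platforms yields the same bytes, and
    rejects over-long input with a visible error instead of clipping it."""

    MAX_BYTES = 1024

    def __init__(self):
        self.db = {}

    @classmethod
    def _canon(cls, password):
        raw = unicodedata.normalize("NFC", password).encode()
        if len(raw) > cls.MAX_BYTES:
            raise ValueError("password longer than %d bytes" % cls.MAX_BYTES)
        return raw

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.db[user] = (salt, _kdf(self._canon(password), salt))

    def login(self, user, password):
        if user not in self.db:
            return False
        salt, stored = self.db[user]
        return secrets.compare_digest(_kdf(self._canon(password), salt), stored)


# Constructed probe password: 64 distinct characters. Two that 'special
# character' filters often reject come first so they survive any truncation.
PROBE_PW = "<>" + string.ascii_uppercase + string.ascii_lowercase + string.digits


def probe(register, login, user="probe"):
    """Black-box check for any signup/login pair: register PROBE_PW, then
    report the shortest accepted prefix and whether case-folded or
    character-substituted variants of the password are still accepted."""
    register(user, PROBE_PW)
    truncated_at = None
    for n in range(1, len(PROBE_PW)):
        if login(user, PROBE_PW[:n]):
            truncated_at = n
            break
    return {
        "exact_accepted": login(user, PROBE_PW),
        "truncated_at": truncated_at,
        "case_insensitive": login(user, PROBE_PW.lower()),
        "substitutes_illegal": login(user, PROBE_PW.replace("<", "_").replace(">", "_")),
    }


if __name__ == "__main__":
    legacy = LegacyStore()
    print("legacy, web login:   ", probe(legacy.register, legacy.login_web))
    legacy = LegacyStore()
    print("legacy, mobile login:", probe(legacy.register, legacy.login_mobile))
    sane = SaneStore()
    print("sane store:          ", probe(sane.register, sane.login))
```

Against the legacy store the web-login probe reports truncation at 16 and accepts both the lower-cased and the underscore-substituted variants, while the mobile-login probe rejects even the exact password the user registered; the only string the mobile endpoint accepts is the mangled form `__abcdefghijklmn`, which is the "not the password I made, but it let me in" outcome from the thread. Against the sane store the exact password works everywhere and no altered variant does.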
@0xabad1dea see if we told everyone the policy then hackers would tune their brute force attacks!!!