"Please set a new password for your account."
okay
"Your password does not meet your organization policy."
okay, you could have hinted that in the interface before I hit enter, but what's the policy
"It's a secret to everybody."
@0xabad1dea cheese shop sketch... Don't tell me, I'm keen to guess
@[email protected] My all time favourite in this genre are the websites that silently truncate passwords, so it looks like they've been accepted but to actually log in you need to only type the first 8 characters...
@mavnn
There is a delightful variation where the truncation is inconsistent, so you can get the password wrong even with a password vault or other copy paste.
@0xabad1dea
@[email protected] Indeed - I found one where the web interface truncated but the mobile did not. Which would imply a certain lack of hashing and salting, but that's probably not the most pressing security concern by that point.
@mavnn @hypostase
I created an account for a school book once. I made a 20 character password with numbers, letters and punctuation. It accepted my password but I could never log in with it.
After making several new passwords with no luck I tried entering all my letters as lowercase and truncated it at 16 characters. Even though that was not the password I made, it let me in.
I only know enough to know that nothing good happened there
@mavnn
Possibly. I'd put it down to different field lengths in different forms, or forms differently generated on different parts of the site.
In any case a lack of coherence in design. Security's been an afterthought for a very long time.
@mavnn @0xabad1dea
Just wait until you run into one that hashes the entire password, but the login password field only accepts 8 characters.
@[email protected] Ah, the lovely "we'll email you in plain text the only string that will ever work" systems. Right up there with systems that silently turn any 'illegal' character into a '_' without notice. I see those two less often than the silent truncation in real life though.
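The failure mode the thread keeps circling back to (one form lowercases, replaces "illegal" characters with '_' and truncates before hashing, while the login form hashes whatever was typed) is easy to reproduce. The following is an added, constructed example and is not code from any site mentioned in the thread; the `legacy_*` functions model the defect, and `check_policy`, `set_password` and `login` show the fix: state every rule to the user instead of silently applying it, never transform the password, and hash the full UTF-8 string with the same routine on both paths.

```python
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

# Constructed demonstration of silent password mangling vs. an explicit policy.

PBKDF2_ITERATIONS = 200_000


def _derive(password: str, salt: bytes) -> bytes:
    """Hash the exact password bytes with PBKDF2-HMAC-SHA256 (stdlib)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


# --- The defect class from the thread -------------------------------------

def legacy_normalize(password: str) -> str:
    """Silent mangling: lowercase, replace 'illegal' characters with '_',
    cut to 8 characters. The user is never told any of this happened."""
    mangled = re.sub(r"[^a-z0-9]", "_", password.lower())
    return mangled[:8]


def legacy_set_password(password: str) -> dict:
    """Set-password form: mangles, then hashes the mangled string."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(legacy_normalize(password), salt)}


def legacy_login(password: str, record: dict) -> bool:
    """Login form: hashes the raw input, so the password the user actually
    chose never matches; only the mangled version does."""
    return hmac.compare_digest(_derive(password, record["salt"]), record["hash"])


# --- The hardened version -------------------------------------------------

MIN_LEN, MAX_LEN = 12, 128  # assumed policy values for this example


def check_policy(password: str) -> Optional[str]:
    """Return a human-readable reason for rejection, or None if acceptable.
    Every rule is reported to the user rather than silently applied."""
    if len(password) < MIN_LEN:
        return f"Password must be at least {MIN_LEN} characters."
    if len(password) > MAX_LEN:
        return f"Password must be at most {MAX_LEN} characters; it is not truncated."
    if "\x00" in password:
        return "Password may not contain NUL characters."
    return None


def set_password(password: str) -> Tuple[Optional[dict], Optional[str]]:
    """Reject with an explicit message, or hash the password unchanged."""
    reason = check_policy(password)
    if reason is not None:
        return None, reason
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(password, salt)}, None


def login(password: str, record: dict) -> bool:
    """Same derivation as set_password, no transformation, constant-time compare."""
    return hmac.compare_digest(_derive(password, record["salt"]), record["hash"])


if __name__ == "__main__":
    chosen = "Correct Horse Battery Staple!"  # constructed sample password
    rec = legacy_set_password(chosen)
    print("legacy: chosen password works?", legacy_login(chosen, rec))          # False
    print("legacy: mangled prefix works?", legacy_login(legacy_normalize(chosen), rec))  # True
    good, err = set_password(chosen)
    print("hardened: chosen password works?", login(chosen, good))             # True
    print("hardened: rejection reason for 'short':", set_password("short")[1])
```

Running it shows the school-book symptom from the thread: the 29-character mixed-case password is refused at login, but its lowercased, underscored first 8 characters are accepted. With the hardened path the user either gets a specific reason at set time or gets exactly the password they chose.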
@0xabad1dea see if we told everyone the policy then hackers would tune their brute force attacks!!!