How on earth can you both not accept the password I copied from my password safe and tell me that I cannot use the same pasaword again?
You must log in or register to comment.
If there has been a data leak, they might block your current password because the hash has been leaked
Yes, that might be a plausible theory. Basically a bad yersion of you must change your password.
How would that be considered bad? Is this some meme I’m too stupid to understand or something?
It would be better if the login flow said something like
For security reasons, we ask you to set a new password, please use the “password forgotten” function to gain access again.
instead of me being puzzled why my password doesn’t work.
except now anyone guessing your password knows when they guess your password right? while that site is safe most users use the same password and any site they use with the same email is now vulnerable.
Yes… but your credentials are already for sale in the darknet
Only the hash, not the password
I’ve never really understood why most systems are set up to reject a password reset if it’s the same password. Is there a security issue there that I’m not picking up on?
It seems like they should just let you reset your password anyway if you’ve reached that screen (usually using some kind of authorisation, like using a link with a token in it that gets emailed to you or something).
this is probably some half of the site is silently truncating the password, while the other half isn’t
Or adding a space because pasting. That happens a lot too
Get a password manager.
I have some weird mental block regarding starting to use them. I really should stop procrastinating.
Yes, please get a password manager. This improves both security and ease of use.
This often happens when you entered the right password but have a typo in the user name. Everyone tries the password again, but nobody spell checks their email or username.
You’re right, this is plausible
I once had to reset my password as the new one got truncated without telling me.
Yes. It was deemed too long.
It was for an company that got plenty of my personal data
Why on earth would someone truncate a password? I could make at least 10 more memea about bad handling of passwords
Why? Probably some wild row length limit being hit where a table storing user data was storing an asinine amount of data, just terrible DB organization in an org where someone said “who even needs a DBA.”
How? If you can truncate user passwords, you should never handle user passwords again, unless you’re a student or hobbyist learning a valuable lesson.
How? If you can truncate user passwords, you should never handle user passwords again, unless you’re a student or hobbyist learning a valuable lesson.
Yeah. The real reason to be alarmed is worse than the obvious one.
If a partial version of what was originally set actually works later, it implies a scary chance they’re not even hashing the password before storing it.
Also suggests the user may be reusing the same prefix if only the changed bits are getting truncated.
Should use different random passwords every time. Completely random or a random string of words. While it doesn’t solve the cleartext password storage issue, a data breach won’t compromise all your other accounts to same degree.
Doesn’t hurt to also randomize usernames, emails, and even security question answers.
edit: or my new favorite passkeys, just make sure you trust whatever tool is managing your private keys.
Not how password hashing works. Demonstrated with sha256:
hunter2butitsreallylong:
a9953dfbfec699349341edc857dcfe5c7a617c81f312cf57297d5b852881bab3hunter2:
f52fbd32b2b3b86ff88ef6c490628285f482af15ddcb29541f94bcf526a3f6c7a hash algorithm encompasses all provided data and returns a single fixed length data response
https://en.wikipedia.org/wiki/Cryptographic_hash_function
Any changes, even just removing a few characters, drastically changes the output of the hash function (https://en.wikipedia.org/wiki/Avalanche_effect)
You have no way of knowing a user password when you are storing hashes, you can’t truncate them, and the user password length doesn’t matter (up to a certain point where it’s technologically dumb to hash user input over a certain amount of data)
I do agree however that changing / randomizing your password is important, as someone brute forcing or running rainbow tables etc on a hash dump can quickly attack a common password across different dumps
