Largest Study of its Kind Shows Outdated Password Practices are Widespread::undefined

  • Dem Bosain@midwest.social
    link
    fedilink
    English
    arrow-up
    24
    ·
    11 months ago

    I am tired of websites imposing limitations on passwords, but not sharing what those are. I use a password generator, and rarely know if Unicode characters are allowed, if there’s a limit on the number of characters, etc.

    I’ve come across websites where dashes “-” are forbidden. My banking website only allows a maximum of 16 characters. Sometimes there’s a note below the password box, sometimes they don’t tell you until your password fails, and sometimes they don’t ever tell you. If I don’t know what the restrictions are, I’ll end up throwing a cheap password at it until I can find out what’s acceptable.

    • Altima NEO@lemmy.zip
      link
      fedilink
      English
      arrow-up
      4
      ·
      11 months ago

      Sometimes they change the requirements, so a password that once had symbols no longer works, and you can’t log in anymore.

      • Nommer@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        2
        ·
        11 months ago

        Even better! They’ll sometimes tell you the wrong error message like my bank used to before they redesigned the front end and backend. I couldn’t change my password there for the longest time because it kept telling me my password was not between 5-8 characters long (yes it was). Turns out I couldn’t use a - in my password. I’m glad they finally updated to to a longer password but I still can’t use a - in my password.

    • numanair@lemmy.ml
      link
      fedilink
      English
      arrow-up
      4
      ·
      11 months ago

      Sometimes the limits they tell you are wrong. Sometimes they truncate your password without telling you. Sometimes the app has different requirements than the website.

    • GrunerAffe@lemmynsfw.com
      link
      fedilink
      English
      arrow-up
      3
      ·
      11 months ago

      Banking having the incredibly low character max is insane. I made a new account recently and I wanted to use the Bitwarden passphrase generation, but even 2 words could make it too long. Plus the push for 2 factor auth with everything including crap like streaming, except they just want to email me after I’ve given my very strong passwords already…