this post was submitted on 26 May 2025
565 points (96.2% liked)

Cybersecurity - Memes

2856 readers
2 users here now

Only the hottest memes in Cybersecurity

founded 2 years ago
MODERATORS
Sam1232188@lemmy.world
neurohost@lemmy.world
Sam1232188@lemmy.fmhy.ml
Alphadef@programming.dev
CannaVet@lemmy.world
565
Uh oh, somebody's not following best practices, that's a paddlin (lemmy.world)
submitted 2 weeks ago by cm0002@lemmy.world to c/cybersecuritymemes@lemmy.world
103 comments fedilink hide all child comments
 
you are viewing a single comment's thread
view the rest of the comments
[โ€“] Kolanaki@pawb.social 64 points 2 weeks ago* (last edited 2 weeks ago) (3 children)

I don't even know how the fuck this happens.

Enter password

Incorrect

Enter password again, carefully to make sure no typos

Incorrect

Change password to the one you remember it to be

"New password can't be the same as old password"

๐Ÿ˜ฌ

Shit sometimes gives me this while using a password manager! The saved password is correct. Even the change password thing says it should be correct. Still tells me it's wrong trying to use it.

[โ€“] skulblaka@sh.itjust.works 64 points 2 weeks ago (2 children)

That just means they're forcing everyone to change their passwords but they don't want to come out and tell you about it.

If you're lucky, some overzealous sysadmin is just trying to enforce regular password updates on his users, and makes them expire every once in a while.

More likely, there was a breach of some sort that they want to keep on the hush.

[โ€“] MicrowavedTea@infosec.pub 34 points 2 weeks ago (2 children)

It's also possible there's a hidden max password size somewhere, like some fields only counting the first x characters of the password but it's inconsistent across different forms.

[โ€“] wreckedcarzz@lemmy.world 11 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

USAA is guilty of this shit. Let's you set a huge password. Truncates it. Doesn't tell you about it. Error when logging in.

I want to beat the motherfucker behind this strategy.

E: Kagi too. I bitched out the support and I got a 'meh, it should have told you' response. Fix your shit.

[โ€“] MicrowavedTea@infosec.pub 6 points 2 weeks ago (1 children)

Not sure what is worse, not telling you and giving an error or not telling you and letting you log in (ie truncating the password both times, letting you think your password is longer than it is)

[โ€“] JcbAzPx@lemmy.world 3 points 2 weeks ago

The first is more annoying, the second is scummier.

[โ€“] Serinus@lemmy.world 4 points 2 weeks ago

but they don't want to come out and tell you about it.

It also doesn't require a code change to continue blaming the user when you invalidate all current passwords.

It's a couple database queries to move all current passwords to old passwords, and change current (hashed) password for everyone to "deadbeef". Nobody can guess a value that adds to their salt and hashes to "deadbeef", and you get this behavior.

[โ€“] ExtantHuman@lemm.ee 4 points 2 weeks ago

One time, I was trying to recover an old email address from a local ISP domain. They had changed the pw length requirements a few years earlier.

Well, my current password was not long enough, but some idiot designer put the password requirements on the Old Password field as well. I was not allowed to update my password to meet the new requirement because the old password did not meet the new requirements. Morons.

[โ€“] stebo02@sopuli.xyz 3 points 2 weeks ago

Shit sometimes gives me this while using a password manager! The saved password is correct. Even the change password thing says it should be correct. Still tells me it's wrong trying to use it.

I had this exact issue with an Instagram account. You'd expect a social media site with 2 billion monthly active users to do better but nope