Keepassxc Password generator.
"Sorry, this password is too long"
Literally gotten this error before. So annoying. It was like 18 characters.
I had one site limit my password to 8 characters long
My favorite is "can't be more than x% similar to the last 3 passwords". Of course, you shouldn't ever define what "similar" actually means.
And the only way to check that is by storing the previous passwords in a recoverable format.
It feeds your last three passwords into an LLM and it decides if your next password is similar or not. This rule brought to you by Nvidia. Nvidia: the next time your company wants to apply AI to things where AI doesn't belong, think Nvidia.
at what point do password requirements start making password easier to crack?
They invariably do. They always constrain the list of things that a fully random generator could possibly make. They never add to that list.
Even rules like "can't use the same character twice in a row" constrain the list at least a little. That one makes it harder for dumb people to do dumb things, but also makes it harder for smart people to do smart things.
"One of the characters of your chosen password was used in the same position 12 password-changes ago, but I won't tell you which"
I just wish these password requirements could be added as an attribute to the password field so password managers could generate a password that matches those rules.
nowadays we have passkeys anyways which is just making the good old "random max length password with all the character groups" explicit.
I just had to make a password for a hotel.
8 to 20 characters Uppercase Lowercase Digits OR special characters.
The capitalized OR is important. You can have either numbers in the password, or special characters, BUT NOT BOTH.
Took me 8 tries.
- First one was too long.
- Second and third used both numbers and characters, but I thought the characters were TOO special.
- 4 through 6 used both numbers and special characters.
- Seventh password used just letters and numbers, and it was accepted.
- Eighth try I used just letters and keyboard characters, and that was accepted too.
The best part to me is that they include all of these rules to increase the security, but then set a maximum length of the password, which from my understanding is the easiest way to add complexity/security to a password.
Maximum length is the biggest red flag to me and was the catalyst for me making the effort to switch to unique passwords per-account years ago. There's just so, so many shitty homerolled security systems out there... and data breaches seem to be a perennial problem these days.
There's just no excuse for limiting the length if you're doing security correctly (other than perhaps a large upper limit just to protect against someone DOSing the backend with a bunch of 100MB strings; 512 characters seems reasonable).
By setting an upper limit, you're basically saying one or more of these things:
- We store your password in plaintext
- We store a hash but our hashing function has an unnecessarily arbitrarily limited input size
- The person/team implementing the backend has no idea what they're doing and/or just copy pasted login code from stack overflow
- We tried to get away with minimal password requirements but some middle manager wouldn't rubber stamp it without
arbitrary_list_of_bs
My 'favorite' password rules are incorrect rules. Recently signed up to a service, which looked like it hasn't been updated since the 90s. They sent me my password via letter, but hey, I was allowed to change it digitally.
So, I did. I set it to a reasonably long password (probably something like 22 characters), with no problems.
Then I went to login and it refused my login. I copied my password out of my password manager, for both setting it and logging in, so there was no way that it was wrong. I quadruple checked the login name, but no luck.
Eventually, I manually typed the password from my password manager. Then I saw it, their password field stopped accepting inputs after about 20 characters.
Presumably, I was able to set my long password on the registration page, but the login page did not accept this long of a password. Fucking ace.
I had to order another password letter.As a website developer, it’s easy to just use the 'maxlength' attribute on fields you don’t want to exceed a certain length (for valid reasons or not). But then exactly this happens: A user pastes something in there, doesn’t notice that their input got truncated, and something, somewhere breaks.
'maxlength' is terrible user experience.
