this post was submitted on 24 Apr 2025
636 points (98.8% liked)

Comic Strips

16109 readers
2197 users here now

Comic Strips is a community for those who love comic stories.

The rules are simple:

Web of links

founded 2 years ago
MODERATORS
[email protected]
636
Credit to Pervis Comics by Zach M. Stafford (lemmy.ca)
submitted 9 hours ago by [email protected] to c/[email protected]
28 comments fedilink hide all child comments
 

https://www.instagram.com/perviscomics

all 30 comments
sorted by: hot top controversial new old
[–] [email protected] 6 points 1 hour ago (1 children)

Here’s my recent favorite:

  • Try to log into site
  • Tells me my password is wrong… uhh okay
  • Try to reset password by auto-filling a new one from my password manager
  • New password set successfully! Yay!
  • Try to login again… fail. Wrong password… fucking what…?
  • Realize that their password field was clipping the password length off at some max length not fucking mentioned anywhere, so I have no clue what the actual password is without trial-and-erroring, which then results in an account lockout again

I’m a programmer and this kind of blatant stupidity from massive companies pisses me off to no end. MAKE YOUR PASSWORD REQUIREMENTS CLEAR. MAKE YOUR UX CLEAR.

[–] [email protected] 3 points 1 hour ago
  • Doesn't show password requirements until after first attempt is rejected
  • Password expiration w/o any alert
  • Arbitrary password length requirements (specifically max length)
  • Arbitrary character requirements (particularly disallowing or only allowing a certain subset of special characters)
  • Only offering SMS as "2FA"
  • Using email "2FA" on every. Login. Attempt. And offering no real 2FA alternative.

All of these are reasons I will look to move my business to a competitor.

[–] [email protected] 1 points 4 hours ago

/me glares at ADP

I use a password manager, which auto-types the password, and I still have this happen to me.

[–] [email protected] -1 points 5 hours ago

hash collision

[–] [email protected] 21 points 6 hours ago

I hate how too real this has been...lol

[–] [email protected] 56 points 8 hours ago (5 children)

Never have this problem anymore with a password keeper. All new passwords are unique.

What REALLY pisses me off is when:

  • register for account
  • cannot register, account already exists
  • password reset
  • account not found
[–] [email protected] 8 points 5 hours ago (2 children)

We require our users use a password that is in between 8 and 14 characters, contains more than 2, but not exceeding 4 special characters, and at least 3 uppercase letters, 3 numbers with 0 repeating digits.

Generator: ".....fuck you?"

[–] [email protected] 9 points 4 hours ago (1 children)

And while requiring special characters, they only allow some special characters. So you just turn off special characters in the generator and then add an exclamation mark at the end

[–] [email protected] 5 points 4 hours ago

i just want to use ☭ and so few websites let you

[–] [email protected] 26 points 6 hours ago* (last edited 6 hours ago)

I absolutely do. It's not that the password was wrong. It's that they wanted to invalidate all existing passwords and make you change it.

The easiest way to do that is for them to force everyone through the "forgot password" workflow. Zero or minimal code changes. They don't want to make a new, but very similar , "we had a security breach and are requiring you to change your password" workflow. They just don't care that they're blaming you for their problem.

[–] [email protected] 12 points 6 hours ago (1 children)

I have a password manager and had this happen with a password I saved, so I'm 100% certain it wasn't me making a typo but crappy software instead. Yes it was Meta, it's always Meta when shit like this happens.

[–] [email protected] 7 points 6 hours ago

I've had it happen with:

  • company payroll site
  • health provider portal
  • utility company

Each time I get on the phone with the company for them to manually fix the issue.

[–] [email protected] 2 points 8 hours ago

Basicly every terrible website/service that "irreversibly deletes" an account

[–] [email protected] 9 points 8 hours ago

This is more of a work computer issue than an personal computer one.

[–] [email protected] 1 points 8 hours ago

I've often encountered this when a website forces you to change/update passwords too.

[–] [email protected] 7 points 8 hours ago

Every single time

[–] [email protected] 2 points 8 hours ago* (last edited 8 hours ago) (2 children)

This happens because you're trying to re-use a previous password, which is not necessarily the current password.

The new password can't be same as any of your previous ones.

[–] [email protected] 1 points 6 hours ago* (last edited 6 hours ago) (1 children)

usually it gives a different error, something like "can't be a password that was used previously"

[–] [email protected] 1 points 5 hours ago* (last edited 5 hours ago) (2 children)

Sometimes.

In my experience though, services will use language along the lines "the password can't be the same as your last password" but if you set a random password temporarily, you then still can't set the password to the one you wanted. Meaning they are checking earlier passwords too.

In fact I have yet to come across one where you can re-use password by first setting it to something else. Have you?

I think most developers just assume people aren't going to even try old passwords, only the most recent one.

[–] [email protected] 3 points 5 hours ago

I have. My former bank disallowed reusing any of your previous passwords, and also did "clever" things like flagging you for using sequences of characters from your old passwords as well.

All provisos that revealed that they were storing passwords (including old passwords) in plain text, because there's no way they'd be able to make those determinations if they were irreversibly hashing passwords correctly.

TL;DR: They're no longer my bank.

[–] [email protected] 1 points 5 hours ago

I have yet to come across one where you can re-use password by first setting it to something else. Have you?

no, that was not my point

[–] [email protected] 16 points 8 hours ago (1 children)

More likely it's happening because the password change field silently truncates your input and the login field doesn't, or vise-versa, because whoever designed the web page or system is stupid.

[–] [email protected] 1 points 8 hours ago* (last edited 7 hours ago)

That is a possibility. But then actually setting a completely new password shouldn't work, yes? Because when you go to use it, it won't work.

I doubt that's the "more likely" scenario.

Tons of people have reset a login more than once, and then forget, which is what leads to this scenario.

When they forget the new password, but re-remember a previous one, they try to use it to log in. When that fails, they go to reset it again, and they try to set it back to the password they remember. Which doesn't work, because it is a previous password. But at the same time it is also not the current one.

The supposed catch 22 is that if it can't be their new password, it should work to log in. And if it can't be used to log in, then they should be able to set it as their password.

In reality the password has already been used, but before a previous reset. So it is neither a valid new password, nor the current password. This does not occur to people.

This can happen in any correctly configured service that prevents password re-use, and is therefore the far more likely scenario.

[–] [email protected] 12 points 9 hours ago (1 children)

That's why you didn't remember. You did this before and made some 1 off password and you will never remember those 1 off passwords.

[–] [email protected] 6 points 7 hours ago

As a vpn user and a password manager user, for me it's often because a website decided to lock the account of anyone coming from a blacklisted IP.