Cybersecurity - Memes

My 'favorite' password rules are incorrect rules. Recently signed up to a service, which looked like it hasn't been updated since the 90s. They sent me my password via letter, but hey, I was allowed to change it digitally.

So, I did. I set it to a reasonably long password (probably something like 22 characters), with no problems.

Then I went to login and it refused my login. I copied my password out of my password manager, for both setting it and logging in, so there was no way that it was wrong. I quadruple checked the login name, but no luck.

Eventually, I manually typed the password from my password manager. Then I saw it, their password field stopped accepting inputs after about 20 characters.
Presumably, I was able to set my long password on the registration page, but the login page did not accept this long of a password. Fucking ace.
I had to order another password letter.

Perfect illustration of security compliance vs security.

Don't forget general filters for bad passwords. That means no part of your name, username, anything sequential, your birthday, your pets birthday, or any of the 1000 most common passwords

Wrote this in a different thread but the way PlayStation handles this...

Password reset is limited to 30 characters. Login isn't.

That would be fine if the password rules on reset would actually mention this and not just cut off the password at 30 characters without telling you that it is too long. So I generated the password used that on reset, saved it, login wrong...

I couldn't login to my PlayStation account because my 32 characters long password saved in my bitwarden vault wasn't correct.

Even worse, on the first support request I was basically told "looks fine on our side, bye".

Fucking macOS man. No 2 repetitive or 3 consecutive, so when using a random password generator you still can’t have loads of words and have to try multiple times to get it…

Go ahead. Make a password. Then be left to deal with the mental & emotional damage.

https://neal.fun/password-game/

Password requirements so secure, eventually you go full circle to remember them and do shit like this.

Your password must contain at least 62 characters, you may only use lowercase and uppercase characters and numbers. All characters and numbers must be unique and sorted alphabetically, numbers may only be ordered ascending.

Expires every X months.

I've never been super into the idea of using a password manager rather than just using complex but memorable passwords for everything, but policy like this basically necessitates using one.

My favourite: No uppercase. No numbers.

The good old NTLM rule of max 8 characters and all converted to uppercase. It was a simple rule and if you forgot your password you could easily bruteforce it with normal consumer hardware.

I just had to make a password for a hotel.

8 to 20 characters Uppercase Lowercase Digits OR special characters.

The capitalized OR is important. You can have either numbers in the password, or special characters, BUT NOT BOTH.

Took me 8 tries.

• First one was too long.
• Second and third used both numbers and characters, but I thought the characters were TOO special.
• 4 through 6 used both numbers and special characters.
• Seventh password used just letters and numbers, and it was accepted.
• Eighth try I used just letters and keyboard characters, and that was accepted too.

Obligatory

Requirement: Needs special characters

Not accepted: using ọ̵̑h̸̞̉ ̴̰͒g̴͛ͅõ̸̦ḓ̵͠ ̸̳͌w̵̡̛h̴̦͘ŷ̵̫