- cross-posted to:
- privacy
- hackernews@derp.foo
- cross-posted to:
- privacy
- hackernews@derp.foo
Largest Study of its Kind Shows Outdated Password Practices are Widespread::undefined
Largest Study of its Kind Shows Outdated Password Practices are Widespread::undefined
I am tired of websites imposing limitations on passwords, but not sharing what those are. I use a password generator, and rarely know if Unicode characters are allowed, if there’s a limit on the number of characters, etc.
I’ve come across websites where dashes “-” are forbidden. My banking website only allows a maximum of 16 characters. Sometimes there’s a note below the password box, sometimes they don’t tell you until your password fails, and sometimes they don’t ever tell you. If I don’t know what the restrictions are, I’ll end up throwing a cheap password at it until I can find out what’s acceptable.
Sometimes they change the requirements, so a password that once had symbols no longer works, and you can’t log in anymore.
Even better! They’ll sometimes tell you the wrong error message like my bank used to before they redesigned the front end and backend. I couldn’t change my password there for the longest time because it kept telling me my password was not between 5-8 characters long (yes it was). Turns out I couldn’t use a - in my password. I’m glad they finally updated to to a longer password but I still can’t use a - in my password.
Sometimes the limits they tell you are wrong. Sometimes they truncate your password without telling you. Sometimes the app has different requirements than the website.