
The inner fire of my hatred COULD melt steam beams

⁨363⁩ ⁨likes⁩

Submitted ⁨⁨1⁩ ⁨day⁩ ago⁩ by ⁨Stamets@lemmy.dbzer0.com⁩ to ⁨memes@sopuli.xyz⁩

https://lemmy.dbzer0.com/pictrs/image/511c3ff9-321e-4680-978e-71a2de0103e0.webp

source

Comments

  • magic_lobster_party@fedia.io ⁨1⁩ ⁨day⁩ ago

    One way this happened to me was because the “choose password” page silently truncated too long passwords. The login page didn’t truncate.

    source
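The mismatch described in the comment above, as an added example that is not code from the thread or from any real site: a signup path that silently truncates while the login path hashes the full input, next to a version that rejects over-long input instead. `MAX_LEN`, the function names and the PBKDF2 work factor are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

MAX_LEN = 16          # assumed field limit of the hypothetical signup form
ITERATIONS = 210_000  # example PBKDF2 work factor; tune for your hardware


def _kdf(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier from the password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)


def signup_truncating(password: str) -> tuple[bytes, bytes]:
    """Buggy signup: silently keeps only the first MAX_LEN characters."""
    salt = os.urandom(16)
    return salt, _kdf(password[:MAX_LEN], salt)


def signup_strict(password: str) -> tuple[bytes, bytes]:
    """Fixed signup: over-long input is rejected loudly, never altered.

    Raising MAX_LEN is the better fix where possible; the point here is that
    signup and login must apply the same rules to the same input.
    """
    if len(password) > MAX_LEN:
        raise ValueError(f"password longer than {MAX_LEN} characters")
    salt = os.urandom(16)
    return salt, _kdf(password, salt)


def login(password: str, record: tuple[bytes, bytes]) -> bool:
    """Login page: hashes exactly what was typed, with no truncation."""
    salt, stored = record
    return hmac.compare_digest(_kdf(password, salt), stored)


if __name__ == "__main__":
    generated = "correct-horse-battery-staple-42"  # constructed sample input
    record = signup_truncating(generated)
    print("full password accepted:", login(generated, record))
    print("first 16 chars accepted:", login(generated[:MAX_LEN], record))
```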
    • helpImTrappedOnline@lemmy.world ⁨23⁩ ⁨hours⁩ ago

      That’s been the most frustrating thing about using a password manager. I set the random generator pretty high and have to reset and decrease it randomly until the login works.

      source
      • Sabata11792@ani.social ⁨18⁩ ⁨hours⁩ ago

        When the shitty site does not allow half the special characters in the generated password…

        source
  • candyman337@lemmy.world ⁨1⁩ ⁨day⁩ ago

    That means they’ve updated their password requirements and your new one is now rejected, or they reject passwords of a certain age or with a lack of account activity.

    source
    • coffee_tacos@mander.xyz ⁨16⁩ ⁨hours⁩ ago

      They better not know whether the old password matches their new password requirements, as all they should have is the salted hash of the password, which reveals no information about the password on its own.

      source
      • candyman337@lemmy.world ⁨16⁩ ⁨hours⁩ ago

        Well, that’s best practices but that’s definitely not always implemented lmao

        source
    • pelespirit@sh.itjust.works ⁨1⁩ ⁨day⁩ ago

      I’m pretty sure it was because the password was compromised. That’s what I’ve heard for a decade now.

      source
  • lvxferre@mander.xyz ⁨1⁩ ⁨day⁩ ago

    I hate poorly made security/identity systems in general, but by far the worst is poorly made 2FA.

    No, I’m not giving you my number; and if this is obligatory to use your site, I’m not using your site. Ask for my email and I’ll provide my burner account.

    source
  • bathing_in_bismuth@sh.itjust.works ⁨18⁩ ⁨hours⁩ ago

    And why keep hashes (I fucking hope so) of old passwords?

    source
    • BlueMagma@sh.itjust.works ⁨16⁩ ⁨hours⁩ ago

      To be able to display this error message and force you to use a different password, that way you won’t remember it.

      source
  • Thorry@feddit.org ⁨1⁩ ⁨day⁩ ago

    That’s because you’ve been rate limited trying passwords for an hour. When an attacker is randomly trying incorrect passwords, even the correct password will be rejected. Otherwise the protection wouldn’t be very useful.

    source
    • kibiz0r@midwest.social ⁨19⁩ ⁨hours⁩ ago

      Had a convo with someone a while back:

      Bug report: “The ‘reset password’ form doesn’t show an error if you try to reset an account that doesn’t exist.”

      Me: “That would be a security risk. Closed.”

      Them: “What? How? You have to click the link in the email before it does anything.”

      Me: “Try putting in a bogus email on the login screen. See how it says ‘wrong email/password combination’, and not ‘no such account’? If we tell the user whether we recognize a given email, we’re basically providing attackers a list of users they can try passwords for.”

      source
    • SoaringDE@feddit.org ⁨11⁩ ⁨hours⁩ ago

      But then there would be no harm in just stating the rate limit :(

      source
  • purplemonkeymad@programming.dev ⁨1⁩ ⁨day⁩ ago

    They keep multiple old passwords. You’ve done this whole shtick before and you tried to use that same password last time. You use it for everything, and every time your new account gets “hacked.” You keep using that password even when we show you that it’s been in multiple leaks and is associated with your email.

    “But I like the password, it’s my favourite football team!”

    source
    • explodicle@sh.itjust.works ⁨13⁩ ⁨hours⁩ ago

      Bruh I never wanted to log in just to use your system. Just let me use “password”.

      source
    • maus@sh.itjust.works ⁨17⁩ ⁨hours⁩ ago

      Not so fun, fun fact. Google does not let you re-use the last 100 passwords.

      source
  • diptchip@lemmy.world ⁨1⁩ ⁨day⁩ ago

    I’m more pissed that they are keeping all my old passwords… So when they get leaked, they all get leaked.

    source
    • chicken@lemmy.dbzer0.com ⁨23⁩ ⁨hours⁩ ago

      In theory they could be only storing the hash and using that to determine if you reused an old one

      source
      • TheRealKuni@piefed.social ⁨20⁩ ⁨hours⁩ ago

        This is what’s happening, if they’re even a little bit good at their jobs.

        source
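How a reuse check can work with only salted hashes on file, as discussed in the comments above (an added example, not code from the thread or from any real service): the candidate password is re-hashed under each old entry's salt and compared, so no old plaintext is ever kept. The `Account` class, the history depth of 3 and the PBKDF2 work factor are assumptions for illustration.

```python
import hashlib
import hmac
import os
from collections import deque

HISTORY = 3           # assumed number of remembered passwords
ITERATIONS = 210_000  # example PBKDF2 work factor; tune for your hardware


def _kdf(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier from the password and its own salt."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)


class Account:
    """Holds only (salt, hash) pairs; the oldest falls off after HISTORY entries."""

    def __init__(self, password: str) -> None:
        self.history: deque = deque(maxlen=HISTORY)  # newest entry is last
        self._store(password)

    def _store(self, password: str) -> None:
        salt = os.urandom(16)  # fresh salt per stored password
        self.history.append((salt, _kdf(password, salt)))

    def verify(self, password: str) -> bool:
        """Login check against the current (newest) entry only."""
        salt, stored = self.history[-1]
        return hmac.compare_digest(_kdf(password, salt), stored)

    def change_password(self, new_password: str) -> bool:
        """Reject the change if the candidate matches any remembered hash."""
        reused = False
        for salt, stored in self.history:
            # Each old entry has its own salt, so the candidate is re-hashed per entry.
            reused |= hmac.compare_digest(_kdf(new_password, salt), stored)
        if reused:
            return False
        self._store(new_password)
        return True


if __name__ == "__main__":
    acct = Account("Winter2023!")  # constructed sample passwords
    print("reuse of current password allowed:", acct.change_password("Winter2023!"))
    print("new password allowed:", acct.change_password("Spring2024!"))
```

Because each entry is salted separately, a leaked history table gives an attacker one independent hash to crack per old password rather than the passwords themselves.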
  • Chingzilla@lemmy.world ⁨1⁩ ⁨day⁩ ago

    Relevant Tom Carty

    www.youtube.com/watch?v=5DtPkr8yJ00

    source
    • TheInfamousOne@lemmy.world ⁨18⁩ ⁨hours⁩ ago

      Also, Relevant CalebCity

      www.youtube.com/watch?v=u92RWKB3CR4

      source
  • Rhaedas@fedia.io ⁨1⁩ ⁨day⁩ ago

    I've always thought that the best password security possible would be to always have the real password fail a few times. People who know their password will keep trying it, someone else will try a different one. It's a variation of not giving an error that tells what failed.

    source
    • JeeBaiChow@lemmy.world ⁨1⁩ ⁨day⁩ ago

      I used to spoof the login page of my campus freenet, fail the first login, store the password and then jump to the actual page. End of the day I just go around the lab harvesting.

      source
      • TheRealKuni@piefed.social ⁨20⁩ ⁨hours⁩ ago

        To what end? What benefit was there in having people’s campus logins?

        source
    • tekeous@beehaw.org ⁨1⁩ ⁨day⁩ ago

      This is delightfully evil

      source
  • GreenShimada@lemmy.world ⁨1⁩ ⁨day⁩ ago

    Your hatred is steaming beans?

    My hatred usually corns beef.

    source