The ultimate sin is when a websites app doesn't support a password that the website does. Another favorite is when the change password requirements are higher than whats supported.
It's a bit counterintuitive but restricting search space like this when typing a password actually increases password entropy for most people, because people are dumb "123secret"
Their 2FA TOTP gets concatenated to the end of your password. Got a >26 char password? You’ll be locked out after enabling 2FA. No worries, though, you just call support, provide your email, and they disable 2FA for you..
Wait so are they splitting the password and 2FA code again server-side or are they storing the password unhashed so that they can do the same concatenation there?
Twilio for example is shamed for not allowing 3 x consecutive same character or the inclusion of the world ‘twilio’ in the password. That kinda just seems like reasonable password advice?
Well, neither of those things means a password is weak. Maybe they should check total entropy and if the password is already compromised and leave it at that.
In case you haven’t seen it - the TreasuryDirect password policy is almost comical. There’s a screenshot in the repo.
The website disables the password input field (and password managers with it). To “type” your password, you have to use some on screen button-based keyboard monstrosity.
If someone wanted to make fun of password rules, this would have been great satire. But no - this is actually how you buy bonds from the US treasury.
Twitter just changed their flow that breaks autofill from iOS password manager apps and also breaks with autofill of the username and password and TOTP authenticator code on the web browser with browser extensions. This is a big company with massive resources.
By far the most frustrating password-handling sin I've encountered is when a website silently truncates the password field to some fixed length.
This is especially bad when you use a password-manager, as the password-manager will remember the full length password, which will be different than the truncated password the website is using. This wouldn't even be much of an issue if each website was at least consistent about truncating passwords, but often the account creation page and login page have different behavior (e.g. the account creation page truncates your password, but the login page doesn't, allowing your password manager to happily enter the full length password on the login page, thus resulting in a login failure).
The first couple times this happened I was perplexed, but I've been burnt by this so many times now that I've resorted to opening up my web browser's devtools on any account creation page to check the password <input> for the maxlength attribute (because yes, many websites don't even mention the maximum length).
> but often the account creation page and login page have different behavior
It's bad enough when that only applies to the length, but at least you could theoretically still log in once you knew what length it was truncated to. I've seen at least one banking site which had a narrower set of permitted symbols on the login page than the new account page. (Specifically, the login page didn't allow parentheses, but the new account page did.) Entering the correct password resulted in a form validation error, and of course if those symbols were removed then you still couldn't log in because it wasn't the right password.
Fortunately the login page's validation rules were all client-side, and thus easily bypassed via devtools with basic JS debugging techniques. Once logged in you could change your password to something the login page would accept without messing with the scripts.
23 comments
[ 24.6 ms ] story [ 995 ms ] threadTheir 2FA TOTP gets concatenated to the end of your password. Got a >26 char password? You’ll be locked out after enabling 2FA. No worries, though, you just call support, provide your email, and they disable 2FA for you..
Twilio for example is shamed for not allowing 3 x consecutive same character or the inclusion of the world ‘twilio’ in the password. That kinda just seems like reasonable password advice?
Day 27, I'm still trying to type a password and it keeps telling me my password has low entropy and no apparent way to fix it.
The website disables the password input field (and password managers with it). To “type” your password, you have to use some on screen button-based keyboard monstrosity.
If someone wanted to make fun of password rules, this would have been great satire. But no - this is actually how you buy bonds from the US treasury.
This is especially bad when you use a password-manager, as the password-manager will remember the full length password, which will be different than the truncated password the website is using. This wouldn't even be much of an issue if each website was at least consistent about truncating passwords, but often the account creation page and login page have different behavior (e.g. the account creation page truncates your password, but the login page doesn't, allowing your password manager to happily enter the full length password on the login page, thus resulting in a login failure).
The first couple times this happened I was perplexed, but I've been burnt by this so many times now that I've resorted to opening up my web browser's devtools on any account creation page to check the password <input> for the maxlength attribute (because yes, many websites don't even mention the maximum length).
It's bad enough when that only applies to the length, but at least you could theoretically still log in once you knew what length it was truncated to. I've seen at least one banking site which had a narrower set of permitted symbols on the login page than the new account page. (Specifically, the login page didn't allow parentheses, but the new account page did.) Entering the correct password resulted in a form validation error, and of course if those symbols were removed then you still couldn't log in because it wasn't the right password.
Fortunately the login page's validation rules were all client-side, and thus easily bypassed via devtools with basic JS debugging techniques. Once logged in you could change your password to something the login page would accept without messing with the scripts.
Tried to log in using my old password (that I had saved in password manager):
ERROR: "Your password is too short, please try again".
What had happened is they'd changed the password length requirement some time over the years, meaning I couldn't log in using my old password.
So I thought I'd try and out smart it doing a password reset.
ERROR: "Your old password is too short, please try again"