This is a rant about dumb password policies enforced by some websites or apps. If you see these password rules forced to you, try to stay away if possible.

Can’t use special characters, or use a pre-defined special characters only

Are you storing the password in plaintext that your database will break when have special characters?

Password can’t be longer than X characters

Most probably storing the password in plaintext and their database column is limited to those characters limit.

Password expire every X months, without notice, suddenly can’t login. Reset it and can’t use the last 5 passwords

They store your previous passwords, either encrypted or plaintext.

  • sijt@lemmy.world
    link
    fedilink
    English
    arrow-up
    44
    ·
    1 year ago

    The biggest red flag is when they try and stop you from pasting your password (or anything else for that matter) breaking password managers.

    There are years-long arguments on social media with companies who do this with actual security experts telling them they’re hurting security (including referencing organisations like the UK’s National Cyber Security Centre) and their only response is “we don’t allow pasting for security reasons” but they can never explain how it helps security - because it doesn’t. It drives me mad.

    • mrspaz@lemmy.world
      link
      fedilink
      English
      arrow-up
      9
      ·
      1 year ago

      I had one recently that (when changing / creating the password) would allow you paste into the “new password” field but not the “confirm password” field. Super annoying.

      I just opened dev tools, pasted it into the “value” property for the control, and kept on truckin’. Just nuts that had to be done though.

      • sijt@lemmy.world
        link
        fedilink
        English
        arrow-up
        5
        ·
        1 year ago

        Lots of sites do it on the email fields for some reason. I’m far more likely to miss type my email address, twice, than my password manager is likely to somehow complete it wrong.

  • dual_sport_dork 🐧🗡️@lemmy.world
    link
    fedilink
    English
    arrow-up
    20
    ·
    1 year ago

    “Cannot use a sequence of characters used in any previous password,” or “Cannot use a previous password backwards.” Those are sure fire indicators that they’re storing your passwords in plain text.

    I used to have a bank that had the first rule. Emphasis: Used to.

    And putting an upperbound length limit on passwords is pants-on-head loony, unless the length limit is very large, like 1024 characters or something. Especially if it’s going to be hashed anyway.

    • KHTangent@lemmy.world
      link
      fedilink
      English
      arrow-up
      8
      arrow-down
      1
      ·
      1 year ago

      Some password hashing functions have a maximum input length. That could be a reason for some of the requirements. E.g. if I remember correctly, bcrypt used a maximum of 60 characters, while still being an ok choice for a hashing function

    • zockersanftmut@feddit.de
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      1 year ago

      My bank has a rule that your password needs to be exactly 5 characters. It’s completely nonsensical. Thankfully, a few years ago they at least implemented two factor authentication so there’s some safety. Otherwise I would probably change to a different bank.

  • root@lemmy.zip
    link
    fedilink
    English
    arrow-up
    13
    ·
    1 year ago

    Work for a hospital chain in IT and we have an application has a 1-10 character, no specials policy LOL

  • deejay4am@lemmy.world
    link
    fedilink
    English
    arrow-up
    14
    arrow-down
    1
    ·
    1 year ago

    I forgot my password to a local government site once and they emailed me my plaintext password. Wtf.

    • driving_crooner@lemmy.eco.br
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      There was a service in a company I worked for that also send you your password in plain text by email. I reported it to the infosec department and they were like yeah, we know, but the system is not important and we don’t care. Mf don’t know that people reuse their passwords everywhere??

  • surewhynotlem@lemmy.world
    link
    fedilink
    English
    arrow-up
    9
    ·
    1 year ago

    They don’t need to store previous passwords to prevent reuse, they just need to store the hashes. This is safe.

      • nogooduser@lemmy.world
        link
        fedilink
        English
        arrow-up
        12
        ·
        1 year ago

        You don’t know if they hash your current password either. Storing the last X passwords is not any reason to infer that they are plain text.

        Chances are very good that they’ll hash previous passwords if they hash the current one.

  • keeb420@kbin.social
    link
    fedilink
    arrow-up
    7
    ·
    1 year ago

    My works payroll bullshit, you mightve heard of the company, makes us change the password every so often and it can’t be one we used before. I work in a warehouse driving a forklift. There are people who can barely operate the computers they installed 5+ years ago still. It’s dumb af. But no one would listen to me on it so I don’t even bother.

  • BradleyUffner@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    My old bank would reject passwords that didn’t start with a letter. Numbers and symbols were required, but you couldn’t use them as the first character for some reason. Infuriating.

  • MrMobius @sh.itjust.works
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    Most places where I’ve seen those annoying rules are official websites of my country’s institutions… Hard to make do without them.

  • soulifix@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    6
    ·
    edit-2
    1 year ago

    Places like Flickr can go fuck themselves because they want 12-character password limits. 12! Some people can barely even remember a 6 string password much less one that’s 12.

    Why 12? “SECURITY!” they’d spam. I’ve found it more secure to have a mix of special characters, lowercase/uppercase and numbers than the longer string of a password. Just means you’re going to increase the volume of people having to reset their passwords now and then because you required them to make it 12 characters long.

    I don’t understand why people would like 12 characters…