My opinion: Some websites say your password is wrong when it's not

I am CONVINCED that some websites say you have the wrong password when you enter the correct password.

My browser has saved the password for this website and entered it automatically for the past year. And now suddenly that password is incorrect? That seems unlikely.

I think some companies want their users to change their password periodically, but they don’t want to directly say that. So they just say “you must have forgotten it” and make the user create a new one.

So you go through the process to create a “new” password (which for me is the same as the old one) and they say “Sorry, you can’t use the same password as one of your previous passwords…”

They are just liars.

ETA: Yes I know I should change up passwords periodically, etc. If I want to be reckless with my logins, that is my problem. I have been online for ~27 years and I have never had an account be hacked (that I know of). Besides, if the bad guys want to log in and pay my cable bill, more power to them.

I’ve not encountered a site that I thought was doing as you suggested.

I’ve certainly encountered websites that say words to the effect of

You need to replace your existing password with a new one because we demand you not keep the same one longer than X months/years. So we’ll send you to our password replacement page now and won’t let you log on until you do.

Neener neener, we’re in charge here, not you!

My bank’s website tells me EVERY TIME that my user name and password are not in the system. And I click the “Log In” button again and it takes me to my account.

I’d mention it to the teller at the bank, but they seem to have no connection to what’s done online.

Why would they not want to say “it’s time to change your password”? What’s the advantage to the company in making you think you got your password wrong? It’s an easier process for the user to get a password change prompt than to make them click “Forgot password”, hope the user remembers the email account they used, and have to open a verification email to change it. I have a metric crap-ton of sites I need to enter passwords for, and several of them make me change the password on a regular basis, and walk me through a relatively easy password change process.

I’ve encountered situations where a previously working password was rejected for whatever reason. Following a prompt to enter a new password and recycling the old one doesn’t necessarily lead to a message saying it was used before.

I favor it being a mildly annoying software glitch, rather than a stealth campaign to get you to change your password.

As someone who uses a password manager, so I never “forget” my password, I have never seen this happen.

The ones that force a change (which are very rare) do so explicitly.

My gf was with me last week when I used my bank debit card to withdraw some cash. She was shocked that my password was 1111 (I was shocked that she noticed me inputting it). I explained to her that my debit card never leaves my possession, has never been lost, etc. Plus, I’ve never forgotten my password. IMO, my 4 digit password is as good as any other 4 digit password.

I’ve run into two similar situations.

On one, the actual password length was, say, 12 characters - but when you change the password, it lets you input more than that. I’d input a 15 character password, re-input it, the page would say they matched, and all was fine - until I needed to re-enter it. I think it was saving the hashed version of the first 12 characters. I don’t recall how I figured that one out.

On another, the password works on a computer browser, but not on my phone’s browser. No clue WTF the problem is.

I’ve never encountered the behavior the OP describes, as far as I can tell.
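The silent-truncation mismatch guessed at in the post above, as an added example that is not part of the thread: a password-change path that hashes only the first 12 characters while the login path hashes everything typed, next to a version that refuses over-length input instead. The class names, the 12-character limit and the sample password are constructed for illustration.

```python
import hashlib
import hmac
import os

MAX_LEN = 12  # constructed limit, taken from the post's "say, 12 characters"

def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 from the standard library; low iteration count for a quick demo only.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)

class BuggySite:
    """Hypothetical site: the change form truncates silently, the login form does not."""
    def __init__(self) -> None:
        self.salt = os.urandom(16)
        self.stored = b""

    def set_password(self, pw: str) -> None:
        self.stored = _hash(pw[:MAX_LEN], self.salt)  # characters past MAX_LEN are dropped

    def login(self, pw: str) -> bool:
        return hmac.compare_digest(self.stored, _hash(pw, self.salt))

class FixedSite(BuggySite):
    """Same login path, but over-length passwords are refused instead of truncated."""
    def set_password(self, pw: str) -> None:
        if len(pw) > MAX_LEN:
            raise ValueError(f"password must be at most {MAX_LEN} characters")
        self.stored = _hash(pw, self.salt)

def demo() -> dict:
    long_pw = "correct-horse-1"  # constructed 15-character password
    buggy = BuggySite()
    buggy.set_password(long_pw)  # both "new password" fields match, so the form is happy
    result = {
        "buggy_full_login": buggy.login(long_pw),
        "buggy_truncated_login": buggy.login(long_pw[:MAX_LEN]),
    }
    fixed = FixedSite()
    try:
        fixed.set_password(long_pw)
        result["fixed_rejects_long"] = False
    except ValueError:
        result["fixed_rejects_long"] = True
    fixed.set_password(long_pw[:MAX_LEN])
    result["fixed_login"] = fixed.login(long_pw[:MAX_LEN])
    return result

if __name__ == "__main__":
    print(demo())
```

On the buggy site the user's real password is rejected while its 12-character prefix is accepted, which from the outside looks exactly like a correct password being called wrong.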

I have never encountered this situation, either. If my password is wrong, it’s because I have changed it on another device and forgot to update it. Or my account has been hacked (which has happened, as well.) But to randomly stop working one day? Can’t think of a time that’s ever happened.

I had a site where my password worked on my laptop, but not my phone. I figured out the problem was the mobile site was placing a space before my cursor’s location. So, I could enter my password and it worked as long as I entered a backspace first.

I disagree. If I were trying to guess a 4-digit password, I would guess, in order: 1234, 0000, 1111, 2222, 3333, 4444, 5555, 6666, 7777, 8888, and 9999.

Since your PIN would be my third guess, I don’t think your PIN is providing much protection if you do ever happen to lose your debit card, or if it were to be stolen.

And yet it is easy to remember and quick to enter.

Same here. It tells me every time that my password or user name are incorrect when they are not. I just hit the log in button again and it goes to the next step which is when it texts me a number to enter.

It’s been a few years, but in the early days of ecommerce I had something sorta similar occur with several sites on several occasions.

Company X had an e-commerce site. I set up a username and password, log in and buy something. Fast forward 2 or 3 years. I go to log in again to buy something and lo and behold they have a completely new e-commerce website at the same url. Maybe I remember what the old one looked like and maybe I don’t. Need to re-establish my login & PW.

To them, the fact they’d changed their website 18 or 24 months ago was old news, so no mention of that on their public home page nor on their login process pages. To me, who hadn’t been back there since my last purchase, this was new news.

As someone else who uses a password manager, I have seen it. I don’t remember the site, but when LastPass populated the previously-working password, it said it was wrong.

I have a hypothesis on why that might be; if they had a data breach in which password information was stolen*, assigning new, random-string passwords to all accounts would be a sensible way to contain the issue and prevent someone using the stolen data to impersonate customers.
*A well-designed system does not store the actual plain text passwords in the database, only their hashed/encrypted version, so they wouldn’t be there to be stolen, but not all systems are well-designed.

Be careful. Look at the URL carefully. A common type of attack is to put up a fake login form that looks like the real site, and when you enter your name/password it will tell you the password is wrong, then forward you to the real site so the next attempt works, and you have no idea your password was just harvested by a 3rd party.

I use a password manager. Last year, I was unable to log in to a credit card website. It turned out to be a glitch at the site that seems to have affected only me, and they had to reset my entire account, including all of my security questions and answers. A one off event, I suppose.

Most of my accounts do not require periodic password resets, but a couple do. Just today I reset one of these passwords, and at this site when you enter a new password it tells you if you have any errors in meeting the password requirements. In this case, it kept giving me an error on an invalid character, and I couldn’t determine which one it was. The requirement, as stated on the site, was to use at least one special character (@#$_&*:!?). And it looked like I did. Turns out that the website was using the round brackets ( ) as parentheses, and not as an example of a special character. Which is frustrating, as most sites consider ( and ) to be perfectly cromulent special characters.

Some websites? Sure, I can buy that. For any given damnfool thing you can think of, there’s probably some site or another out there somewhere that’s doing it.

But if it does happen, by far the more likely explanation is that some idiot screwed up something on the site, not that they’re doing it deliberately.

@Dag_Otto, I can top that. There was a system I was creating an account on, and it kept on telling me “Your password does not meet our length and/or complexity requirements”. And so I kept on making it longer and more complex, and kept getting the same message. Finally I gave up and hit the button for it to generate a password automatically. It turns out that the “length and complexity requirements” consisted of “Must be exactly seven lower-case letters and one numeral”.

Ah, the old “password must be ‘p@$$w0rd’” error.

And easy to guess. :astonished: