My opinion: Some websites say your password is wrong when its not

It happened to me two days ago. My computer was rebooted overnight (presumably MS installing some bug fix). This happens frequently, every month or so. But when I reconnected to my email account it suddenly asked for my password. This has never happened before. There is a stored password and it is generally automatic. So I looked up the password and entered it. They asked three questions, one of which I apparently got wrong. Then they offered to call my phone, which they did and they called and had me push the # key on the phone. Then they asked me for my Authy code, so I loaded it, ran it, got the code and entered it. Finally, they asked for a new password. I entered the old one. They said it did not fit their requirements (which they didn’t divulge, leaving me guessing). My old pw had the form NCXxxxxxN where N was a numeral, C a non-alphanumeric char and the X’s upper and lower case characters. When I changed it to NCXxxxxxNC (just added a character, they were happy. Who knew what they wanted. I think they just wanted a new pw that fit their requirements.

For my PIN, I know this is bad practice, but what are you supposed to do. About 40 years ago I got my very first bancomat card and they assigned a PIN. It happened to be of the form abcd where my daughter’s mailbox number at college was cdab, which I had memorized. I have been using abcd ever since. Except for my garage door opener which was 1828, a string any mathematician will recognize.

Sorry I got pulled away on something yesterday and could not respond. I would have guessed this would be a more common experience due to all the memes.

Maybe it is just me being stupid and screwing it up.

I do remember having to create a password for a government account once and it stated explicitly that it must be EXACTLY 12 characters long. I thought that seemed stupid. That narrows down the possibilities for the hackers.

A string any base 10 mathematician would recognize.

Any password is going to have some maximum possible length, just because it’s a lot easier to deal with a fixed-length field than an arbitrary-length one. It seems that that one’s maximum length was 12 (though admittedly, a maximum that short isn’t best practices). Given that limitation (which the current crop of techies might not be able to easily fix), security is maximized by requiring all 12 of those characters be used.

I didn’t read the whole thread.

Sometimes if you accidentally put a space at the end of the password you enter, you’ll get the “wrong password” message. The space is considered a character for purposes of authentication. I encountered that problem just this morning.

Or could it be a spelling issue? :face_with_monocle:

I’m convinced that my computer sometimes has Mitch McConnell-like mini freeze-ups, and when it comes back to life, the letters I have been typing are all scrambled, particularly in Chrome. I type all day everyday and can’t possible get that many characters out of order that badly.

'im srue yure rghit; nbody cuold maek taht namy tpoys.

I came here to say this…

Yet another advantage to using a password vault app.

It will recognize that a lookalike site is the wrong url and not offer e.g. your bank’s password at what looks like, but is not really, your bank’s site.

You can still pull your password out of your vault manually & paste it into the form, but any time your vault isn’t offering the PW you think it should be, that is a big caution flag to stop and confirm that you’re not the confused one rather than it.

mes it’ll take big chunks of text and move them around wholesale. Definitely not just typos. Yeah, someti

You have to really go out of your way and/or do really stupid, insecure things to create a password length limit as short as 12 characters. Systems should only be storing password hashes, which are fixed-length values derived from the password using a one-way function that can’t be reversed. They’re perfectly suited for storing in fixed-size database fields, as the output length is always the same regardless of the input length.

At some point, though, you need to have a text field, before it gets fed into the hash function (even if the hashing happens fairly soon in the process, as it should), and that pre-hash text field will probably still have some maximum length.

I have been told that my password needs changed. I do it, aggravating as it is, if only bc I know that it is a good thing to change passwords. I have been just using the ones that the entity suggests, which is usually a complex compilation of all kinds of symbols, etc… My computers, etc, will save it for me. I keep a little book of passwords, and I can verify that what you say – that the password is correct, but they say it isn’t - is probably quite true. And of course they always want you to change it at the worst possible time, ugh.

True. But a lot of us fogeys are talking about passwords as done on mainframes in the 1980s. Not as done on websites in 2023. Short password length limits, no special characters, heck, often no lowercase characters, and the PW stored as plain text were 100% normal back in the day.

Of course those systems weren’t connected to the outside world,

I do it because I have to, but it’s as aggravating as it is because I know that it’s not a good thing to change passwords.

Some of them go perhaps a bit too far. I recently registered for a site that had a minimum length of 16 characters. And, weirdly, a maximum of 26. Not that my password manager had a problem with it, but I wonder about everyone not using one.

Yeah. Pretty much all password requirements are wack these days, and especially on e-commerce and similar sites. I can understand a business not wanting it’s employees having “password” as their password into compnay systems. But for customers? Who really cares or should care?

I can see a length upper limit just to avoid fuzzing attacks with 256KB password strings. But that upper limit ought to be ~100 chars, not 8 or 12 or even 26. Even then, since all client-side scripting can be easily defeated, your server-side firewalls and code still needs to deal with anything coming in from the outside world, even a multi-GB string purporting to be a password.

Because I use a password manager (1Password, which I highly recommend), my login procedure is to simply copy/paste from that app. There’s no typing involved, so when I get a password wrong, it’s because the website rejected it. And I have indeed seen cases where websites reject a previously good password with no reason given. Definitely it’s not routine, but I know I’ve seen it happen more than once.

Because no reason is given, we could infer pretty much anything. Perhaps they changed the hashing algorithm so that good passwords appear bad. Perhaps they had a security incident and simply blanked all the passwords without making public comment. Perhaps there was a glitch. In all those situations, there’s a cost to the company admitting “we screwed up”, and there’s a cost in preserving good passwords, but there’s no cost in blaming the customer for forgetting their password, so they go with the latter.

However for anyone whose habit is typing their passwords in, almost certainly you’re making unseen typos a lot more often than you think. Many websites now have a little “view password” or eye icon where you can reveal what you typed. Try that next time you’re sure the website got it wrong.

Even though the consequences of a stolen password fall mainly on the users, there is a greater burden on the owner of the website itself. A compromised customer will at least call tech support and yell at them for a while, or they may lose enough faith in the company to cancel service. Both of those outcomes have non-trivial costs, both in money and loss of trust. A password complexity policy is negligible compared to those outcomes.

There’s research that shows that overly-complex password rules can weaken security. People cope with that by coming up with common tricks like putting a birthdate in the middle of a common string, or using the site name with a commen set of special characters, or by writing the passwords down where they can be stolen.

Or they simply forget and request constant password resets, and the flood of password reset requests becomes a security risk.

I wanted to ask why changing passwords often was a hazard, and this comment answered it. I don’t really change passwords often, but I had heard keeping the same password forever is a problem. I try not to use personal info, like birthdates, etc. when creating a password. I do have a password generator, and will use it. My computer saves the info, but maybe that isn’t safe?

The problem with this, I suspect, is a lot of people who say, “I don’t care about password security for this website,” will, if their account is compromised, still complain to the company and expect a solution. A little enforced password security at the start likely prevents a lot of customer service headaches down the line.