by BenjiWiebe 635 days ago
I had one today that said my password must be between 6 and 20 characters. I had entered a generated 16 character password.

Generated another 16 character password, alphanumeric-only this time, and it worked.

If you're going to have forbidden characters, MAKE SURE YOU TELL ME WHAT THEY ARE!!!

4 comments

The funniest password requirement I've seen was "must include a special character" but the special character selection was limited to #!$& and of course attackers know this requirement too. Combined with most people putting it at the end, that gives a little over 2 bits of entropy...
When I was creating a password for online banking, it required me to include at least one special char - but apparently they didn't consider the dollar sign ($) a valid character...
The good ol’ “Tell me you store passwords as plaintext without telling me you store passwords as plaintext”

The other message I get from sites like this is, “Our developers have no idea how to escape SQL parameters even though this has been standard since the 90s [80s? 70s?!] so we just do “‘“ + password + “‘“ “

Wait till you meet websites that simply truncate your password at 32 or 16 characters without telling you, leaving you to figure out why you cannot log in with the password you set just a minute ago ... and what that says about how they store passwords. Either they are complete idiots and do not understand what hashing will do, or they are even bigger idiots and store passwords in plain text in their database, so that the length matters this much.
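An added example, not code from the thread, of what the complaints about unexplained forbidden characters and silent truncation amount to on the server side: a validator that names every forbidden character it found, and a salted PBKDF2 hash that consumes the whole password so there is nothing to cap at 16 or 32 characters. The policy values, the forbidden set and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed policy values (assumptions for this example, not any site's rules).
MIN_CHARS = 12
MAX_BYTES = 256  # bound the KDF input generously instead of truncating silently
FORBIDDEN = {" ", "\t", "\n"}  # the only characters this example refuses


def validate_password(password: str) -> list:
    """Return human-readable problems; an empty list means accepted.

    Each failure names the exact rule that tripped, including which forbidden
    characters were present, so the user is told why instead of guessing.
    """
    problems = []
    # NFC so the same visible text typed via different input methods
    # (composed vs. decomposed accents) is treated identically.
    normalized = unicodedata.normalize("NFC", password)
    if len(normalized) < MIN_CHARS:
        problems.append(f"must be at least {MIN_CHARS} characters")
    if len(normalized.encode("utf-8")) > MAX_BYTES:
        problems.append(f"must be at most {MAX_BYTES} bytes of UTF-8")
    bad = sorted(set(normalized) & FORBIDDEN)
    if bad:
        names = ", ".join(unicodedata.name(c, repr(c)) for c in bad)
        problems.append(f"contains forbidden characters: {names}")
    return problems


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """PBKDF2-HMAC-SHA256 over the whole normalised UTF-8 password.

    A salted KDF takes input of any length and returns a fixed-size digest,
    so a 16- or 32-character cap is never required by the hashing step.
    """
    salt = salt or os.urandom(16)
    data = unicodedata.normalize("NFC", password).encode("utf-8")
    return salt, hashlib.pbkdf2_hmac("sha256", data, salt, 600_000)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against the stored salt and digest."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)
```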
My default PW gen rule is only alphanumerics, far too many websites have issues with special characters. It’s also 24 in length because that tends to fit most, while 32 gives me frequent errors.
I also encountered a discrepancy between different input methods: AIUI the browser can encode the password in HTML or something like that, so punctuation characters can be mangled.
Do you know how long Unicode is? That's going to be a very looong list (on some sites)!

https://symbl.cc/en/unicode-table/

Just scrooooool...