by anal_reactor 236 days ago
My insurance company has different frontend password regex on registration page and on login page. My password passed the registration regex but fails the login regex. In order to log in, I need to manually remove the frontend-side password regex check.
3 comments
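The registration/login mismatch the post describes, shown as an added example that is not code from the thread: two hand-written frontend regexes that drifted apart, beside a single shared policy that both forms call. The regexes, the policy limits and all sample passwords are constructed for illustration.

```python
import re
import unicodedata

# Constructed: the "drifted" state. Registration allows any character, 8-64 long;
# the login form was written separately and only allows ASCII, at most 16 long.
REGISTRATION_RE = re.compile(r"^.{8,64}$")
LOGIN_RE = re.compile(r"^[A-Za-z0-9!@#$%^&*()_+=-]{8,16}$")

def passes_drifted_frontend(password):
    """Return (registration_ok, login_ok) under the two mismatched checks."""
    return (REGISTRATION_RE.fullmatch(password) is not None,
            LOGIN_RE.fullmatch(password) is not None)

# Fixed: one policy object, one normalization step, used by every form.
class PasswordPolicy:
    def __init__(self, min_len=8, max_len=64):
        self.min_len = min_len
        self.max_len = max_len

    def normalize(self, password):
        # NFC so the same visible string typed on different platforms compares
        # equal at registration and at login (e.g. "e" + combining acute -> "é").
        return unicodedata.normalize("NFC", password)

    def check(self, password):
        p = self.normalize(password)
        n = len(p)  # count code points, not UTF-8 bytes: a byte cap silently
                    # penalizes non-ASCII passwords like the one in the thread
        if n < self.min_len:
            return False, f"shorter than {self.min_len} characters"
        if n > self.max_len:
            return False, f"longer than {self.max_len} characters"
        # No character-class restriction: anything the user can type is allowed.
        return True, "ok"

POLICY = PasswordPolicy()

def register(password):
    return POLICY.check(password)[0]

def login(password):
    return POLICY.check(password)[0]  # identical rule by construction
```

Whatever passes `register` also passes `login`, because both call the same `check`; the drifted pair only agrees for short ASCII passwords.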

This absolutely boggles my mind. My last insurance company let me create a 20 character PW but limited the password field on the login screen to 16 chars. I didn't think to futz around with the code so I just recreated a less secure password. I suspect many other less technical people either did that too or just called support.

There is zero excuse for that though. 16 chars is just way too short for a proper secure pass phrase, but at least make it consistent with password creation!

Ever since I started using a password manager (a long time ago), I have encountered SO MANY password bugs. But one of the most frustrating issues is when a website asks you to create a password, but does not tell you what length or characters are accepted. So you have to dumb down Keepass incrementally until it passes. A tedious game.

If your software doesn't accept this password, please change career immediately:

ú¨<¹7®fÍå0Á1n:1}Àº»ê:t]íw´¾ã\B²¸Æþ®M3_ø>$¼ÿa÷mH¦ñ%?6ñE$l#DhqI£«{'Ø"V^c4u

Variant of this I've hit is the phone number validation rules at signup differ from the actual API call to send 2FA texts (or were changed between the time of original signup and login attempt), so I create an account successfully with a Google Voice number and then when I actually need to receive 2FA the message goes into the aether with no error surfaced at any point.
> Variant of this I've hit is the phone number validation rules at signup differ from the actual API call to send 2FA texts

Yeah, this is incredibly annoying, though to be fair, this can be a hard problem to solve. 3rd-party systems often don't tell you what their exact phone number validation rules are or silently update them, and then, to top it off, don't throw errors when validation fails. And more often than not, the 3rd-party system's developers also must have never heard of the Falsehoods programmers believe about phone numbers[0].

Source: I was responsible for adjusting phone number validation for a major ecommerce site in the past.

[0]: https://chromium.googlesource.com/external/libphonenumber/+/...