Brute force protection
this post was submitted on 13 Mar 2024
994 points (96.9% liked)
Memes
44907 readers
2774 users here now
Rules:
- Be civil and nice.
- Try not to excessively repost, as a rule of thumb, wait at least 2 months to do it if you have to.
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
It's not quite complete without code on the password reset page to tell you that you can't reuse your password.
And label the text box "username" when it only accepts email address.
Don't forget to have hidden password requirements and secretly truncate any password longer than 12 characters.
Well yeah, if you don’t truncate the password to 12 chars how will you fit the plaintext in a memory efficient fixed latin1 CHAR column that only accepts letters, numbers, and underscores
/s
Battle.net used to not be case-sensitive for passwords, back in like the pre-wow era.
Intresting. At least they got their act together, even making a physical totp authenticator in the 2000s.
And then validate the email with a custom regex that definitely doesn’t account for all the valid syntax permutations defined by the several email-oriented RFCs
Only on mobile though, on desktop have different criteria. Perhaps give the text box an arbitrary max length of like 30 characters on sign-in but not on account creation.
You guys are evil - who shat on your pillow??
Hearsay
**Allegedly
I've had that before and I'm very confident the password was correct - my theory is that they'd changed how non-ASCII characters like £ were handled and their code only half recognised my password.
I never got that rule. Surely it is less secure to keep records of historical passwords than to let someone rotate between !!!! And #### etc
Hopefully they're not sitting the old passwords in plain text and just have the hashes.