Not really a requirement, but my WiFi router has the admin password written on it as usual, but when you enter it and click ok, the password field fills up with characters and login doesn't work. What has to be done instead, is you have to click forgot password, enter the same password you just got denied with, and after changing it (to the same password) it just boots you into admin mode. You don't even have to confirm tour identity.
this post was submitted on 09 Jan 2025
64 points (97.1% liked)
Ask Lemmy
27391 readers
1289 users here now
A Fediverse community for open-ended, thought provoking questions
Rules: (interactive)
1) Be nice and; have fun
Doxxing, trolling, sealioning, racism, and toxicity are not welcomed in AskLemmy. Remember what your mother said: if you can't say something nice, don't say anything at all. In addition, the site-wide Lemmy.world terms of service also apply here. Please familiarize yourself with them
2) All posts must end with a '?'
This is sort of like Jeopardy. Please phrase all post titles in the form of a proper question ending with ?
3) No spam
Please do not flood the community with nonsense. Actual suspected spammers will be banned on site. No astroturfing.
4) NSFW is okay, within reason
Just remember to tag posts with either a content warning or a [NSFW] tag. Overtly sexual posts are not allowed, please direct them to either [email protected] or [email protected].
NSFW comments should be restricted to posts tagged [NSFW].
5) This is not a support community.
It is not a place for 'how do I?', type questions.
If you have any questions regarding the site itself or would like to report a community, please direct them to Lemmy.world Support or email [email protected]. For other questions check our partnered communities list, or use the search function.
6) No US Politics.
Please don't post about current US Politics. If you need to do this, try [email protected] or [email protected]
Reminder: The terms of service apply here too.
Partnered Communities:
Logo design credit goes to: tubbadu
founded 2 years ago
MODERATORS
My community colleges:
Passwords must be 12 characters long, contain at least one uppercase letter, one lowercase letter, a number, and a special character; it must also be changed every 30 days. There was also some sort of alogarithm that checked if your new password is too similar to any previous password you had used, and rejected it if it was too close.
Hilariously, if you had a link to the page the password was supposed to limit access to, you could bypass the password page entirely. As such, I never changed my password.
A company I used to work for is big enough that everyone reading this has heard of it. They had this wonderful security nightmare going on:
When you were hired, the company would issue your user credential with a standard password that was "CompanyName1" and require you to immediately change it at first logon. Everyone knew this password because everyone got it when they were hired.
Password policy required everyone to reset their password every 60 days. Not the worst ever but still pretty aggressive. And with the rise of all the mobile devices connecting with your corp account it was getting to be a worse and worse experience.
Can you guess yet how these two policies are linked in my story?
Well, some of the C-Suite executives didn't have time for any of these security shenanigans. So they would have their executive support person log into an administrative console and reset the exec's password every 59 days to the same value that it currently had, thereby bypassing the password re-use filter.
That value they were continuously setting was... "CompanyName1"
I know of at least two executives that were doing this while I worked there.
When I was in middle and high school the school district would always do this at the beginning of the school year.
One year my best friend moved away so in the following years I discovered his account still existed. If I was in the mood to hack (dumb stuff like forging email with their horrible SMTP server for example) I’d just find another computer I wasn’t just using and log in using the default password.
Extremely limited password length. I think it was around 6 or 8 characters. Exactly! So every password was the same length.
No other requirements. The best part? It was a bank. But not a customer facing service.
My bank had a limit of six characters, for the customer facing login. Oops.
Westpac?
Yes 🤭
Haha knew it. Redic parameters
Not sure but I think Schwab did it too.
load more comments
(1 replies)
12 characters, upper/lower/special requirement, and no more than two occurrences of the same character together. That's FedEx.
Two other thoughts on the topic:
- Websites/apps/etc should always list their password requirements on the login page to make it easier to determine what password you used for the site in question.
- There are plenty of websites where I literally log in only by using the "forgot password" flow because their password requirements are so ridiculous.
Any service that says I must have a 12 or 14 string password, combined with symbols, numbers and letters.
Do you know why, I have to keep resetting my password, services that have this dumb requirement? Because your fucking requirements are absurd and unnecessary. I don't have the mental capacity to care to remember that long of a password. I have to have a document now of all of the passwords I have so it's not forgotten. I have to have browsers autofill for me because of this shit.
In a perfect world, 6 - 8 string passwords would suffice and lots of emphasis on symbols and numbers at the very least. The longer you try making the characters of a password, the chances of forgetting increases.
Flickr does this. Some of the portals to my apartment portal does this. Portals to some of my medical information does this. It's fucking bullshit. StateFarm does this too.
load more comments
(4 replies)
"Password must contain letters numbers, and at least one of these special characters."
Turns out, half of those special characters weren't allowed 🫠
Facebook got caught having a flat text file being send around between employees to make accessing data easier. That text file contained tens of thousands of peoples username and password.
Why? Facebook being facebook I guess
Most absurd was from a job I had in college. This was the password to log into an ancient dumb terminal (literally a monochrome black and green display) on a local-only network that only handled our time clock.
Requirements:
- 8 characters exactly
- You supply the first 4, the system generated the last 4
- I can't remember if it allowed numbers, but there were definitely no special characters and I think it was also case-insensitive
Required to change password every 30 days.
It happens a bit too often that I make an account somewhere with a long, generated password and then when I log in it throws errors at me.
But a few times a website didn't just show me an error, I got the whole crash dump including their encryption approach and versioning
[offtopic?]
Debbie's password is "PlutoGoofyMickeyMinnieDaffyBugsThorLosAngles"
She was told that the password needed seven characters and a capital.
Except Sacramento is the capital of California, Debbie gonna struggle
Los Angeles is considered the Movie Capital of the World.
Checkmate, liberal!
Nope, that's Hollywood! Checkmate, sovcit!
Well, they certainly managed to get her to make a strong password.
What a strange choice to have 6 cartoon characters and a Norse god.
/c/dadjokes is over there ->
The most funny one was a professional and rather costly password checking tool.
Besides the usual other rules, it had a rule that the new pw must not be similar to the old one. For similarity, this thing checked each character in it's place.
So you could have the old one:
"MyAssMy$1" and the new one:
"$1MyAssMy" and it was not similar at all :)
thats a fun example and and all, but what situation does "MyAssMy$1" arise from? 😳
From the situation where you suddenly need to make up an example for a lemmy post.
Anything that requires regular password resets. It's fine if it's changed on the site and in the user's vault automatically, but if a user has to type in their password with any sort of regularity, it's a recipe for disaster to require regular changes.
People write predictable or formulaic passwords, or just end up resetting their password more often than necessary because they forgot it (making them more susceptible to phishing).
There was an episode of Elementary where they were able to find the victims password on a post-it note, because the company requires a new password every month and he didn't want to remember a new one that often.
Very common
It's the worst when they do that and have difficult restrictions on passwords.
One place I worked at had limits like "no more than two letters back-to-back", "no more than two numbers back-to-back and no sequential numbers".
The rules were available on the password reset screen.
The minimum was only something like 8 characters, so I have to wonder how many people had a1b2c3d? for a password.
Feed those rules to a password cracker and it'd be able to get in easily.
To their credit, I think they did support passwords that were maybe 64 characters long. But after they introduced those weird requirements (probably because some VIPs had stupid passwords like their names + birth year?), I just started hitting the character minimum because I'd have to manually type it in at least once.
I memorized a handful of randomly generated passwords in high school (around 2005) and never looked back.
These days I use a password manager, but for semi-low security stuff (on my LAN) I use one, for my Apple account a long combination of three. And that’s it! The password manager is where it’s at.
Just one of my passwords was leaked in data breach (from back when I was younger and recycled passwords) so that one’s out, but otherwise I’m doing pretty well with the memorized randomly generated passwords.
I've encountered a few sites that restricted repeating or sequential characters. Of course told after failing the first creation attempt. Makes things like randomly generated passphrases fun to figure out. Particularly when their idea of "sequential" involves both in alpha/numerical order, but also adjacent spacing on the (assumed?) qwerty keyboard!
Anyone remember the Password Game?
I personally hate character limits. I understand minimum character count, but I can't have more than 15 characters? Bruh
I needed to get a certificate for digitally submitting my taxes. This, of course, requires me to set a password for it. The tax office' web site lists a number of requirements and rejects any password that does not match those (so it said). So far, so good, the usual stuff, lower and upper case, numbers, special characters, minimum lenght. No surprises there.
For one of the "special characters" I used "ö" (umlaut o), which is a normal character in my language (which is the same as the tax offices, so they should be aware of those). The web site filter happily accepted this password containing the "ö". But the back engine got a severe case of digital diarrhea from it. I had to clear my caches and cookies to completely re-starting the application process.
Another password SNAFU I had many years ago in a place using TN3270 terminals. To those who have never seen such a thing, it is a so-called "smart terminal". It does not send and receive single characters like a telnet or SSH session, but the host sends a mask to the terminal, defining fields that can be filled out, and with a "send" or "function" key (IIRC) you could send the data back. Those fields had fixed lengths, of course. You might guess the problem...
So the login screen had two fields of eight characters each: "Username" and "Password". I entered the credentials I have been given and sent them. The first thing I did was to select "change password". It opened a form with three fields: "old password", "new password", and "repeat new password". Nothing odd about that, but the fields had twelve characters. So, not knowing the particulars of that system (I was used to UNIX style terminals back then), I entered a new password that was longer than eight characters. Guess what? I logged out, I tried to log in, I was stuck. I had to ask my admin to reset my password. And had found the first of many, many bugs in that system.
There is such a thing as good unhinged?
I'm going to need an example here...
The most basic rules commonly required everywhere. When you have such specific rules, it ironically actually makes finding the password through brute force easier because you can eliminate a bunch of variables that could have existed without all the rules. I can eliminate any permutation under 8 characters, doesn't contain a number, and doesn't contain a special character.
It will still possibly take a billion years to guess, but it could have been two billion without the rules.
Of course, I also find it wild that the metric for how good an encryption or password system is, is just how long it would take to guess every possible combination of input it could be, sequentially. It doesn't account for a brute force attempt that just selects random inputs. It could take until the heat death of the universe... It could take 3 seconds. It's up to chance at that point. Not to mention all the easier ways of getting a password. Like gaslighting the person who knows it into giving it up.
It's something like the second law of Thermodynamics. It's probability, not absolute. It's possible all the gas molecules in the room arrange themselves one corner, but it's fantastically unlikely. It's possible to choose the right encryption key to a 256-bit cipher at random the first time, but it's fantastically unlikely.