There's a special hell for sites which have password requirements that are like 16 letters, one or more numbers, upper case and lowercase, at least one special character, and we disabled pasting/password managers
I don't have my bent-pipe keyboard here and I'm too lazy to recode it, so I just did:
$ sleep 5 && xdotool type "Ez>PzCN,[Q@k}ktFfO3A"
nevermind. I'm not giving them my home address to get a datasheet
@foone nothing wrong with good ol' 123 Fake Street
@techokami @foone Be careful of Knifey Wifey who lives there, however.

@foone
Use this address:

1060 West Addison Street
Chicago, Illinois 60613

@bruce @foone Haha, you stole my reference 🤣
@bruce is that matt walsh's address or am i horribly mistaken
@foone Doesn’t everyone just put in 1600 Pennsylvania Ave in Washington DC anyway?
@foone Their own address usually is sufficient...
@foone $DEITY bless xdotool.
@foone wow that's a special kind of evil.
@foone there is this extension for solving the password manager issue at least: "don't fuck with paste"
@foone I like that some pwd managers have an auto type function to remove this issue
@foone "There's a special hell for sites" correct
@foone LOL, my work just changed our network somehow. IS does this shit, never tells anyone and then it only seems to affect a handful of machines at any one time. Anyway, I had to create a "pin" for a machine I rarely work on. The "pin" had to be at least 10 characters and I could use letters and symbols, no spaces? I was like, well, that's not a pin, is it? That's a whole-ass password.
@foone I remember a SAML provider whose password change feature didn't allow "us" in my password because it was found in my user record (country code I'm guessing)
The Password Game

Please choose a password

@astro @foone Ah damn, I wanted to post that. 😄
@foone don't forget that certain special characters are prohibited but which ones is a secret
@foone @xris Ha, I've got to use one of those apps for work. Literally impossible to log in.
@foone AND the upper case and number cannot be the first or last letter... 🥴
@foone my favorite is how many of them choke when you start them with a bang. Try it!
@foone No, but there really should be. Which reminds me - why do some things require 15 digits for an account number, when the number of beings counted by all possible combinations is earth x a huge number?

@foone honestly i think that we really gotta start just making it the norm to have spaces in passwords so that people can make easily rememberable sentences that are a pain to brute force

That way, one doesn’t need to put all their trust in a password manager, while still having unique, secure, and usable passwords

@thetacola @foone we should do that, but we’d each still have to use a different password for every site, and that’s way too many to keep memorized
@foone oh what’s that, you want to enter a password? Here, let’s pop up a virtual keyboard so you can do character entry with your mouse.
@foone disabling pasting is really annoying (and counterproductive), but I still have a special place in some organ or another for the site that told me my mother's maiden name had to be more than four characters...
@foone a few years back NIST published a password guide that is admissible in court. If you can't use a password program to both generate and paste the password it is insecure. Just set an obvious password and the judge will be forced to rule it is their fault if your account is hacked.
@foone my fav is one that had a maximum password length of like 12 characters.

@foone It's a bright red flag, and time to leave.

It's a proclamation they know almost nothing of actual value about password security. If they can't get the public-facing systems right, what are the chances they're properly securing anything you can't see?

@foone Why... Would anyone even do this. It's even worse than forcing people to change their passwords every 3 months with no reason. This is how you get people to use p@ss0Rd12345678, including people who know better.

@foone
Also i have a few times seen another UI failure of hell

You type

-yourusername
<TAB>
-yourpassword
<ENTER>

and it opens the "i lost my password" site as default action, the actual login is not a Form-post but a separate button below

@foone and you're forced to change it every 3 months
@foone Royal Mail's "business" login was like this. 8 attempts it took me to create a new, valid password.
@foone blocking copy-paste does not improve security at all.
@foone oh god, yes. Also a shoutout to the website that wouldn’t tell me the password requirements, but would tell me that I didn’t meet them, and also didn’t allow special characters.
@brandon @foone
I ran into this very thing recently. Chain restaurant where I was trying to order ahead using their app. Password reset instructions on the app & on the website didn’t agree. The one that was actually correct was not explained until after failure.

@foone @briankrebs

I find the best approach is to reset my password every time I need to access such sites.

@foone then you move away from it and if possible tell them why
@foone @jgamet Even worse are the ones who don’t tell you the requirements up front.
@foone that's what right-click → Inspect (Q) is for. However that's not a solution that'd scale anywhere close to the meaningful fraction of the users. :/
@foone “at least one special character”
“ok”
“no not that one, that one is illegal”
“but you said—”
“a special character is required but it can only be one of five we have randomly selected, the rest are prohibited”
“are you going to tell me which special characters are acceptable?”
“no”
@foone extra super bonus for apps that also disable the system keyboard and force you to use their own, randomised keyboard to enter your password (in addition to all the winning conditions that you described) 🤢 #banking #Chinatrust....
@foone and oh how much I also love captchas on login pages (my ISP supplied router's LAN login for example ffs)... Way too popular this side of the earth. I guess I'd need to evangelize rate limiting...
@foone At least one special character but not any of THOSE special characters (and we won't tell you which are which).