@beyondmachines1 "We require full ASCII password with at least 16 characters"
Blocks pasting of passwords. Dafuck? You know who actually does this shit? VMware. I wanted to create an account and they didn't allow me to paste a goddamn super complex password into their stupid form. ?!
@beyondmachines1 And limiting password lengths and complexity (limited list of allowed special chars) as well.
Some even
- suddenly started to not recognize complex passwords that had been valid in the past
- still allow such complex passwords when defining a password BUT not in the actual authentication form… leaving you with an "invalid" password 🤡
- limit your ability to reset your password (only once every x hours) AND don't provide a list of special characters they consider "valid". 😠
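Added example, not code from anyone in this thread: what the complaints above look like in code, and what the alternative is. The first rule is a hypothetical "legacy" regex of the whitelist-plus-16-character-cap kind; the policy that follows applies NIST SP 800-63B (length is what matters, no composition rules or character whitelists, any printable character including spaces and Unicode, a cap of at least 64), and it is a single object so the sign-up form, the change-password form and the login handler cannot drift apart. The NFKC canonicalisation step is also applied on both sides, since normalising or trimming at one endpoint but not the other is one well-known way a password that was accepted yesterday becomes "invalid" today. Policy numbers and function names are this example's own choices.

```javascript
// Added example, not code from the thread. Password policy per NIST SP 800-63B,
// contrasted with a whitelist-style regex of the kind the thread complains about.

// Hypothetical "legacy" rule: limited set of allowed special characters and a
// 16-character cap. Illustration only; not any vendor's actual rule.
const LEGACY_PASSWORD_RE = /^[A-Za-z0-9!@#$%&*]{8,16}$/;
function legacyCheck(pw) {
  return LEGACY_PASSWORD_RE.test(pw);
}

// Single source of truth: the same frozen object must be used by the sign-up
// form, the change-password form and the login handler.
const PASSWORD_POLICY = Object.freeze({ minLength: 12, maxLength: 128 });

// Same canonical form everywhere. Applying NFKC (or trimming) at sign-up but
// not at login is one way a stored password stops matching.
function canonicalize(pw) {
  return pw.normalize('NFKC');
}

// Count code points, not UTF-16 code units, so an emoji or a CJK character
// counts as one character rather than two.
function codePointLength(s) {
  return Array.from(s).length;
}

function checkPassword(pw, policy = PASSWORD_POLICY) {
  if (typeof pw !== 'string') return { ok: false, reason: 'not a string' };
  const canon = canonicalize(pw);
  const n = codePointLength(canon);
  if (n < policy.minLength) {
    return { ok: false, reason: `fewer than ${policy.minLength} characters` };
  }
  if (n > policy.maxLength) {
    return { ok: false, reason: `more than ${policy.maxLength} characters` };
  }
  // Only control characters are rejected; every printable character,
  // including space and anything non-ASCII, is allowed.
  if (/[\u0000-\u001F\u007F]/u.test(canon)) {
    return { ok: false, reason: 'control characters are not allowed' };
  }
  return { ok: true, canonical: canon };
}

// Login-side comparison on the canonical form, so what the password manager
// stored and what the login form receives are compared on equal terms.
// In real code, compare a salted KDF output (scrypt/Argon2) of `canonical`,
// never the plaintext; plaintext comparison is used here only to show the point.
function sameCredential(stored, typed) {
  return canonicalize(stored) === canonicalize(typed);
}
```

A passphrase like `correct horse battery staple, 2024 🔑` fails the legacy regex three times over (spaces, comma, too long) and passes the policy above; a 7-character password fails on length alone. Any cap you do keep should exist for hashing cost, not "security", and sit at 64 characters or more.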
@rejzor That's Brother for you. Limit is 16 chars. Or rather… micro$hit does. Since Brother uses M$ for authentication for their Europe/France e-shop (at least they did last year when I needed to order a black ink toner for my LED printer).
Because they limit passwords to 16 characters/depend on M$ servers, I stopped the account creation process in the middle and ordered the toner elsewhere 🖕
It takes special kind of stupid to depend on 3rd party servers for authentication…
@holzchopf That shit is actually frequent, from devs who think "users are stupid and don't know their email address so I make sure they provide the right one by forcing them to put it in 2 or even 3 different fields without the ability to paste". The same people use regex to "validate" emails 🤬
I just paste it into another field, then select/drag it into the email address field… Fuck 'em, I'm not going to waste time typing long email addresses 2-3 times just because of an asshole web dev…
@qgustavor Wait, what… They assumed you had a gmail address (or expected you to create one)??? What the hell…
> they use different validation schemes between sign-up and log-in.
I had a similar case recently, not exactly but close enough. I needed to manage an electricity contract fast without having to waste time in offices and take leave each time I need something; I'm still at work when they close and their office isn't exactly close, so I created an online account…
@qgustavor My main email account uses my full ID (first name and surname). Nope, invalid address. I first thought they discriminated based on the domain. So just for testing purposes, I tried replacing the actual domain with gmail dot com. Still invalid.
Then I tried another address, under a pseudonym, whose username is short. Still not gmail but it worked. My full ID is longer than the usual western names… Some moron decided to limit the left-hand part (username) length to something way too short…
1/2
The email RFC caps the username (local part) length at 64 octets, which is plenty…
But the electricity company implemented some stupid design accepting only much shorter usernames… If only web devs would stop using regex to "validate" usernames… There's no point in it, they still send validation links… There's no valid reason for stupid, DIY, random regexes based on stupid assumptions, based on what white people/westerners consider to be "a valid name"… 😠
But that only half of the joke […]
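Added example, not the electricity company's code or anyone's from this thread: a hypothetical regex of the kind that caps the local part far below the RFC limit, next to a syntax check that enforces only the RFC 5321 length limits (local part 64 octets, domain 255 octets, 254 for the whole address) plus the basic hostname rules for the domain. Lengths are counted in octets of the UTF-8 encoding, as the RFC does. The regex, function names and the "at least one dot in the domain" choice are this example's own assumptions; ownership of the mailbox is proven by the verification link, so the syntax check deliberately makes no guesses about what letters a name may contain.

```javascript
// Added example, not the site's code. RFC 5321 length limits instead of a
// hand-rolled regex for email "validation".

// Hypothetical naive regex: caps the local part at 10 characters and
// rejects dots and hyphens in it. Illustration only.
const NAIVE_EMAIL_RE = /^[A-Za-z0-9]{1,10}@[A-Za-z0-9-]+\.[A-Za-z]{2,4}$/;
function naiveEmailCheck(addr) {
  return NAIVE_EMAIL_RE.test(addr);
}

// RFC 5321 section 4.5.3.1: local part <= 64 octets, domain <= 255 octets,
// forward path <= 256 octets including the angle brackets, so 254 for the
// address itself. Octets, not characters: "josé" is 5 octets in UTF-8.
const LIMITS = Object.freeze({ localPart: 64, domain: 255, address: 254 });
const utf8 = new TextEncoder();
const octets = (s) => utf8.encode(s).length;

function checkEmailSyntax(addr) {
  if (typeof addr !== 'string') return { ok: false, reason: 'not a string' };
  const at = addr.lastIndexOf('@');
  if (at <= 0 || at === addr.length - 1) {
    return { ok: false, reason: 'needs local-part@domain' };
  }
  const local = addr.slice(0, at);
  const domain = addr.slice(at + 1);

  if (octets(addr) > LIMITS.address) return { ok: false, reason: 'address over 254 octets' };
  if (octets(local) > LIMITS.localPart) return { ok: false, reason: 'local part over 64 octets' };
  if (octets(domain) > LIMITS.domain) return { ok: false, reason: 'domain over 255 octets' };

  // Local part: dot-atom form only (quoted-string local parts are not handled).
  // No whitespace or control characters, no leading/trailing/double dots.
  // Everything else, including non-ASCII letters (RFC 6531), is accepted.
  if (/[\u0000-\u0020\u007F]/u.test(local)) {
    return { ok: false, reason: 'whitespace or control characters in local part' };
  }
  if (local.startsWith('.') || local.endsWith('.') || local.includes('..')) {
    return { ok: false, reason: 'misplaced dot in local part' };
  }

  // Domain: dot-separated labels, each 1..63 octets, no leading/trailing
  // hyphen, no whitespace. Requiring at least one dot is a practical choice
  // (no mailbox lives directly on a TLD), not an RFC requirement.
  const labels = domain.split('.');
  if (labels.length < 2) return { ok: false, reason: 'domain needs at least one dot' };
  for (const label of labels) {
    if (label.length === 0 || octets(label) > 63) {
      return { ok: false, reason: 'domain label empty or over 63 octets' };
    }
    if (label.startsWith('-') || label.endsWith('-') || /[\s\u0000-\u001F\u007F]/u.test(label)) {
      return { ok: false, reason: 'bad domain label' };
    }
  }
  return { ok: true, local, domain };
}
```

The address `jean-baptiste.dupont-dubois@example.fr` is rejected by the naive regex and accepted by the length-based check; a 64-octet local part is accepted and a 65-octet one is not. Anything beyond this (does the domain exist, does the mailbox exist) belongs to the verification email, not to the form.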
@qgustavor Their system actually registered both my email addresses. Only the one with the shorter username allowed me to move to the next page and validate account creation. But I receive "news" which I never consented to, and other notifications, at both email addresses 🤡
The online account worked for some time, but I can't log in to it anymore. Not sure if that's because they changed the password validation scheme, since I can't even change the password due to their broken password update process […]
[…] My current password is not wrong. I can't have made a typo or misremembered it since it comes from a password manager… It just doesn't work
And in order to reset the password, they send an OTP by SMS to get access to the actual "update your password" page. Which is not a problem per se…
The thing is: I never receive their OTP.
Possible explanations are:
- They resort to SMS spamvertising to send their OTP. It could be one I opted out¹ of
- Although they claim to use SMS, they actually use google's RCS crap… My phone doesn't support that…
1. Although the law requires opt-in, in practice it's opt-out… Stupid companies collect phone numbers for valid reasons then misuse them for ad purposes without consent, although it's completely illegal in Europe… 😠 Some spamvertising companies honor opt-out until someone else gives them that phone number again. Some others simply ignore the opt-out "stop" SMS… I'm tired of this shit…
@qgustavor It's not so different. RCS still requires Internet connectivity and messages are stored on google's servers. While in theory, telephony service providers could host RCS servers, they won't bother. "google provides it for free and handles technical issues, right"…
They don't give a flying fuck about users privacy… Their websites are trackers-ridden already and full of dark patterns to limit users ability to protect themselves from advertising tracking…
Should be right there next to the guy who wants you to type a long password into a short field where each character turns into an asterisk when you type it.
Because .... dunno ... there's someone in a black hood hanging from a rope above my head??
@Epic_Null @number6 that's a weird risk reduction idea.
Have spyware on my computer, then make my computer less accessible to me so the spyware has a more difficult time.
🤔
@beyondmachines1 @number6 Does that also not technically describe any remote desktop software used for tech support?
But yeah... definitely a weird risk reduction situation.
@Epic_Null Pasting passwords in password fields (masked by default) and displaying passwords are two different things.
Preventing pasting passwords DOESN'T protect you from spyware taking screenshots… Copying passwords from a password manager doesn't imply displaying them.
On the contrary, preventing pasting passwords forces users to type them, and most likely, to display them in their password manager in order to type them. Thus exposing them to M$' screenshot-based malware…
@devnull @Epic_Null @beyondmachines1
You're saying that it protects people from some hypothetical edge case where malware is recording and sending screenshots off into the internet, but that the developer forgot to capture keystrokes or clipboard contents?
The reality is that hacks occur because people get fatigued having to put in unique, long complicated passwords. Oh, and if they get it wrong 3 times they get locked out of their own data.
Asterisks hinder good security practices.
I think that @Epic_Null was joking about very small password input fields where part of the password string would overflow and not be visible on the screen.
>> You're saying that it protects people from some hypothetical edge case where malware is recording and sending screenshots
No, I'm NOT. I said the exact opposite. That preventing pasting passwords DOESN'T protect from it.
Also, it's not "hypothetical"… I was answering someone who mentioned "recall", which is micro$oft bullshit "AI that finds data you might have accidentally deleted" which does EXACTLY that: Screenshots your screen every few seconds…
@number6 Asterisks prevent anyone next to you from knowing your password is crap… They don't "hinder good security practices"
I won't answer to the rest of your post about "why hacks happens".
Any "single/unique reason" that fits an easy narrative is total bullshit… Security is complicated
And the rest of your comment has nothing to do with my initial statement anyway. Also, I'm not interested in debating with someone claiming I said the exact opposite of what I said…
I'm tired of people acting as if M$ screenshot spyware BS and typical "AI" crap¹ weren't a problem "cause real malware can capture your keystrokes".
Thanks captain obvious, I know how computers work, it pays my bills… And keystrokes have nothing to do with M$ malware "recall"…
1. To refer to stupid and intrusive continuous screenshots + OCR based spyware, recording everything people do on M$ OSes with built-in malware…
@number6 People are not supposed to "put in unique, long complicated passwords" and complain about asterisks, which are not the problem
They're supposed to use local password managers, not "the cloud", not shitty DIY "encryption" in JS by random joe that you're "supposed to just trust" cause he slapped a megacorporation logo on his crap code…
What hinders good security practices is stupid web devs preventing pasting in password (and to a lesser extent username) fields
@Epic_Null My client shows his post as an answer to mine 🤔
@devnull @Epic_Null @beyondmachines1
I barely do Windows. I thought "Recall" was a virus of some type. Guess I'll have to read up.
My only point is that asterisks don't make us safer.
@number6 @devnull @beyondmachines1 In spirit, you would be correct. It is spyware that takes screenshots of your screen regularly, making any information on the screen vulnerable.
In technicalities, it's a first party tool from Microsoft.
@Epic_Null Yeah it's from M$. And being from M$ is exactly what makes it even worse than third party malware, not less
Because
- It normalises spyware from corporations, "because there's no risk, you can trust Microsoft 🤡" kind of bullshit
- Users don't even need to "make mistakes or install software from untrusted sources". They just have built-in malware and no one even asked their permission. Some marketing moron just decided it's acceptable to do it
@devnull @number6 @beyondmachines1 You are talking to someone who ditched Windows years ago on their personal machine.
IMO the only way it becomes not worse than malware is if it finally breaks Windows' hold on companies and users, as well as destroying the trust in Microsoft once and for all.
@Epic_Null @devnull @beyondmachines1
Can you opt out or uninstall? I just installed a dual-boot with Windows 11. I noticed something about AI but ignored it.
"Consent" to micro$oft.
Do you want to be spied on? We won't say clearly that the default answer is "yes". Here are your choices
- Yes, I want to be spied on as much as you'd like
- Yes, I want to be spied on as much as you'd like. Just slightly less than response one. Let's call that "Basic telemetry"
On their OS
And
- Yes, I want to be spied on as much as you'd like
- Yes, ask me again later so I assume I'm not being spied on for now
On their web crap
@beyondmachines1 To be blunt, it's an accessibility issue and should be treated as such.
Hey asshole, I can't use a keyboard well. Screw you for blocking the tool that auto-fills.
(Hm... Having typed that just now... I should look into what it would take to make an extension that force-injected keyboard events into the currently-selected form so that "paste" can become "hand-type this.")
@beyondmachines1
We shouldn't. But @mark should check if he already has the tool before creating it himself.
The browser should ignore attempts at preventing paste, at least as an option.
Which makes me wonder, my browser (Vivaldi) has a lot of such options, I wonder if this is among them. If you have a link to such a site, I will check it - I haven't run into such a site for years myself, but I'm not sure if that's because web devs around here figured out that if you make it hard to use a password manager, people will use lousy passwords, or because my browser ignores it.
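Added example, not code from this thread, from Vivaldi, or from any extension: the two halves of the "no paste in password fields" fight. `installSitePasteBlock` is what a site typically does (cancel the `paste` event, sometimes also Ctrl+V/Cmd+V at `keydown`); `installPasteShield` is what a user script or extension does to neutralise it. The shield relies on a DOM ordering guarantee: a listener registered in the capture phase on an ancestor (`document` in a browser) runs before the field's own listeners, so calling `stopImmediatePropagation()` there means the site's handler never runs, nobody calls `preventDefault()`, and the browser's default action (inserting the clipboard text) goes ahead. Node's built-in `EventTarget` and `Event` are used so the logic can be exercised outside a browser; they have no element tree, so there the shield has to be registered on the same target first to reproduce the capture-before-target order a browser guarantees. Function names are this example's own.

```javascript
// Added example, not from the thread. Paste blocking as sites do it, and a
// user-script style shield that defeats it. Uses the standard EventTarget /
// Event API, which Node provides globally, so it runs without a browser.

const isPasteShortcut = (e) =>
  (e.ctrlKey || e.metaKey) && String(e.key).toLowerCase() === 'v';

// Site side: cancelling the paste event stops the browser from inserting the
// clipboard text. Some sites also swallow the keyboard shortcut.
function installSitePasteBlock(field) {
  field.addEventListener('paste', (e) => e.preventDefault());
  field.addEventListener('keydown', (e) => {
    if (isPasteShortcut(e)) e.preventDefault();
  });
}

// User side: capture-phase listeners on `root` (document in a browser) run
// before the field's own handlers. stopImmediatePropagation() prevents every
// later listener, including the site's blocker, from seeing the event, so
// preventDefault() is never called and the paste proceeds.
function installPasteShield(root) {
  root.addEventListener('paste', (e) => e.stopImmediatePropagation(), { capture: true });
  root.addEventListener('keydown', (e) => {
    if (isPasteShortcut(e)) e.stopImmediatePropagation();
  }, { capture: true });
  // Inline handlers such as <input onpaste="return false"> live on the
  // element's onpaste property, not in the listener list; clear them too.
  if ('onpaste' in root) root.onpaste = null;
}

// dispatchEvent() returns false when some listener called preventDefault(),
// i.e. when the paste was blocked; true means the default action would run.
function pasteAllowed(target) {
  return target.dispatchEvent(new Event('paste', { cancelable: true }));
}

// In a browser this is the whole user script: shield the document at
// document-start, before page scripts attach their own listeners.
if (typeof document !== 'undefined') {
  installPasteShield(document);
}
```

Two caveats a practitioner will hit: a site that itself attaches a capturing listener on `document` before your script runs beats you on registration order (hence "run at document-start"), and a site that watches the `input` event and wipes the field when many characters arrive at once needs the keystroke-injection approach @mark mentioned instead. Firefox also has an about:config switch, `dom.event.clipboardevents.enabled`, that stops pages from receiving clipboard events at all; whether Vivaldi exposes an equivalent is not something this thread establishes.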