Ugh. This is such a stupid #password dialog for #Dell #idrac.

If you have less than 8 characters, it tells you to use "at least 8". If you have 8 characters, it is happy. If you type 9 characters it tells you that you have too many characters.

You must have exactly 8. No more. No less.

@paco Eight shall be the number thou shalt type. Nine shalt thou not type, neither type thou seven, excepting that thou then proceed to eight.
@paco honestly, now that I think about it... I could almost forgive a bad password policy if all the error messages for invalid passwords were Monty Python quotes.
@paco DES encryption you say
@paco @catsalad but "calvin" is not 8!
@paco All out of band server management software is exceedingly terrible
@paco fortunately the word “password” is exactly eight characters long.
@paco I love when they just truncate the password, so the 16 char password I put in my password manager is _actually_ a 15 character password because "fuck you, that's why". *sigh* that's why I don't fiddle with the frustration machine at home, no home servers, just Steam games.
@paco There's a reason "Dell" rhymes with "Hell".
@paco
So at max like 20 min to brute-force.... That is ridiculous. In 2025 you should always use a passphrase with pseudo words, numbers and special characters.

@paco Having a maximum password length typically also means they do not store it as a (salted) hash. #redflag

Oh and very handy… a date has eight digits. 🥴

@paco Wow. In iDRAC 8 on my R530, it's even more fucky.

Enter a long password? The text box just... stops accepting characters after the eighth one.

Enter a short password? No error message. Nice. But try to connect to iDRAC over VNC, and it just closes the connection.

Either way, once you hit Apply, the page reloads with the password and confirm boxes empty. Did you set a password and forget? Who knows!

Someone tried to "fix" this, and came up with the Angry Red Text version. Well done.

@paco

It is worse than stupid. Why does the form box have more room then?

@paco
I know a system that even requires that you do not reuse parts of your previous password. I'm not sure how that works with the requirements to store passwords safely....
@drchaos @paco Simple: when you're changing the password, you have to provide the old password, so the system can compare it directly.

@jernej__s @paco hm.
Need coffee.

That makes sense. Today I learned two things: me not think good and how this check can work in a sensible way.
d'oh.

@paco just for kicks, run the firmware through a hex dump. You'll likely still find tech debt all the way to the stone age. VLAN it off, or better yet: disable the network port unless you need it.
@paco @catsalad This type of stupidity always makes me assume they’re storing plaintext passwords directly in an ancient database somewhere.

@paco

Goldilocks
Password exceeds maximum length

3Bears
Use at least 8 characters

BabyBear
Password just right. Login successful