negativenullIncorrect Password
ttyybb
orcaFuck the cyber idiots and their “change password” requirements.
Static password with good 2FA is the way to go.
I ran into some app a while back that required 2fa “text you a code” to log in every time.
If you put in the wrong password, it’s still sent you the 2fa… Which it would accept for login.
I’m honestly not sure if it ever even checked the password.
I’ve seen an increase of sites that bypass passwords altogether and rely on 2fa (claude.ai was one I noticed the otherday)
dual_sport_dork 🐧🗡️That’s… not 2FA anymore. It’s reverted to 1FA, now with sprinkles on it.
Current best practice in cybersecurity is to not arbitrarily ask users to change passwords every x days, so any site doing this are following old guidelines.
Yes, because among other things this annoys users into just writing down their password on a Post-It and sticking it to the bottom of their keyboard or monitor ripe for any passerby to take.
I have explained this to various management types repeatedly over the decades and nobody seems to get it.
I’ve had success directing people to the NIST password policy guidance.
Cyrus DraegurWow it’s almost as though somebody in there reads xkcd and knows about correct horse battery staple!
The folks at NIST know what they’re talking about. The US government directed them to develop security policy for government information systems in 2002 (FISMA) - they’ve been thinking about how to do this properly for 24 years.
If you happen to work for a US government agency of any kind, you can basically tell your boss “NIST guidance says we should do X” and compliance is technically required by law (within the context of security policies that apply to your agency’s work area). If you work for a company that does business with the US government, there are similar compliance policies also published by NIST that you should be following (and your company could lose its contracts if it is not compliant).
CarbonIceDragonWhen that happens I usually just exit the password reset page without entering a new one and then log in again with the old
Seefra 1They invalidate it because they got hacked or they fucked up some other way but they don’t want to admit it, so they don’t tell you about it and they act like the user is wrong.
Ive never had a password continue to not work after doing this, personally, so I must not’ve encountered that reason
Government sites do this to me more frequently than any other site. The worst part is that I use a password manager so I know for certain it’s the correct password.
They probably have a character limit they don’t tell you about. They accept the password when you make it, but they also chopped of last 10 digits.
Password is only 8 characters. It’s the perfect password!
HuudaHarkitenI only see /
hahaha, you hunter2ing hunter2.
Yes. I tried my best, but failed miserably.
But then again, failing miserably is my best. So in a sense I succeeded as expected.
edgemaster72Task failed successfully
Google, of all companies, limits passwords to just a hundred characters.
I’ve gotten “New password cannot be the same as the four previous passwords”. I live too far from a large body of water to watch the sun rise/set over the horizon and ponder my life.
Password1
Password2
Password3
Password4
Password5
Password1
Aaaaaaaand repeat.
LogicalDrivelShuddup, you don’t know me!
You can really mix it up by changing the ! at the end with ?. The hackers will never expect that.
All I see is *********
That one is okay-ish. The one that is going to have me getting in the elevator with my samurai sword to go and have a chat with somebody is “Your password cannot contain any sequence of characters from previous passwords,” or “password cannot be your old password backwards.”
Sure, just admit to me that you’re storing passwords in plain text as carefree as you like.
The backwards one can be easily checked against the hash of the previous password, no need for plaintext.
Bullshit IT trick. If they suspect a possible security compromise they’ll force this out to everyone. It gets you to change your password without them revealing that they may have been compromised and had data stolen.
Companies like Apple say the password has to have a capital lowercase number and 8+ characters. But leave out that your password can’t be something you have used in the last year, can’t contain your name, birthday, or email address. Those errors will come up separately. In this case it would say you can’t reuse your password. It doesn’t say your last password because it wasnt your last password. Some people just don’t use the password daily/weekly, so they forget 6 times a year and have to keep resetting it.
Also the number of people forget their passcode because they use face/touch id all all the time is higher than you’d expect apparently. I knew someone who used to complain about it when they did support for them. Essentially people plug their device in every night, use it daily and never turn it off so it always accepts face or touch. Then they leave automatic updates on … and it restarts for an update and they can’t get back into their device because face/touch doesn’t work on first boot, it is a subsidiary of the passcode and cannot be set up without the passcode.
Then since they forgot their passcode, they have to wipe everything from the phone to bypass it… But of course they don’t know their password so they can’t sign back into their account and it is then activation locked because that’s how they prevent people from using stolen devices.
Then the extreme cases dude was telling me at that point is they changed their phone number at some point, so they can’t reset their password without it, it takes days if not a week to recover the account, all the while their phone is a brick
WraithGearmy favorite is my login for my phone needing me to authenticate i with… the authenticator… on my phone…. which to log into the authenticator…. requires me to verify using the authenticatior…
you call the IT department and i get an AI telling me that all password retrievals are done through the web portal, so it sends the password reset… to my email, accessed by my phone, that needs me to authenticate using the authenticatior…
the real answer it to lie to the AI to talk to a person and ambush them with a password reset and don’t take no for an answer.
i am currently 1 month behind on my required training modules about the importance of network security.
If your talking about a company like Apple, they can’t reset your password no matter what, they have no access. It is only controlled by the user unless it is an account recovery which takes days. (Which if a user creates an account recovery key, it takes it completely out of their hands). It’s a 28? Digit code that makes it so the password/account can never be recovered without that code and access to the phone number on the account unless there is still a device logged into that account you can change it from. You could have spent $8000 on the account for subscriptions/music/whatever, you won’t be able to access it ever again. All purchases lost
no it’s a company login.
Pikafrom what people told me who’s had this happen, even with a lost account recovery key it is possible to recover the account, it’s just apple doesn’t advertise it.
Basically it’s the same account recovery process but they nuke the accounts cloud(which is likely a deal breaker) prior to handing the account over. The issue is you can’t start that from a self service portal, it has to be originated from apple support and getting them to actually do it can be a pain because they don’t like to for obvious reasons.
also i believe Not having a method of account recovery that allows you to retain goods that was exchanged for monetary value would be concidered fraud so I would expect they are forced to have some way of retaining purchases as long as you can clearly identify yourself as the buyer
It’s factual you will lose it. It even says you will have a permanent loss of access to the account if you don’t have the information supplied to you to recover it. Basically you signed a contract that you won’t lose it and you control it, then you fucked up. Not their problem is what they see it as.
That is not how it works.
They keep a log of the 3 (or more) previously used passwords. If you try to change to any of them, it will give you this error.
So if you changed your password and then forgot. Changing it back to the password before that will tell you not to use previous passwords even if it is not the current password.
Except sometimes I know for certain the “wrong password” it wants me to change is the currently used one.
This happened to me yesterday. Turned out that the site had a password length limit on the reset-password-form, but not on the login page.
There’s a special category reserved for the devs that design their apps to invalidate passwords, but not give a message saying the password is invalidated and needs to be changed.
In my experiences that is usually the cause. Them invalidating the password sending an email (or sometimes not). cue me trying the old password, failing, changing the password, and getting that message. /tableflip
Came here to say this.
Pretty sure most of the time the password is expired or invalidated, as you said, but whoever vibe coded the system was too lazy, too dumb, or too terrified of being blamed for the frustration of changing a password, that they think it is better to put ALL the frustration on the user.
Whatever the reason, I fucking hate them.
“I’ll just gaslight them into thinking they couldn’t remember it”
Fucking assholes.
The time and attendance software at my old job would do that. It took me a while to figure out that it wasn’t me forgetting the password, the password had just expired. Extremely frustrating.
God the college I went to had you change your password once a semester, so twice a year. But the password couldn’t be the same as any of your last six passwords. What the fuck are you expecting from me?
RivalarrivalWhat the fuck are you expecting from me?
PasswordSpring2026!
I prefer having my passwords stored on paper in cyphers.