this post was submitted on 13 Mar 2024
1003 points (97.2% liked)

Memes

45870 readers
1823 users here now

Rules:

  1. Be civil and nice.
  2. Try not to excessively repost, as a rule of thumb, wait at least 2 months to do it if you have to.

founded 5 years ago
MODERATORS
 

Brute force protection

@memes

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 178 points 9 months ago (3 children)

It's not quite complete without code on the password reset page to tell you that you can't reuse your password.

[–] kryptonianCodeMonkey 130 points 9 months ago (3 children)

And label the text box "username" when it only accepts email address.

[–] helpImTrappedOnline 61 points 9 months ago (2 children)

Don't forget to have hidden password requirements and secretly truncate any password longer than 12 characters.

[–] kautau 31 points 9 months ago

Well yeah, if you don’t truncate the password to 12 chars how will you fit the plaintext in a memory efficient fixed latin1 CHAR column that only accepts letters, numbers, and underscores

/s

[–] Buddahriffic 3 points 9 months ago (1 children)

Battle.net used to not be case-sensitive for passwords, back in like the pre-wow era.

[–] helpImTrappedOnline 1 points 9 months ago

Intresting. At least they got their act together, even making a physical totp authenticator in the 2000s.

[–] [email protected] 13 points 9 months ago* (last edited 9 months ago) (1 children)

And then validate the email with a custom regex that definitely doesn’t account for all the valid syntax permutations defined by the several email-oriented RFCs

[–] [email protected] 3 points 9 months ago

Only on mobile though, on desktop have different criteria. Perhaps give the text box an arbitrary max length of like 30 characters on sign-in but not on account creation.

[–] [email protected] 10 points 9 months ago (2 children)

You guys are evil - who shat on your pillow??

[–] bruhduh 6 points 9 months ago
[–] [email protected] 2 points 9 months ago
[–] [email protected] 9 points 9 months ago

I've had that before and I'm very confident the password was correct - my theory is that they'd changed how non-ASCII characters like £ were handled and their code only half recognised my password.

[–] [email protected] 4 points 9 months ago* (last edited 9 months ago) (1 children)

I never got that rule. Surely it is less secure to keep records of historical passwords than to let someone rotate between !!!! And #### etc

[–] [email protected] 1 points 9 months ago

Hopefully they're not sitting the old passwords in plain text and just have the hashes.