• BlueMagma@sh.itjust.works
      8·
      12 hours ago

      To be able to display this error message and force you to use a different password, that way you won’t remember it.

  • magic_lobster_party@fedia.io
    49·
    22 hours ago

    One way this happened to me was because the ” choose password” page silently truncated too long passwords. The login page didn’t truncate.

    • helpImTrappedOnline@lemmy.world
      24·
      19 hours ago

      That’s been the most frustrating thing about using a password manager. I set the random generator pretty high and have to reset and decrease it randomly until the login works.

      • Sabata@ani.social
        8·
        14 hours ago

        When the shitty site dose not allow half the special characters in the generated password…

  • Lvxferre [he/him]@mander.xyz
    16·
    21 hours ago

    I hate poorly made security/identity systems in general, but by far the worst is poorly made 2FA.

    No, I’m not giving you my number; and if using your site requires it, I’m probably giving up using your site. Ask my email and I’ll provide my burner account.

  • candyman337@lemmy.world
    20·
    23 hours ago

    That means they’ve updated their password requirements and your new one is now rejected, or they reject passwords of a certain age or with a lack of account activity.

    • coffee_tacos@mander.xyz
      51·
      12 hours ago

      They better not know whether the old password matches their new password requirements, as all they should have is the salted hash of the password, which reveals no information about the password on its own.

    • pelespirit@sh.itjust.works
      72·
      23 hours ago

      I’m pretty sure it was because the password was compromised. That’s what I’ve heard for a decade now.

  • Thorry@feddit.org
    9·
    22 hours ago

    That’s because you’ve been rate limited trying passwords for an hour. When an attacker is randomly trying incorrect passwords, even the correct password will be rejected. Otherwise the protection wouldn’t be very useful.

    • kibiz0r@midwest.socialEnglish
      5·
      14 hours ago

      Had a convo with someone a while back:

      Bug report: “The ‘reset password’ form doesn’t show an error if you try to reset an account that doesn’t exist.”

      Me: “That would be a security risk. Closed.”

      Them: “What? How? You have to click the link in the email before it does anything.”

      Me: “Try putting in a bogus email on the login screen. See how it says ‘wrong email/password combination’, and not ‘no such account’? If we tell the user whether we recognize a given email, we’re basically providing attackers a list of users they can try passwords for.”

  • purplemonkeymad@programming.dev
    93·
    21 hours ago

    They keep multiple old passwords. You’ve done this whole stick before and you tried to use that same password last time. You use it for everything, and every time your new account gets “hacked.” You keep using that password even when we show you that it’s been in multiple leeks and is associated with your email.

    “But I like the password, it’s my favourite football team!”

  • diptchip@lemmy.world
    42·
    19 hours ago

    I’m more pissed that they are keeping all my old passwords… So when they get leaked, they all get leaked. Meanwhile, all our phones have cameras but we can’t have them take a pic on the wrong pin entered because why? No logic in Emailing the picture to you. That’s just silly.

  • dumbass@aussie.zoneEnglish
    4·
    23 hours ago

    There’s few things more violently infuriating than being told that… You fucking told me it was the wrong password in the first place for fuck sake, I only have 3 fucking password variants I use, but noooo you need a brand new, never before used by any human ever, password. Fuck you web developers!

    • TheRealKuni@piefed.socialEnglish
      4·
      15 hours ago

      I only have 3 fucking password variants I use

      I used to live that life. It’s a dangerous one. Consider a password manager.

  • Rhaedas@fedia.io
    51·
    23 hours ago

    I’ve always thought that the best password security possible would be to always have the real password fail a few times. People who know their password will keep trying it, someone else will try a different one. It’s a variation of not giving an error that tells what failed.