Conversation
prettygood (prettygood@socially.drinkingatmy.computer)'s status on Monday, 09-Jun-2025 10:08:39 JST
If a site/service/software limits what characters you can use in a password, I will personally guarantee that they are mishandling your security in some way or another, probably multiple ways.

crow (crow@irlqt.me)'s status on Monday, 09-Jun-2025 10:13:12 JST
@prettygood@socially.drinkingatmy.computer real - i always assume it's in plain text somewhere
probably a VARCHAR64 column in an ancient MySQL db

prettygood (prettygood@socially.drinkingatmy.computer)'s status on Monday, 09-Jun-2025 10:18:55 JST
@gray

gray (gray@clubcyberia.co)'s status on Monday, 09-Jun-2025 10:18:56 JST
@prettygood I had a work website say I wasn’t supposed to use a password manager to save my password so I just saved it into an Outlook sticky note

Nudhul (nudhul@shitposter.world)'s status on Monday, 09-Jun-2025 10:19:06 JST
@prettygood same with an unreasonable minimum length

prettygood (prettygood@socially.drinkingatmy.computer)'s status on Monday, 09-Jun-2025 10:20:06 JST
@Paradox my go-to is 64 characters, full ASCII set, randomized. It works more often than not, but the notable exceptions always seem to be the important places, like financial institutions and core service providers.

Paradox (paradox@raru.re)'s status on Monday, 09-Jun-2025 10:20:08 JST
@prettygood I haven't found a single one that lets you use anything and everything.

gray (gray@clubcyberia.co)'s status on Monday, 09-Jun-2025 10:20:58 JST
@prettygood it is also one of the bullshit sites that forces you to change your password every 90 days or something

prettygood (prettygood@socially.drinkingatmy.computer)'s status on Monday, 09-Jun-2025 10:21:19 JST
@gray this doesn't bother me, I have a lot of entropy to expend on generating random strings

Epsi (epsi@akko.wtf)'s status on Monday, 09-Jun-2025 10:21:41 JST
@prettygood no single quote or <> allowed hmmm...

prettygood (prettygood@socially.drinkingatmy.computer)'s status on Monday, 09-Jun-2025 10:21:58 JST
@epsi little bobby XML parser (bullshitting)

Paradox (paradox@raru.re)'s status on Monday, 09-Jun-2025 10:22:45 JST
@prettygood I have never thought about using carriage returns in my passwords. I don't even know if I could copypaste one. That's interesting.

Epsi (epsi@akko.wtf)'s status on Monday, 09-Jun-2025 10:24:02 JST
@prettygood yeah I'm just musing haha

Vo (vo@noauthority.social)'s status on Monday, 09-Jun-2025 10:29:09 JST
@prettygood @gray My credit union got bought out or are outsourcing their online services (idk which I can't keep up, changes like this happen yearly) and the new service's mobile app won't let you paste your password from your password manager. Browser works fine though.
I don't know what this is supposed to prevent. Are they worried about hackers brute-forcing via Android automation or something?? They wouldn't need the clipboard then...

prettygood (prettygood@socially.drinkingatmy.computer)'s status on Monday, 09-Jun-2025 10:29:45 JST
@Vo @gray some executive got fed some bullshit at some conference and dictated bad policy to the org and now we're all worse off for it. That's just how it goes, unfortunately.

prettygood (prettygood@socially.drinkingatmy.computer)'s status on Monday, 09-Jun-2025 10:31:08 JST
@Vo @Paradox would you believe I've seen this happen as well?

Vo (vo@noauthority.social)'s status on Monday, 09-Jun-2025 10:31:09 JST
@prettygood @Paradox I found a site once that said (and accepted) 8-64 length but actually truncated to 63 before salting/hashing/storing. That was fun to figure out.

Vo (vo@noauthority.social)'s status on Monday, 09-Jun-2025 10:35:58 JST
@prettygood @Paradox we're past "poweruser" and into the "edge case" fringe, apparently

Vo (vo@noauthority.social)'s status on Monday, 09-Jun-2025 10:38:48 JST
@prettygood @gray they made me choose a username (instead of just using the debit card number like the old site) so I took the opportunity to call their app some tasteful cusswords

Sparkler (sparkler@mastodon.is-a.horse)'s status on Monday, 09-Jun-2025 10:38:53 JST
@Vo @prettygood @Paradox Hotmail/outlook used to do this, except it was 16 characters

Vo (vo@noauthority.social)'s status on Monday, 09-Jun-2025 10:54:32 JST
@sparkler @prettygood @Paradox I guess it would work fine (but insecurely) if the login page did the same truncate, but alas

prettygood (prettygood@socially.drinkingatmy.computer)'s status on Monday, 09-Jun-2025 11:00:59 JST
@professionalbigot69 sauce? Bold claim. I wouldn't be surprised

Ulysses (professionalbigot69@poa.st)'s status on Monday, 09-Jun-2025 11:01:00 JST
@prettygood Cloudflare MITMs passwords entered through the front end btw

Ulysses (professionalbigot69@poa.st)'s status on Monday, 09-Jun-2025 11:22:23 JST
@prettygood In their developers knowledgebase:
https://developers.cloudflare.com/fundamentals/account/account-security/leaked-password-notifications/

prettygood (prettygood@socially.drinkingatmy.computer)'s status on Monday, 09-Jun-2025 11:22:23 JST
@professionalbigot69 oh so they're MITMing your CF password, not just any old thing entered into a CF hosted/proxied site. I misunderstood.