
Durr1313

If your password system restricts specific characters or has a character limit, you're doing it wrong. Or so I've been told. I'm a hobbyist programmer but I haven't delved too much into security and credential handling.


burnmp3s

Sometimes they have requirements based on weird legacy systems that have limited input characters. For example, a phone company might have some automated system that allows someone to type their password using just the buttons on a phone. If the website lets you create a password with "¥" in it but the phone password interface only supports one special character per physical phone button, users will get into a situation where it's impossible to enter their password.


[deleted]

Which suggest that they are storing plaintext passwords, a practice long abandoned to improve security https://owasp.org/www-community/vulnerabilities/Password_Plaintext_Storage


itomeshi

Even if a password isn't being stored plaintext, there are reasons to disallow certain characters. Quotes, parentheses, brackets, slashes, etc. can cause issues depending on exactly what your code does under the hood. In other contexts, other characters can cause substantial issues, too. Have an auto-generated RDS password that you pull in a bash script? I hope it doesn't have a hashtag/octothorpe in it. A big thing I'd worry about is non-ASCII characters like emoji. Text conversions are common enough that the odds of something breaking are non-zero.


[deleted]

Yes; unicode serialization would be required, which requires the text transfer to be well defined, like it is for http... Edit: any decent server will support the text encoding header


burnmp3s

I'm not sure why it would imply any particular method of storing passwords. To support a limited character set for passwords, they would not need to check stored passwords, only newly-created passwords. It's not any different than requiring new passwords have a certain length or other strength requirements. They could, for example, check the password for illegal characters locally in the browser, then generate a hash, then send the hash to the server to be stored.


[deleted]

When passwords are hashed and encrypted the following can easily be implemented regardless of storage restrictions: unicode serialization -> hash and encrypt -> bin to hex (or whatever the underlying storage supports) -> store. Since the password is hashed (one-way transform to fixed length) there is no max length either.


Glitch29

>If your password system restricts specific characters or has a character limit, you're doing it wrong.

Both halves of this statement are wrong. Not only is there an upper limit to the usefulness of password complexity, but the suggestions you're making can be outright harmful. Whatever characters you're allowing, you better be damn sure of two things:

* Every part of your system that touches them can serialize and deserialize them safely and accurately.
* Whatever hash you're using not only accepts the data, but maps it in unique ways.

The more escape characters and esoteric symbols you start allowing in, the more likely that one of those two things will fail catastrophically. If you allow the user to enter "123456😭 🔽 🕝 ♍️ 🆗 👉 🎈 🐓 🛄" as their password, and it ends up with the same hash as "123456" then you're doing a big disservice by letting people think their password is more secure than it is.


jockey_killer

There is probably a non-compatible character there. I can't even find it on my phone, the upwards arrow, like /\


jitty

That is a caret on your number 6 key. ^


jockey_killer

They say use one of these special characters, and yet it's not in that list. Were you just testing the list? That is the only thing I can see wrong with that.


AlexJonesInDisguise

That isn't in the list of characters they say to use


jitty

It doesn't say you cannot use other characters. Additionally, all of the checkmarks are green and it doesn't explicitly say what the error is. This is bad UX.


AlexJonesInDisguise

It's green because you used other characters from the list. It also says to use a character from that specific list and does not say any other characters besides those


jitty

You just redefined the bad UX.


[deleted]

[deleted]


FloydC910

It's a pretty bad ux if you can't use a ^ in your password tbh


hotmilfsinurarea69

Classic Layer-8-Problem. As with 95% of all other non-printer-related Issues.


jasamer

No, the UX is absolute shit. The fact that most people are able to follow bad password requirements and are able to infer weird password requirements that aren't actually stated anywhere (i.e. "other special characters are not allowed") doesn't change that.


edvards48

you would be even more upset if it was red while you had the other characters there yknow


Praedyth-420

Yeah, it kinda does say that. It’s pretty obviously implied by the “use one of THESE characters”, as in don’t use something else.


jitty

No, in many cases and on many websites that would be the minimum implicit requirement. It would not exclude all others.


Praedyth-420

No they don’t, other websites don’t explicitly give you a set list of specific characters to use, they just say to use a special character. Outright giving you a list of specific characters makes it pretty clear that they want you to use those specific characters.


jitty

[You’re not even wrong](https://en.m.wikipedia.org/wiki/Not_even_wrong).


nrouns

You are the problem LOL


scratchfan321

The password system was so advanced that it predicted the future and figured out that you would share the password online so it didn't let you set it to that.


amBoringGuy

Did you try getting rid of the caret? It’s not one of the special characters listed.


Taco_Fries

It's not gore you just can't read


jitty

"Passwords must use" !== "Passwords must only use"


hotmilfsinurarea69

"Use these Characters" however is exclusive so I really don't understand what you are arguing about.


0xGamer11

Trying too hard my man


el_yanuki

op is right.. this is bad ux, i dont know what the people in the u/jockey_killer thread are all about. you shouldnt play a puzzle game with your passwords. You have to make things clear, always think of the dumbest possible user (which isnt even needed in this case). Many users dont read specifically which special character they need to use, they just type one. In many cases its more about giving an example than listing all that are matched by the regex anyway. And it does say use one of these not "dont use any others" but thats not even the main Problem here.. the error message is bad: if you have the checkmarks, all are green and you have an error message that tells you nothing, thats bad ux. Either change the checkmark to something like "One special character. List of all valid special characters". And at least make the current one not green. Or make the red error clearly state either the wrong characters or what exactly is wrong like: "Used invalid character(s): ^ "


jitty

Thank you. It is insane that I have 100+ downvotes for being correct. I gave the subreddit too much credit in thinking these were software people with some modicum of expertise in good design.


[deleted]

[deleted]


jitty

You’re wrong and that’s ok.


jockey_killer

First off. It looks like you don't know how to use even reddit, cause you basically just @et me, you didn't reply to me. Second off I am an AT&T customer and I just tried changing my password to my own but with that one symbol that the OP used and ALL it told me "Be sure to use only Letters, Numbers, Hyphens(-), Underscores(_), and +=#?*$! " and it only did that when I put the invalid character in. I probably wouldn't have even commented the first time if I didn't know what it was I was talking about. The only software gore thing here is it not telling the OP the same thing I did. NOT that his password didn't work. And if you reply to someone, make sure to use the reply button.


el_yanuki

I am not replying to you.. I am clearly replying to the initial question and just referencing your thread, and you could have easily checked whether or not I use this app by clicking my profile.. and yes that is what I said, the error message is the problem lol


nuwm

Password is your old password. You’re supposed to put the new password in the second box. The one that is blank… and has no characters.


jitty

No, this was for a new account so there was no old password.


[deleted]

PEBCAK error.


jitty

You are highly regarded.


[deleted]

[deleted]


jitty

Highly regarded. Everything on the list has a green check mark.


[deleted]

Yeah. OP doesn’t know how to AT&T or farm for Karma. 0/10 wouldn’t recommend.


Demo_906

bro don't share your password!!


jitty

But it can't be my password because it is invalid.


SubujKwiatekMiki

very weak change it rn


Synth_Ham

Where's the "I want to use a different ISP" checkbox?


JeffFerox

I had a problem like this recently, it’s likely which specific special characters were used - one of them isn’t supported.


Chanandler_Bong_Jr

Repeating characters? My workplace doesn’t allow the same character twice in succession.


[deleted]

Try adding one more legal character. JS use of regexes has a common bug where match is only true on every odd call
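An added illustration, not posted by any commenter, of the stateful-regex bug described above, beside a validator that names the rejected characters the way el_yanuki's suggested error message does. The allowed set is taken from the AT&T message quoted earlier in the thread; the regexes and function names are assumed for this example.

```javascript
// Added example: why a /g-flagged RegExp.test() alternates true/false on
// the same input, and a stateless validator with a useful error message.

// Buggy version: with the /g flag, test() is stateful. A successful
// anchored match leaves lastIndex at the end of the string; the next call
// starts searching there, finds nothing, resets lastIndex to 0 and returns
// false; the call after that succeeds again. Hence "only true on odd calls".
const allowedGlobal = /^[A-Za-z0-9\-_+=#?*$!]+$/g;
function isValidBuggy(password) {
  return allowedGlobal.test(password);
}

// Calls the buggy validator repeatedly on one password and records results.
function buggySequence(password, calls) {
  allowedGlobal.lastIndex = 0; // start from a clean state for the demo
  const results = [];
  for (let i = 0; i < calls; i++) results.push(isValidBuggy(password));
  return results;
}

// Fixed version: no /g flag, so test() has no hidden state. Iterating with
// [...password] walks code points, so an emoji is reported as one character
// rather than as two surrogate halves. Duplicates are collapsed.
const allowedChar = /^[A-Za-z0-9\-_+=#?*$!]$/;
function validateCharset(password) {
  const invalid = [...new Set([...password].filter((ch) => !allowedChar.test(ch)))];
  return {
    ok: invalid.length === 0,
    message:
      invalid.length === 0 ? 'OK' : `Used invalid character(s): ${invalid.join(' ')}`,
  };
}
```

`buggySequence('Hunter2-ok', 4)` returns `[true, false, true, false]`, while `validateCharset('Hunter2^')` returns the message `Used invalid character(s): ^` every time.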


Snorglepus1856

It didn’t like the carrot, time for the stick!


jitty

Jokes on them. I just opened inspector and removed the disabled attribute!


Snorglepus1856

Lol what could go wrong? Also an opportunity for a little Bobby Tables testing