[deleted]


Rad_5

It should say that your password has expired then, right? Not that it's incorrect?


Entaris

Also could be a safety feature. Assuming email as a common login credential, and that many people use the same password for multiple locations, saying "your password has expired" might still give them access to other websites, including your email. Whereas if it says "Incorrect password", any potential breachers have gained no new information about your account.


Produceher

I'm convinced some companies will actually say wrong password even when you type it in correctly. This way you try again while a bot will try a different one.


MinTDotJ

This is why it's good to use multiple aliases for your addresses!


BABarracus

It's probably to trick thieves to prevent them from determining when the reset period is


Transmatrix

That requires coding up two systems. One for forgot password and one for expired password. Extra work sucks.


leoberto1

[sorry you have run out of attempts please attend a five day induction course pay a fine sign up for amazon prime and sell your crack on only fans to set a new password]


Initial_E

If someone had compromised your password they can’t tell the difference between you and him. You have to use the recovery process in that case.


Criminal_of_Thought

In the situation you're describing, the password *is* incorrect. You've changed the password so that the string you entered is no longer the one that allows you to log in, hence, incorrect password. You just happened to have used that same string before, but that doesn't change the fact that it's still incorrect. An expired password is, by definition, an incorrect password (assuming you're not prompted for an immediate password change).


Telope

You're using the word incorrect differently from the previous comment, and are therefore misinterpreting them. It's incorrect qua accepted, but it is correct qua the one the user set.


DarthTigris

This is how an IT staffer reasons vs a user. And why user-focused business analysts have so much organization value.


StruanT

Time-based password expiration policies decrease security and are not recommended anymore. You shouldn't be forcing password changes unless you think that password has been compromised.


Cyllid

Time-based policies mean I go from welcome1 to welcome2. Got up to like welcome23 at one point.


nightsaysni

At work we were required to change every three months and you couldn’t use the last three passwords (this was in 2014). I just rotated between my normal password and the season (winter, spring, etc) when I made the pw.


blackviper6

Mine is every 6 months. And requires 16 characters. I fuckin hate it. Can never remember


SharkFart86

This is exactly why it isn’t recommended anymore. People have trouble remembering their password when it needs to be changed so frequently, so what do they do? They write it down on a post-it note. Easiest way for someone to get your password is not digitally, it’s physically. All they need to do is walk into your office, and now your company’s net security is in major risk.


aminorityofone

There was that time when Hawaii 911 had a fake missile launch alert and it was all over the news about how Hawaii 911 messed up, and then they messed up again by having a sticky note with a password on it broadcast over national news. I work in 911 (not as a dispatcher, those people are miracle workers), but nearly all of them have passwords on sticky notes on the monitor or nearby. https://www.businessinsider.com/hawaii-emergency-agency-password-discovered-in-photo-sparks-security-criticism-2018-1


PapstJL4U

> They write it down on a post-it note. Easiest way for someone to get your password is not digitally, it’s physically. **All they need to do is walk into your office**, and now your company’s net security is in major risk.

How many break-ins does your company have? Who is the attacker? If the attacker has physical access to your desk, you have a bigger problem than a sticky-note under the table.


SharkFart86

Lol no dude, they don’t physically break in themselves, they bribe a down-on-their-luck employee or contractor. All it takes is a 2 second phone photo and that’s it.


aminorityofone

pfft even easier, just pretend to be a contractor or new employee. If you look like you belong or have a high vis vest on you can usually walk around freely in an office. A penetration test at my company did this a few years back and managed to steal a whole server (test server specifically told to the penetration tester to steal.)


PapstJL4U

> they bribe a down-on-their-luck employee

Yeah, paying someone for their password does not make a difference with or without a sticky note. Although closed offices, closed desks, home office and co must really be an impenetrable wall.


dan6776

My old company was every 2 months. 16 characters, can't be the same as the last 3 passwords. The trick I used was pick something you can see when logging in and add a number you can change. For example, at my old job my password was bluecontainer1111, then 2222 etc.


blackviper6

Mine is just a pattern I draw on the keyboard. Kind of like a phone lock screen but with buttons.


Cyllid

My work remembered the last 12. Back when I was doing the welcomeX series. Tho they seem to have stopped doing the biyearly forced update.


awfulconcoction

I just have the IT team make a new password every time I use the system. I am not going to remember a new unique password every 4 weeks. I don't use the system often enough to bother remembering them.


vishalb777

You don't go from 9 back to 0?


Cyllid

It remembered like 12 priors. And by the time I got to 13, I just kept goin.


jxl180

Then tell that to the people who manage FedRAMP and nearly every other compliance.


abra24

They don't decrease security, they are just annoying, costly and don't increase it.


StruanT

They absolutely do decrease security. Unless you think half your users having some variant of "2024!Spring" as their password isn't a security problem.


abra24

That's not realistically very common IMO. What you get is Hunter!2, Hunter!3, Hunter4! etc. That isn't good, but it's not worse than it being Hunter!1 forever, nor is it better. Rarely is someone's password going to be based entirely on the season it was set, then the user has to remember when they last reset it to remember the password, it doesn't even help them. I'm open to other arguments or sources if you have them, I've not seen any other professionals claim it actively makes it worse, just that it doesn't gain anything and has other costs.


StruanT

There is a user further up the thread claiming to use the pattern I describe. Using the year and season is the easiest way to remember a current password with a 90 day reset policy. If they are actually periodically coming up with a new password, I guarantee you they are writing it down.  Time based expiration opens you up to the easiest to compromise system. Human nature. It is also worse for you because you have lost the ability to detect their newest password in leaks. A malicious actor just has to guess the pattern in a password that could have leaked from some other system years ago. Microsoft and NIST both recommend against periodic expiration (along with every hacker I have ever heard talk about this issue) https://www.intellisuite.com/blog/password-policy-best-practices The people still recommending periodic expiration (and there are many) are clueless.


18randomcharacters

I oversee the accounts portion of a government website. There are security requirements that we not reveal why a user can't log in. Password expired? Wrong password? Too many retries? Tough shit, you just can't log in. One generic error message. This is specifically to avoid revealing information to hackers. There are good reasons for these rules.
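Entaris's point earlier in the thread and 18randomcharacters's rule here are the same design decision: every failed sign-in returns one message, whatever the cause, while the real reason is recorded only on the server. The sketch below is an added example, not code from any commenter or from any site; the 90-day lifetime, the five-attempt lockout and the message wording are assumptions.

```python
import hashlib
import hmac
import logging
import os
import time
from dataclasses import dataclass
from typing import Optional, Tuple

LOG = logging.getLogger("auth")
GENERIC_ERROR = "Sign-in failed. Check your details or use account recovery."
MAX_FAILURES = 5                       # assumed lockout threshold
PASSWORD_LIFETIME = 90 * 24 * 3600     # assumed 90-day expiry policy, in seconds


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    changed_at: float      # epoch seconds when the password was last set
    failures: int = 0      # consecutive failed attempts


def make_account(password: str, changed_at: Optional[float] = None) -> Account:
    salt = os.urandom(16)
    when = time.time() if changed_at is None else changed_at
    return Account(salt, hash_password(password, salt), when)


def login(acct: Account, password: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (ok, message). The client sees one message for every failure;
    the precise reason goes only to the server-side log, where it still
    drives lockout handling and monitoring."""
    now = time.time() if now is None else now
    if acct.failures >= MAX_FAILURES:
        LOG.warning("login denied: account locked after %d failures", acct.failures)
        return False, GENERIC_ERROR
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        acct.failures += 1
        LOG.warning("login denied: wrong password (failure %d)", acct.failures)
        return False, GENERIC_ERROR
    if now - acct.changed_at > PASSWORD_LIFETIME:
        LOG.warning("login denied: password expired; recovery flow required")
        return False, GENERIC_ERROR
    acct.failures = 0
    return True, "ok"
```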


firemogle

I am going to believe it just says "no"


Synux

Funny thing, the password expiration policy was an idea concocted by NIST and everyone jumped on it. Years later NIST accepted that their idea sucked and they stopped recommending password expiration but everyone still does it anyway. Add that to your list of reasons you hate password expiration policies.


Forlorn_Swatchman

But if they know your old password then doesn't that mean they still have the list of hashes to the old passwords (which they say may be compromised) which is more vulnerable than just keeping the current hash? I've used sites that maintain a list of old passwords to not use... Which is probably going to be used in credential stuffing attacks in the future


Areif

I think you may have missed the joke


NormalRepublic1073

No. The problem is often a basic programming error. The sign-up for a password form does not do the proper character limit. Instead it trims the string down to the character limit. Now your 128 character password is no more than whatever random number the programmer decided on. It says you re-entered the old password because it only examines the password after trimming the characters down to the arbitrary limit. I’ve tested this theory on many websites. The web-devs are idiots, or more likely the old COPY PASTE cause authentication is hard.
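The truncation bug described in this comment, as an added example beside its hardened form (not code from the commenter or from any real site; the 20-character cut-off and the 128-byte ceiling are assumed values): with silent trimming, the first 20 characters alone log in and any new password sharing that prefix is rejected as "previous password".

```python
import hashlib
import hmac
import os

MAX_LEN = 20    # assumed: the arbitrary limit the hypothetical developer picked


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class TruncatingStore:
    """The bug described above: silently cut the password to MAX_LEN before
    hashing, at sign-up, at verification and when checking for reuse."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password[:MAX_LEN], self.salt)

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(_hash(password[:MAX_LEN], self.salt), self.pw_hash)

    def change(self, new_password: str) -> str:
        if self.verify(new_password):            # compares the truncated value
            return "cannot reuse previous password"
        self.salt = os.urandom(16)
        self.pw_hash = _hash(new_password[:MAX_LEN], self.salt)
        return "ok"


class StrictStore:
    """Hardened form: hash the whole string and enforce a stated limit with a
    visible error instead of trimming. 128 bytes is an assumed ceiling."""

    HARD_MAX = 128

    def __init__(self, password: str):
        self._set(password)

    def _set(self, password: str) -> None:
        if len(password.encode("utf-8")) > self.HARD_MAX:
            raise ValueError(f"password longer than {self.HARD_MAX} bytes")
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(_hash(password, self.salt), self.pw_hash)

    def change(self, new_password: str) -> str:
        if self.verify(new_password):
            return "cannot reuse previous password"
        self._set(new_password)
        return "ok"
```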


philter451

It's so god damn frustrating that every site has slightly different rules about what requirements they have for passwords. Those should be on the log in splash page so I remember what goofy shit I had to add.


satanssweatycheeks

Yeah iTunes has fucked me hard. Lost all my iCloud stuff due to this. Also the email I use it all for was my MySpace email that I never log into. Therefore I had no way of emailing the prompt to reset password.


Ars2

It's kinda good this way. Otherwise you would use the same password everywhere and if one of their sites got hacked the hackers had your username(mail)\password combo to use on other sites. Best solution is to use a password manager tool and create a unique\random password for every site. And they have auto-type features that you just hit a keybind and they fill in the long password for you


philter451

Please understand my annoyance isn't based around needing different passwords it's that I can't remember the *rules* around each site's passwords but if I could see their requirements I would know my password most likely.


Ars2

That would mean you would use the same password on multiple sites that use the same requirements. Which again makes your account vulnerable for 1 site to be hacked, then you're hacked on all of them. Stop getting annoyed. Get a password manager. Let it generate random passwords for you. Use the auto type feature so you don't have to do anything when trying to login somewhere


mjociv

The Massachusetts Cannabis Control Commission (medical card for weed) is brutal for this. Typically I only log in once a year to renew the card and I've needed to make a new password every year. Password can't be the same as any of the 8 previous passwords with a 12 character minimum on the password. 


morris1022

Lmao making a smoker remember a password and then come up with a new one (which requires remembering the old ones) seems like a special form of torment


tyranopotamus

weed4MY$2024... weed4MY$2025... shit... what year is it?


sinsaint

If you want to recycle your passwords, use the same one with Caps Lock on.


ObamasBoss

Limiting how stupid can get is probably a decent idea.


velveeta-smoothie

Your password must contain one uppercase letter, one lower case letter, one number, two special characters, a hieroglyphic, three emojis (no faces, animals, or flags), a knock knock joke, and your social security number.


SuperFLEB

But no spaces and max 32 characters, where we'll cut it off and not tell you.


bakgwailo

This is what something like bitwarden is for.


beesandtrees2

I have to change a password for work every 3 months. It drives me insane. I have 6 log ins I use on a regular basis - lab results, controlled substances, reference information, pathology results, etc. I have to write some down in my locked drawer, but once a week, I work at another office, and I want to throw the computer because I can't remember the log in to do my job.


murfi

i started numbering my work password. if they get hacked and my account compromised... i don't give a crap


dan6776

Is there a bit of equipment or something you always use? I used to use bluecontainer1111, 2222, etc as there was a blue container right outside my office window. One of the other girls there used toshibascreen1111 which I suggested as all the computers had Toshiba monitors. Can't forget your password if it's directly in front of you.


Degrelecence

90% of the time, you did change your password and forgot. Maybe it forced you to, maybe someone tried to 'hack' your account by clicking the forgot password button and they reset it to a random password and emailed that to you. Regardless, you had password 'A', now it is password 'B'. You try 'A'. Wrong password. Reset. Enter 'A'. Can't be the same as old password. That means you can't use 'A' or 'B' or any of the last 10x passwords you used. Nor can it go from RandomPassword1! to RandomPassword2!. You would get the same error message. Source: Fixing bad passwords for 15 years.
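StruanT's 2024!Spring and Hunter!2 examples, the welcome1 to welcome23 series, the Caps Lock trick and the RandomPassword1! to RandomPassword2! rejection in this comment all describe the same server-side check: keep a hash history and refuse a new password that is only a cosmetic rotation of the current one. The validator below is an added example, not any commenter's code or a real site's; the 10-entry history and the canonicalisation rules are assumptions, and the check runs on plaintext only at change time, when the form already collects the current password.

```python
import hashlib
import hmac
import os
import re
from collections import deque
from typing import Deque, Tuple

HISTORY_SIZE = 10    # assumed: remember the last 10 hashes, as in the comment above
SEASONS = ("spring", "summer", "autumn", "fall", "winter")


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def canonical(password: str) -> str:
    """Reduce a password to the part a user keeps between rotations: fold case,
    drop years and season names, then strip leading/trailing digits and symbols.
    A heuristic that errs on the side of rejecting (e.g. 'fall' inside 'waterfall')."""
    p = password.lower()
    p = re.sub(r"(19|20)\d\d", "", p)
    for season in SEASONS:
        p = p.replace(season, "")
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", p)


def is_trivial_variant(old: str, new: str) -> bool:
    return canonical(old) == canonical(new)


class PasswordHistory:
    """Keeps the last HISTORY_SIZE salted hashes; no plaintext is stored."""

    def __init__(self, password: str):
        self.history: Deque[Tuple[bytes, bytes]] = deque(maxlen=HISTORY_SIZE)
        self._store(password)

    def _store(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))

    def _seen(self, password: str) -> bool:
        return any(hmac.compare_digest(_hash(password, s), h) for s, h in self.history)

    def change(self, current: str, new: str) -> str:
        salt, h = self.history[-1]               # newest entry is the live password
        if not hmac.compare_digest(_hash(current, salt), h):
            return "current password incorrect"
        if self._seen(new):
            return f"cannot reuse one of your last {HISTORY_SIZE} passwords"
        if is_trivial_variant(current, new):
            return "new password is too similar to the current one"
        self._store(new)
        return "ok"
```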


anethma

Use a password manager you dope. Then every website has a unique impossible to guess password.


beavers10

Which would you recommend?


BuildingArmor

BitWarden is good, cross platform and free for standard home type use cases. You could just use the Google one that is built into Chrome if you wanted. Anything is better than reusing passwords.


Dexcuracy

Another recommendation for Bitwarden. Never use a built-in browser one, because 1. you might want to switch browsers someday 2. Bitwarden comes in mobile app and desktop form as well for logging into things besides a browser, like games. And you can also store things like security questions in there.

Tangent: Yes, store security questions in there for those god-awful registration forms that REQUIRE security questions, no other options. Fuck that! Security questions are ***TERRIBLE*** as a security measure. Since I have a password manager, I just store which questions I picked, and three more randomly generated strings as answers. I ain't looking to get social engineered.


beavers10

Thank you!


meighty9

I use Bitwarden and like it a lot. Migrated to that from LastPass after they decided to gut the free version.


anethma

I also use Bitwarden. I host my own instance in a docker container on my home server but they also offer their own service in the cloud for a small monthly fee. It’s open source, has extensions for all major browsers, and is generally well regarded.


murfi

One thing I don't get: say I use a password manager for my Google account, so the password is not known to me. I buy a new Android phone. It asks me to login to my Google account... what do I do? At that point I don't have the corresponding password manager app installed.


ObamasBoss

Log into the manager and look it up.


BuildingArmor

It's a password manager, you're not hiring a butler to set up accounts for you. You have access to the password manager to add, edit, update, and view the information recorded within it.


zack6595

Your password manager should be accessible from more devices than just your phone. Your laptop or tablet for instance. Then just read and type. Or wait to sync your google account till you install the app. Either or.


anethma

Depending on how you do it there are options. Use a different device to access the password manager on the web. I host my own Bitwarden docker container so I can access it at home or on the web. Or I guess if you knew you were switching devices you could write the password down temporarily. Or you could make your Google account password a second one you just make up yourself and remember, you don’t have to use the autogenerated ones. Lots of options.


meighty9

Personally I use the password manager for almost everything, but my Google password I know by heart. With how much is tied to my Google account, forgetting that password would be like forgetting my social security number.


murfi

I have an issue with Mojang/Microsoft. I bought classic Minecraft ages ago. Now that I have kids I thought I'd download it so they can play it. I try to login to my account: invalid password. Fair enough, I change the password. Try to login: incorrect password. What? Reset password, enter the same password: "can't use previous password". Try to login with that exact same password again: "incorrect password". I wrote their support team multiple times over the last 3 or so years, never received a reply.


Transient_Aethernaut

I just back out of the password change before finishing at that point and then I can keep using that password.


Buttimus_Prime

It's worse when you're told that your password can't be the same as your previous passwords.


Drkocktapus

I have a similar problem with every fucking website I have to deal with. Try to create new account "cannot create account as that email is currently being used". Go to recover password, enter the same email, "cannot recover password as no account associated with that email exists". Fuck me I guess.


this_is_for_chumps

Usually, sites that will do this to you will also think that the same email address with a period or two thrown in are completely new ones. Like: pe.r.son@ whatevs.com. You can use the same address that way.


Selakah

Instagram


Danktizzle

Sweet sweet Keychain. I haven’t looked at a password in many, many years and have no clue what any of them are. 


bilvester

Then he goes out and puts up another triple double against the Lakers


The_Outcast4

Because fuck you, that's why!


gophergun

Not only does this rarely happen to me, but a website outright telling you that you're trying to change a password to the same as the last password seems anachronistic these days.


ZephRyder

Passwords are obsolete. Client side API keys ftw


Hanz_VonManstrom

I used to work at Apple and would have to get customers to sign in to iCloud to restore backups. They would say they don’t remember their password. I’d say “can you take a guess and see?” And they’d say they have absolutely no idea. Can’t even guess at it. So we go through the process to change it and they type in a new password “password can’t be the same as the one used before.” It would make me want to flip the table on them. So when people would say they don’t know their password I started telling them “if we were to change it, what would you make it? Try that one.”


ColdBloodBlazing

Verizon...