• GreenKnight23@lemmy.world
    5·
    15 hours ago

    my bank did this shit to me. I finally tracked down a dev that worked on the software through LinkedIn.

    I asked why the fuck does this happen. their response?

    When your password expires it will give you a password invalid on login. this is the best way the software can force a password change.

    I seriously wanted to hurt the guy, but realized he was just trying to deliver a feature that his boss wouldn’t give him the time to fully deliver on.

    now, for a moment, just imagine how many other corners were cut when your banking software was written…

  • prole@lemmy.blahaj.zone
    17·
    1 day ago

    The worst is when I forget what the requirements for the password were, and that all I did was add a special character to the pw I thought it was. So when I get to the “enter new password” part, and it actually tells me that I need a special character, then I enter my current password and get this message

  • Smoogs@lemmy.worldEnglish
    7·
    1 day ago

    But also ‘passwords don’t even matter anymore. They don’t keep you safe. Get an MFA’ And yet it has to be changed every 3 months with complicated instructions on characters

    • GreenKnight23@lemmy.world
      1·
      14 hours ago

      my bank blocks the ability to copy and paste passwords into the password change form.

      want to have a 128 character alphanumeric password with multiple special characters? you’re going yo type it allllll in, twice.

      oh, you have @%:;}°¥¢ characters in your password? we only allow !?+-(). now do it again.

      hey, we noticed your password has too many repeating characters. repeating characters: 88 now do it again.

      hey, your password must start with a letter.

      hey, can’t be an uppercase letter.

      hey, can’t end with 0

      1000003352

  • jeffep@lemmy.world
    20·
    2 days ago

    At least it’s not “Invalid, this password is already taken by user SweetyPie1997”

  • ColeSloth@discuss.tchncs.de
    56·
    2 days ago

    Bullshit IT trick. If they suspect a possible security compromise they’ll force this out to everyone. It gets you to change your password without them revealing that they may have been compromised and had data stolen.

    • Honytawk@discuss.tchncs.de
      4·
      23 hours ago

      That is not how it works.

      They keep a log of the 3 (or more) previously used passwords. If you try to change to any of them, it will give you this error.

      So if you changed your password and then forgot. Changing it back to the password before that will tell you not to use previous passwords even if it is not the current password.

        • MML@sh.itjust.works
          1·
          16 hours ago

          It will also tell you a password is incorrect using a VPN in certain cases, which is an okay security measure, but it can be pretty annoying till you figure out what’s going on.

    • LifeInMultipleChoice@lemmy.world
      14·
      2 days ago

      Companies like Apple say the password has to have a capital lowercase number and 8+ characters. But leave out that your password can’t be something you have used in the last year, can’t contain your name, birthday, or email address. Those errors will come up separately. In this case it would say you can’t reuse your password. It doesn’t say your last password because it wasnt your last password. Some people just don’t use the password daily/weekly, so they forget 6 times a year and have to keep resetting it.

      Also the number of people forget their passcode because they use face/touch id all all the time is higher than you’d expect apparently. I knew someone who used to complain about it when they did support for them. Essentially people plug their device in every night, use it daily and never turn it off so it always accepts face or touch. Then they leave automatic updates on … and it restarts for an update and they can’t get back into their device because face/touch doesn’t work on first boot, it is a subsidiary of the passcode and cannot be set up without the passcode.

      Then since they forgot their passcode, they have to wipe everything from the phone to bypass it… But of course they don’t know their password so they can’t sign back into their account and it is then activation locked because that’s how they prevent people from using stolen devices.

      Then the extreme cases dude was telling me at that point is they changed their phone number at some point, so they can’t reset their password without it, it takes days if not a week to recover the account, all the while their phone is a brick

      • WraithGear@lemmy.worldEnglish
        10·
        2 days ago

        my favorite is my login for my phone needing me to authenticate i with… the authenticator… on my phone…. which to log into the authenticator…. requires me to verify using the authenticatior…

        you call the IT department and i get an AI telling me that all password retrievals are done through the web portal, so it sends the password reset… to my email, accessed by my phone, that needs me to authenticate using the authenticatior…

        the real answer it to lie to the AI to talk to a person and ambush them with a password reset and don’t take no for an answer.

        i am currently 1 month behind on my required training modules about the importance of network security.

        • LifeInMultipleChoice@lemmy.world
          2·
          1 day ago

          If your talking about a company like Apple, they can’t reset your password no matter what, they have no access. It is only controlled by the user unless it is an account recovery which takes days. (Which if a user creates an account recovery key, it takes it completely out of their hands). It’s a 28? Digit code that makes it so the password/account can never be recovered without that code and access to the phone number on the account unless there is still a device logged into that account you can change it from. You could have spent $8000 on the account for subscriptions/music/whatever, you won’t be able to access it ever again. All purchases lost

          • Pika@sh.itjust.worksEnglish
            1·
            2 hours ago

            from what people told me who’s had this happen, even with a lost account recovery key it is possible to recover the account, it’s just apple doesn’t advertise it.

            Basically it’s the same account recovery process but they nuke the accounts cloud(which is likely a deal breaker) prior to handing the account over. The issue is you can’t start that from a self service portal, it has to be originated from apple support and getting them to actually do it can be a pain because they don’t like to for obvious reasons.

            also i believe Not having a method of account recovery that allows you to retain goods that was exchanged for monetary value would be concidered fraud so I would expect they are forced to have some way of retaining purchases as long as you can clearly identify yourself as the buyer

      • ColeSloth@discuss.tchncs.de
        3·
        2 days ago

        God’s, I’d hate to deal with losing my phone number. I have most everything crosslinked where my number isn’t the only option, but some I’m sure would still give me a big fat FU to deal with. I have all my passwords to everything correctly saved in my PW manager, at least

  • Pika@sh.itjust.worksEnglish
    44·
    2 days ago

    There’s a special category reserved for the devs that design their apps to invalidate passwords, but not give a message saying the password is invalidated and needs to be changed.

    In my experiences that is usually the cause. Them invalidating the password sending an email (or sometimes not). cue me trying the old password, failing, changing the password, and getting that message. /tableflip

    • limelight79@lemmy.world
      9·
      1 day ago

      The time and attendance software at my old job would do that. It took me a while to figure out that it wasn’t me forgetting the password, the password had just expired. Extremely frustrating.

    • sartalon@lemmy.world
      8·
      2 days ago

      Came here to say this.

      Pretty sure most of the time the password is expired or invalidated, as you said, but whoever vibe coded the system was too lazy, too dumb, or too terrified of being blamed for the frustration of changing a password, that they think it is better to put ALL the frustration on the user.

      Whatever the reason, I fucking hate them.

  • YoiksAndAway@piefed.zipEnglish
    30·
    2 days ago

    I’ve gotten “New password cannot be the same as the four previous passwords”. I live too far from a large body of water to watch the sun rise/set over the horizon and ponder my life.

  • Wifi0041@fedinsfw.appEnglish
    29·
    2 days ago

    Government sites do this to me more frequently than any other site. The worst part is that I use a password manager so I know for certain it’s the correct password.

  • CarbonIceDragon@pawb.social
    13·
    2 days ago

    When that happens I usually just exit the password reset page without entering a new one and then log in again with the old

    • jaybone@lemmy.zipEnglish
      6·
      2 days ago

      They invalidate it because they got hacked or they fucked up some other way but they don’t want to admit it, so they don’t tell you about it and they act like the user is wrong.

    • limelight79@lemmy.world
      7·
      1 day ago

      I do, but more and more sites are unintentionally (or intentionally?) making them hard to use, by relying on Javascript triggers, like requiring typing in each field or at least putting each field into focus, before the “log in” button becomes active.

        • limelight79@lemmy.world
          4·
          1 day ago

          One is my bank, so, kinda, yeah. That one just has the “active” triggers, so it’s easy enough to click-click and then login.

          I forget what the other one I hit occasionally is, I just did it the other day, too. That one I actually have to type a character then delete it after the password manager fills in so I can log in.

          I can’t figure out why they are doing this…I guess it’s so that you don’t accidentally try to log in before typing username and password, but…