We’ve all been there.
I too love the Password game! Please save Paul! ~I truly care about him!~ Truly!
(Sorry, I sometimes like to post really bad comments…)
Same. My country was Jordan. Took way too long to figure out, because it dropped me in the middle of an empty amphitheater with no visible road signs, license plates, etc…
Bruh, it just made me google dork to find out where a random street view was. 10/10 would recommend
My Roman numerals should multiple to equal 35, but then the county I got starts with a C… how do you multiply by fractions in Roman numerals?!
It was great until that step 20 where some ‘fire’ deleted everything I made. It’s one thing to make you think, it’s a completely different thing to just delete everything and make you start over. Fuck that noise.
Yeah, I just got to the password on fire and survived, but I wanted to move Paul to an edge so he doesn’t get killed if there’s another fire. But apparently cutting/pasting him kills him. :(
Edit: I went back and got to rule 25. Rule 24 was a bitch and a half, but I did it. Then I had to sacrifice letters, and I thought, oh, I can’t use M or D because they are roman numerals for 1000 and 500, so I chose those. It included lowercase as well, and that made some previous rules impossible. In my anger, I may have overreacted, because I intentionally overfed Paul to kill him.
I got stuck on rule 14 where I had to guess the country in Google maps.
Au2WonderfullyshellnIcepigsXXXV!85mayy4n6mfiend🌘
I guess it’s kind of secure. Does the password change daily with the current wordle word?
if you walk down the path like 20m there’s a sign that tells you where you are
I stopped playing when my whole password caught fire lmao
“Sorry, that password is already in use” ruins it for me. That’s not a realistic message to receive.
Maybe “Your password cannot be one you’ve used previously”.
Especially for those places that want your password changed every two weeks.
If they want to play that game - the calendar date becomes part of the password. It’s never the same, but you can always work it out!
At my work they wanted better security, and made the rule of minimum 12 characters, must include all sorts of numbers, special characters, etc, no previously used password and it must be changed every month, 3 attempts then the account is locked and you have to call IT.
The result was that people wrote their passwords on post-its on the screen, so it led to worse security overall and they had ro relax the rules.
It follows the vein of some of the password rules and feedback reducing security itself. Like why disallow any characters or set a maximum password length in double digits? If you’re storing a hash of the password, the hash function can handle arbitrary length strings filled with arbitrary characters. They run on files, so even null characters need to work. If you do one hash on the client’s side and another one on the server, then all the extra computational power needed for a ridiculously long password will be done by the client’s computer.
And I bet at least one site has used the error message “that password is already in use by <account>” before someone else in the dev team said, “hang on, what?”.
Fun fact: password controls like this have been obsolete since 2020. Standards that guide password management now focus on password length and external security features (like 2FA and robust password encryption for storage) rather than on individual characters in passwords.
Since 2017 at least; and IIRC years before that; that’s just the earliest NIST publication on the subject I could find with a trivial Web search.
https://pages.nist.gov/800-63-3/sp800-63b.html
Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
“Memorized secrets” means classic passwords, i.e. a one-factor authentication through a shared secret presumed to be known to only the right person.
I wouldn’t say obsolete because that implies it’s not really used anymore. Most websites and apps still use validation not too dissimilar from the OP, even if it goes against the latest best practices.
I wouldn’t say obsolete because that implies it’s not really used anymore.
I’m not sure where you heard someone use the word “obsolete” that way, but I assure you that there are thousands if not millions of examples of obsolete technologies in constant and everyday use.
https://www.merriam-webster.com/dictionary/obsolete
no longer in use or no longer useful
Yeah i agree. The best example of this is Linux. To anyone who disagrees, why does a modern operating system require you to use a terminal, or edit config files instead of changing settings in a gui?
Its THE example of ancient software being pushed on to niave techies that would rather have an insecure open source project than a safe, walled garden like Microsoft Windows 11.
Although Windows 11 does have its problems. The chief of which is bogging down the streamlined simplicity with things a normal user wont need like a package manager.
For today’s 10,000 who have never seen it, https://xkcd.com/936/ succinctly explains why the whole mixed character types thing isn’t favoured.
I’m still waiting on an XKCD that references #936 with the fact that we soon as we have reliable, functional quantum computing, all of the passwords from before that point in time will be completely and utterly broken. That the only way to make a password that a quantum computer would have a tough time breaking is if it was made by another quantum computer. Unless of course the comic has already been made and I just missed it, which is a complete possibility because this year for me has been utterly crap.
Some of them are broken by quantum computers, but not all of them. For example, SHA256. You can use Grover’s algorithm to take sqrt(n) steps to check n possible passwords, which on the one hand means it can be billions of times faster, but on the other hand, you just need to double the length of the password to get the same security vs quantum computers. Also, this is the first I’ve heard of a hash that uses a quantum computer. Do you have a source? Hashes need to be deterministic, and quantum computers aren’t, so that doesn’t seem like it would work very well.
Maybe you’re getting mixed up with using quantum encryption to get around quantum computers breaking common encryption algorithms?
My favorite, though, is:
types in password “Password incorrect” goes to reset password “please enter a new password” types in password “your new password cannot be the same”
It often means that one could have derived the correct password from the set of rules - but those rules are not shown when asking for the old password
Sometimes it means the page checking the password is following a different ruleset eg. the main page is case sensitive and the change password page isn’t. Sometimes it’s stuff like the entered password is silently truncated to a fixed number of characters and because of that won’t let you log in. Sometimes it’s wierd character expansions being passed directly to the password checking routine (& or similar).
Sorry, that password is already in use
BIG red flag. Abort. Abort.
Also I love when they only support certain special characters. So the psuedo random noise created by my password generator won’t work until I curate out the unsupported characters.
I was changing my password on a pretty big company website the other day.
The password generated by my password manager kept giving me a http error (500 I think)
I generated a new password and deleted all the special characters other than the obvious ones. Boom, worked first time.
So looks like someone is not sanitising their inputs properly.
I sent them an email so hopefully they will fix.
I sent them an email so hopefully they will fix.
One can only hope. But based on my experience, they usually do not. I once sent an email to Microsoft telling them that their Microsoft account app had a vulnerability, and I even sent them the XML line they needed to add to their Android Manifest to fix it, and they wouldn’t do it because it required physical access to the device to exploit. I mean, that’s fair enough, but it was literally one line of code to plug the hole.
They eventually did add that line about 6 years later.
It boggles sometimes.
I remember about 2015 (?) In the vicinity anyway, PayPal has a 12 character MAXIMUM on their passwords.
PayPal, you know the place where you can literally transfer all the money. A 12 character MAXIMUM
I emailed them to suggest they change this requirement. And they replied saying that 12 characters was sufficient if you used special characters and numbers.
Glad they have finally changed it now.
Funniest thing was when I registered on a website which parsed the \0 sequence and hence truncated the password in the background unbeknownst to me. This way you could circumvent the minimum length and creare a one character password.
Once I registered on a website. I used an auto generated password. Next time I tried to log in to the website I was confused that my stored password didn’t work. Requested to change the password, but I used the stored password again. To my surprise, it said the password must be different from the current one.
After a bit back and forth I finally figured it out. Apparently the site had a max length on the password. Any password longer than that is truncated. This truncation wasn’t applied in the login form. Only when creating a password.
