Do all the things like ++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatarSign Up
Get a devDuck
Rubber duck debugging has never been so cute! Get your favorite coding language devDuckBuy Now
Search - "password strength"
Mam: Hey can I ask you a question about Facebook?
Me: (Christ give me strength) ... sure whats up?
Mam: You know when you get a notification and you click on it and see what someone uploaded?
Me: ... you are not on Facebook, you can't be getting notifications
Mam: well I do. Is it possible to...
Me: No hang on a second, it is 110% not possible for this to happen. Something else is going on that you think is a notification.
Mam: You know when you are on, and you see a message like "12 new notifications"
Me: on? on what? this is happening on your phone is it? Can I see?
Mam: No its on my laptop at home.
Me: ... you have an old laptop with an old windows, you can't get notifications on it.
Mam: OH FOR GOD SAKE! ... you know when you are in your emails and it says "12 new notifications"?
Me: ... right so we are talking about EMAILS about unread notifications and not getting notifications on your phone. So you have an old account then that you don't use?
Mam: Yeah I don't know the password to it, haven't logged in, in years.
Me: of course
Mam: Right anyway. When I get one and click on it, lets say its about you, can you see me reading your notifications?
Me: ..... you can't not read my notifications.
Mam: uh, can you see me reading your emails then smart arse?
Me: ... can't do that either.
Mam: So what the hell am I doing then?
Me: You are reading a post someone uploaded, which you got alerted to from an email.
Mam: Right, can you tell when I've read your POST then?!?!?!
Mam: was that so hard?
Me: ... yep7
This is from my days of running a rather large (for its time) Minecraft server. A few of our best admins were given access to the server console. For extra security, we also had a second login stage in-game using a command (in case their accounts were compromised). We even had a fairly strict password strength policy.
But all of that was defeated by a slightly too stiff SHIFT key. See, in-game commands were typed in chat, prefixed with a slash -- SHIFT+7 on German-ish keyboards. And so, when logging in, one of our head admins didn't realize his SHIFT key didn't register and proudly broadcast to the server "[Admin] username: 7login hisPasswordHere".
This was immediately noticed by the owner of a 'rival' server who was trying to copy some cool thing that we had. He jumped onto the console that he found in an nmap scan a week prior (a scan that I detected and he denied), promoted himself to admin and proceeded to wreak havoc.
I got a call, 10-ish minutes later, that "everything was literally on fire". I immediately rolled everything back (half-hourly backups ftw) and killed the console just in case.
The best part was the Skype call with that admin that followed. I wasn't too angry, but I did want him to suffer a little, so I didn't immediately tell him that we had good backups. He thought he'd brought the downfall of our server. I'm pretty sure he cried.5
I am beyond speechless. My Bank forces me to use a password that consists of EXACTLY 8 characters, and at least one small character, one big and one number. Oh, and it should not be identical to the last 5 passwords.
What's the best part about this?
THEY HAVE A FUCKING METER TO MEASURE YOUR PASSWORD STRENGTH. FUCKING HYPOCRITES!
Not even a 2 factor makes via sms can make me feel save when you have such a big pile of shit behind it11
I know i know, its an old story.
FUCK YOU AND YOUR STUPID PASSWORD REQUIREMENTS
NO SPECIAL CHARACTERS WONT MAKE IT SAFER
FFS. JUST SAY IT HAS TO BE 20 CHARACTERS AND BE DONE WITH IT15
Ladies and gentleman, I've done it.
Remove your hacker game trophies from your wall.
That nasty bug you fixed a couple of nights ago? Meh.
Your top devRant post? You'll delete it after reading this.
Every awesome accomplishment you can think of: it all means shit now.
>> I have SUCCESSFULLY changed my business Microsoft account password into something I can remember AND Microsoft accepted it in under an hour of trying!!!!! <<
I want to say a big FUCK YOU to MICROSOFT for WASTING MY BLOODY TIME.
FUCK YOU for giving me a max of 16 characters. DASB&(*(&G*HH*& for telling me every time my password is 100% strength and then after every submit tell me I have to change it AGAIN because it should be harder to guess. WUT?! It was 16 characters including a (capital) letter, number and multiple special characters, WHAT ELSE DO YOU WANT FROM ME?! UNICODE EMOJI'S???!!! ALLOW ME TO USE MORE CHARACTERS SO I WILL MAKE IT HARDER TO GUESS IT, IT'S 2018 FFS.
I don't even understand why my new password is accepted compared to the other one, but fuck it I can access my account again.
Now I might have to find a new job before the company password policy kicks in again.
/me drops everything and walks out of the office to get wasted (not sure if celebrating or just really pissed off)9
Is there such a thing as a password policy that sets expirations based on the strength of a password? That should be a thing.5
I don't want to use Visual Basic!
I'm a 17 year old boy and I have a couple of years of experience with coding. At school we had to choose between a couple of things to do 2 hours every week. One of them was about computers and programming. Sounds fun, right?
The teacher is letting us code in Visual Basic in MS Excel. I tried to explain him that I know how to code, but he still wants me to listen to him.
He doesn't even use any indentation! I can't look at it and I don't want to use VB it sucks just let me use js or anything else but not VB! Why won't you just accept I'm 10 times better than you! Just let me do my thing!
Now he thinks he can challenge me with a password strength checker. I want to use js, some regex to make it very short and efficient and a nicely styled web page. But now I'll be forced to use a horrible programming language (VB) I never used before!24
Who actually started the reign of mixed character passwords? because seriously it sucks to have an unnecessarily complex password! Like websites and apps requesting passwords to contain Upper/Lower case letter, numeric characters and symbols without considering the average user with low memory threshold (i.e; Me).
Let's push the complaint aside and return back to the actual reason a complex password is required.
Like we already know; Passwords are made complex so it can't be easily guessed by password crackers used by hackers and the primary reason behind adding symbols and numbers in a password is simply to create a stretch for possible outcome of guesses.
Now let's take a look into the logic behind a password cracker.
To hack a password,
1) The Password Cracker will usually lookup a dictionary of passwords (This point is very necessary for any possible outcome).
2) Attempts to login multiple times with list of passwords found (In most cases successful entries are found for passwords less than 8 chars).
3) If none was successful after the end of the dictionary, the cracker formulates each password on the dictionary to match popular standards of most website (i.e; First letter uppercase, a number at the end followed by a symbol. Thanks to those websites!)
4) If any password was successful, the cracker adds them to a new dictionary called a "pattern builder list" (This gives the cracker an upper edge on that specific platform because most websites forces a specific password pattern anyway)
would be cracked faster compared to
Because the former is short and follows a popular pattern.
In reality, password crackers don't specifically care about Upper-Lowercase-Number-Symbol bullshit! They care more about the length of the password, the pattern of the password and formerly used entries (either from keyloggers or from previously hacked passwords).
So the need for requesting a humanly complex password is totally unnecessary because it's a bot that is being dealt with not another human.
My devrant password is a short story of *how I met first girlfriend* Goodluck to a password cracker!9
To all websites requiring at least one upper case, one lower case, one number, one special character, 25 emoji and 49 unicorns in the password when signing up.
If you say something is required, then your regex BETTER be checking ONLY for those things. You should not have hidden requirements for passwords that users are supposed to dream about and know. Especially if it's a super time-sensitive thing that they should have opened 2 Fridays ago.
I had to pull my hair out for 20 minutes (that felt like an hour) before looking at their code and reading their regex. The regex was different from what the page said the requirements actually were. What were they even thinking? 😑
The rest of everything related to this organization uses an SSO system, why can't they just use it? Isn't the whole point of SSO to avoid a different login for every tiny part of the system?
I wonder what the other less technically inclined people using the system are doing right now. Sadly, I have no way of letting them know.
I sincerely hope the dev that made that website faces the same thing while picking a password for creating an account somewhere else and realizes what he/she did.
I really needed to let it out.
I feel much better now.
Time to take out the stress ball :)1
A password strength plugin, which really encourage user to improve password strength: