You must log in or register to comment.
“Your selected password is already being used by SwiftyFan05. Please choose another password.”
another_password
Somebody isn’t sanitizing their inputs properly. Like putting a bandaid on a heart attack
Whenever I see something like this I just laugh because you’re exactly right. Something isn’t being handled properly and their dev team just proved they don’t know how to do some basic handling. Every API library in JS and restful API I know of handle special characters. If they wanted they could base64 encode it over the wire. Then you’re exactly right, if the database “can’t handle it” more than likely it’s a home spun database connection where they’re serializing it themselves (which even then this is solvable), but even then that proves that they make poor choices.
if the database “can’t handle it” […] that proves that they make poor choices.
Exactly, the database should never even have to handle the password in it’s original form and hashing algorithms don’t care about special characters.
This is like when I was in my twenties working at a crappy grocery store with a MoneyGram inside of it. I live in Washington state, and at the time, if your last name was less than five characters, you would have asterisk’s in your license number. The MoneyGram system wanted people’s license numbers but was unable to recognize a license with an asterisk. It happened pretty rarely, but it always happened to people whose last names were four characters or less long. Five letters in your last name and you were gold. To make the transactions happen, I would just do the whole license number minus the asterisk.
Anyway, Washington changed how it generates license numbers so its a moot point anyway but I don’t think MoneyGram ever spent a dime to fix this since it only affected a small number of people in one US state.
Are you saying that your driver’s license number contains your name? Do you get a new number if you change your name?
Some states base it on your name in some ways. Mine used to have (maybe still do but I don’t live there anymore) letters from first and last names plus birth date as most of the number. I assume if you change your name your number changes as well.
Sometimes I wonder if I’m even fit for employment as a developer and then I see shit like this where I wonder who and what happened for this to even become an option?
Always remember there is someone much cheaper than you who will do a much worse job, but be more arrogant about it
Fuck I’m literally one of the cheapest, all I’m asking for is 700-800 dollars a month
Seems to be they’re dropping the passwords in the database in plain text, but they’re deathly afraid that someone will drop a '; in there or something and the insert will break.
Notwithstanding that storing passwords in plain text is a slapping with the 10 foot rubber chicken, but mysqli_real_escape_string() or any number of other similar solutions are indeed a thing that exists. A prepared statement would work, too.
but mysqli_real_escape_string() or any number of other similar solutions are indeed a thing that exists. A prepared statement would work, too.
You make it sound as if a prepared statement is a last resort. I would turn that around: as a rule always use prepared statements when dealing with user input. It’s very easy to forget a single call to
mysqli_real_escape_string().I was thinking more along the lines of the types of laziness/ineptitude most likely present at wherever OP’s example were being written. Escape string is one line of code for this whereas preparing a statement is like five.
But really they should just be hashing it. Then the input doesn’t matter.
Was my first thought. The only reason special characters would ever matter in a password is if you’re storing/processing them improperly
Lol I recently have found the opposite!
Might be a minimum of 16 chars. Or the parsing is broken and treats the ’ as the end of the password
deleted by creator
I let my password manager create 32 char passwords, that should be enough for a while. But of course then you have websites that throw you a ‘your password is too long’ message and have you find out by trial and error that they only accept 12 characters.
Or the off-by-one errors where they insist that 24 chars are the max, but in reality they accept 23. Probably never tested the limit.
Or websites that truncate your password after X characters when registering, but not when logging in, so you end up with an incorrect password and good luck finding out which limit the registration page actually uses.
That’s a big rainbow table. Like, with just precomputed values and random ascii character passwords it’s on the order of 1042 entries. You can shave that down a bit probably with all the tricks rainbow tables use, but I think you’re safe.
deleted by creator
State actors don’t generally need to break passwords. They ask the company “nicely” and they get what they want. The exception would be if that password is being used to encrypt data.
1031 is ridiculously huge too. The NSA probably works on EB scales, which is “only” 1018 bytes. If you can get up to 1022 equally likely passwords you’re fine against dragnet, brute force-style attacks. (If you’re zombie Bin Laden and the NSA will stop for a whole year cracking your drive, and doesn’t have any shortcuts, maybe you need 1039 I guess)
That being said, if more characters is no problem, go ahead and do that. I’m not saying more security for free is a bad thing.
Fandom is gross anyway. Contributing to independent wikis is a much better use of your time. https://getindie.wiki/
It’s not Fandom
they don’t specify a limit so 64 character password it is.
Go all in, 1024 character password.
They’ll accept it, but won’t tell you they ignored everything after character n, and their login page won’t take anything but the “correct” password so you’ll be spending some time figuring out the actual character count limit…
deleted by creator
I have experienced this far too many times.
Fucking MICROSOFT did that with Hotmail
Not a big surprise, they did the same with Windows 98. Everything after the first 14 was silently dropped.
Even worse the password was accepted in full when registered, but the login field won’t accept the full length.
Bcrypt/Scrypt have a 72 byte limit. Developers can get around that by putting it through a regular hash first, but that’s not common.
My previous bank forced 8 characters with only numbers and letters.
Hunter2
Some months back, there was a thread here on Lemmy where people were discussing western names written using Chinese characters. Phonetically, the names will sound alike. But meaning-wise, the characters will result in a Correct Horse Battery Staple-esque string of words.
Which is why I have since decided to make passwords by typing random names into a Chinese name generator and using the English translated result.
Sounds like a lot of work, but the way I see it, trying to think of new passwords is always work so I might as well have fun with it.
64 characters picked at random in
[a-zA-Z0-9_]is perfectly fine if password is your only option. Special character do not increase significantly the difficulty of bruteforcing it, but introduce the risk of having to manually type"}à.å÷Â!!ç-×ô@¸Á¢±ãÕß>>úÓ}¼º¤«<_`àÅû§Æ]*ÂñçÌÿ§à®&ܱ=Ú-´ð¹é$.>=;Öif something goes catastrophically wrong.Not being allowed to use special characters can be a sign of the website saving your password in plain text.
It can be. Or it can be someone that had to deal with users (or was trained about it) and is limiting the chances of a user being kept out because they type something that looks like their password but isn’t, and then have to go to support.
Try this one, has lots of special characters:
a_a_a_a_a_a_a_aThis one too: _____________
or the entirety of the Bible with special characters removed and spaces replaced with underscores
recently did one that only cared about being very long, so i typed thispasswordisfuckinglong and it took it
Password length is more secure than complexity.
“for best results, your password should be the street you grew up on or your favourite book”
Use a password manager
I hate these arbitrary limitations of 16 characters, 25 is unbreakable and some sites won’t allow longer than 16 20, I’ve even had one site not allow over 6.
At least if you ever forget it, they’ll be able to email it to you.
I mean, 63^6 is a lot of possibilities, but just make the password longer to increase its security.
Blocking out special characters is dumb, but as others have pointed out, they’re probably not sanitizing inputs.
Ah, I’ve done that before, 1/100 odds it’s because someone doesn’t want to fuck with RegEx.
