this post was submitted on 09 Sep 2024
595 points (99.5% liked)

Programmer Humor

19623 readers
2 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

founded 1 year ago
MODERATORS
 

Edit: @Successful_Try543@feddit.org solved it. It says "one special character". Not "at least one".

top 50 comments
sorted by: hot top controversial new old
[–] xmunk@sh.itjust.works 226 points 2 months ago (25 children)

It's fucking insane that an internet banking portal has such a low cap on max characters and such shitty rule enforcement.

[–] sorter_plainview 91 points 2 months ago (3 children)

Their desktop site is even more shitty. It won't allow right click or paste actions. There goes compatibility with password managers.

[–] superkret@feddit.org 59 points 2 months ago (1 children)

Bitwarden has a function where it types in (not pastes) the password and shows the prompt for it without right-click.

[–] Appoxo@lemmy.dbzer0.com 17 points 2 months ago (2 children)

And even if theres an app for Windows (https://github.com/jlaundry/TypeClipboard) that can type it for you and even has a shortcut.
I am sure someone in the linux world knows an equivalent tool.
We use it at work to paste long passwords when remoting in.

load more comments (2 replies)
[–] xmunk@sh.itjust.works 38 points 2 months ago (3 children)

As a super secret dev hack may I introduce you to shift + insert a fair few sites specifically block ctrl + v instead of properly disabling the clipboard action and, of course, if you read this and then submit a Jira ticket to block shift + insert... well... h8u

[–] LuycYQ2uUiTjR3yLri@sh.itjust.works 21 points 2 months ago

You can also drag the password in from another text field instead of pasting

[–] independantiste@sh.itjust.works 14 points 2 months ago (1 children)

I usually to in the developer tools and manually disable the thing preventing the paste action. It's usually a string to remove some JS or something or an Event that you need to uncheck

[–] xmunk@sh.itjust.works 18 points 2 months ago (1 children)

If you're opening up the dev tools you can also paste your string directly into <input value="" /> unless something weird is going on.

load more comments (1 replies)
load more comments (1 replies)
[–] Creat@discuss.tchncs.de 17 points 2 months ago

Any password manager should be able to "type in" the password. Or be a browser plugin that doesn't rely on copy pasting, but use other mechanisms to inject it directly into the field.

But yes, if that's their online portal, I am not kidding I would change banks.

[–] stealth_cookies@lemmy.world 33 points 2 months ago (1 children)

My bank's password used to have to be exactly 6 characters, no special characters and you could use numbers and letters interchangeably because it was also your phone banking password.

[–] hushable@lemmy.world 43 points 2 months ago* (last edited 2 months ago) (1 children)

a previous bank used to have a max password length of 8 characters, then proudly announced that they will increase it to 32

Then I made a typo at the end of my password and it let me in anyway, and I realised they were just trimming the first 8 characters to give the illusion of security

[–] Wizard_Pope@lemmy.world 15 points 2 months ago (1 children)

That is so insane. To think they would rather just clip the passwords instead of habing it be longer.

Did you try out your hypothesis by using the first 8 letters than just random junk until you hit your password length?

[–] hushable@lemmy.world 16 points 2 months ago (2 children)

I tried then first N characters of my password until I found out the threshold was at 8, then I tried with the first 8 chartacters of my password and then random junk and it worked.

I also had two friends in the same bank to validate

[–] Wizard_Pope@lemmy.world 12 points 2 months ago

Unbelievable.

load more comments (1 replies)
[–] DudeDudenson@lemmings.world 27 points 2 months ago (1 children)

Visa has a hard limit of 8 and requires the first 4 to be numbers because the phone tree might require it as a password

The whole banking industry is ridiculous and is ridiculously legislated

load more comments (1 replies)
[–] Flipper@feddit.org 20 points 2 months ago (1 children)

The ERP software I have to use has a strict limit of 6 characters as password. Only alphabet and numbers allowed.

Maybe when I leave I try an SQL injection.

[–] ICastFist@programming.dev 10 points 2 months ago

Bobby tables, noooooooo!

[–] ImplyingImplications@lemmy.ca 12 points 2 months ago

I had to create an account on a government website. The website didn't list a character limit so I used a password manager to generate a 32 character password. My account was created but I couldn't log in. I used the "forgot my password" option and I received an email of my password in plain text. I also noticed why I couldn't log in. The password was truncated to just 20 characters. Brilliant website! Tax dollars at work!

load more comments (20 replies)
[–] Successful_Try543@feddit.org 124 points 2 months ago* (last edited 2 months ago) (4 children)

It says one special character, not at least one. Maybe the password has more than one.

[–] sorter_plainview 106 points 2 months ago (3 children)

Holy shit!! You did it. I would never expect a banking password to max special characters. I have been scratching my head with Bitwarden and this shitty app for an hour.

[–] FederatedSaint@lemmy.world 48 points 2 months ago (4 children)

But wouldn't that mean the bottom checkbox should be cleared and the 2nd one should be checked?

Still doesn't make sense.

[–] sorter_plainview 23 points 2 months ago

Yeah that's true. The UI does not accurately represent the validation conditions.

[–] Panda@programming.dev 10 points 2 months ago

Yes, the 2nd one implies that there should be more than one.

load more comments (2 replies)
[–] tooLikeTheNope@lemmy.ml 20 points 2 months ago* (last edited 2 months ago)

Yeah but It still states "A combination of letters, digits and special charaters"

It should then be spelled as "A combination of letters digits, and one special character"

[–] superkret@feddit.org 13 points 2 months ago

It's like a Captcha that only lets in autistic people.

[–] kionite231@lemmy.ca 10 points 2 months ago (1 children)

You solved the puzzle! here is a cookie for you :D 🍪

load more comments (1 replies)
load more comments (2 replies)
[–] xoggy@programming.dev 66 points 2 months ago (8 children)
load more comments (8 replies)
[–] superkret@feddit.org 56 points 2 months ago (1 children)

It says “one special character”. Not “at least one”.

oh. oh god. what the fuck.

load more comments (1 replies)
[–] oo1@lemmings.world 49 points 2 months ago

If >1 special character is not allowed the last check should be failed . The second check is literally satisfied even if there are 2+ specials.

I'd not be using that bank.

[–] refalo@programming.dev 28 points 2 months ago (2 children)

Now imagine how many services just silently cut off your password at 8 characters and people never notice.

UltraVNC is very guilty of this.

[–] Scoopta@programming.dev 16 points 2 months ago

Wells Fargo cuts to 14 on their sign in page but not on their change password page, ask me how I know

[–] Buddahriffic@lemmy.world 12 points 2 months ago (7 children)

Once upon a time, battle.net passwords weren't case sensitive. I used upper and lower case letters in my password then one day realized I didn't hit shift for one of the caps as I hit enter out of habit, but then it still let me in instead of asking for the password again.

It was disappointing because it takes more work to remove case-sensitivity than to leave it. I can't think of any good reason to remove it. At least the character limit had a technical reason behind it: having a set size for fields means your database can be more efficient. Better to use the size of a hash and not store the password in plaintext, so it's not a good reason, but at least it's a reason.

[–] lud@lemm.ee 12 points 2 months ago* (last edited 2 months ago) (2 children)

It's possible that the passwords want through an old ass cobalt system or something that forced everything to be capitalized so to solve that they made everything non case sensitive.

But even that sounds insane as the passwords should have been hashed.

load more comments (2 replies)
load more comments (6 replies)
[–] Matriks404@lemmy.world 23 points 2 months ago (2 children)

Your Internet Banking Password should one special character (~!@#%^&*)

Great grammar on their part.

[–] WhiskyTangoFoxtrot@lemmy.world 9 points 2 months ago

Yeah, they noticed their mistake too late, hence the expletive.

load more comments (1 replies)
[–] tofubl@discuss.tchncs.de 22 points 2 months ago (1 children)
load more comments (1 replies)
[–] robdor@lemmynsfw.com 17 points 2 months ago

Maybe you accidentally did a permutation instead of a combination.

[–] TheSealStartedIt@lemmy.world 16 points 2 months ago* (last edited 2 months ago)

This was a new one for me:

this was a new one for me

Translation: Password strength: weak. Please don't use any special characters.

It was a generated 14 char password.. (╯°□°)╯︵ ┻━┻)

[–] merc@sh.itjust.works 12 points 2 months ago (2 children)

Noone should of aloud this code to go out the door. Atleast alot of other people people probably complained aswell, so your apart of a bigger group, incase you were worried.

spoilerAnd yes, this was painful to type.

[–] eclipse@lemmy.world 18 points 2 months ago (1 children)

Your comment is painful to read.

load more comments (1 replies)
[–] FuglyDuck@lemmy.world 12 points 2 months ago

My guess is they mean, one capital letter, one lower case letter, a number, and a special character

what's always amused me about these rules is that they exist because people are dumb. Technically, they lower the difficulty of the passwords slightly. ( for example, knowning that one character is a number reduces it to 10 options in stead of 10+26+26+whatever set of special characters)

anyhow. people should use password managers. just saying.

[–] Artyom@lemm.ee 12 points 2 months ago (2 children)
load more comments (2 replies)
[–] corsicanguppy@lemmy.ca 11 points 2 months ago* (last edited 2 months ago)

Please tell me someone didn't buy software with 'atleast' spelled like that in there. Please, tell me someone tested the web app and had the brains God gave a douglas fir and knew that wasn't a word; that it was never a word; that the writer's spell check should have picked that up; that it's not been over-ruled by stupid so much that it just takes it.

[–] addie@feddit.uk 9 points 2 months ago (4 children)

Well now. When we've been enforcing password requirements at work, we've had to enforce a bizarre combination of "you must have a certain level of complexity", but also, "you must be slightly vague about what the requirements actually are, because otherwise it lets an attacker tune a dictionary attack against you". Which just strikes me as a way to piss off our users, but security team say it's a requirement, therefore, it's a requirement, no arguing.

"One" special character is crazy; I'd have guessed that was a catch-all for the other strange password requirements:

  • can't have the same character more than twice in a row
  • can't be one of the ten-thousand most popular passwords (which is mostly a big list of swears in russian)
  • all whitespace must be condensed into a single character before checking against the other rules

We've had customers' own security teams asking us if we can enforce "no right click" / "no autocomplete" to stop their users in-house doing such things; I've been trying to push back on that as a security misfeature, but you can't question the cult thinking.

load more comments (4 replies)
load more comments
view more: next ›