If there has been a data leak, they might block your current password because the hash has been leaked
this post was submitted on 10 Jan 2025
308 points (96.1% liked)
Cybersecurity - Memes
2634 readers
1 users here now
Only the hottest memes in Cybersecurity
founded 2 years ago
MODERATORS
Yes, that might be a plausible theory. Basically a bad yersion of you must change your password.
How would that be considered bad? Is this some meme I'm too stupid to understand or something?
It would be better if the login flow said something like
For security reasons, we ask you to set a new password, please use the "password forgotten" function to gain access again.
instead of me being puzzled why my password doesn't work.
except now anyone guessing your password knows when they guess your password right? while that site is safe most users use the same password and any site they use with the same email is now vulnerable.
Yes... but your credentials are already for sale in the darknet
Only the hash, not the password
I mean they can guess the password you used previously that no longer works...?
If there has been a data leak, they might block your current password because the hash has been leaked
I'm sure that makes them feel much better, lol.
The leak doesn't even need to happen on their site, they could check the password hash against known leaked hashes (from have I been pwned for example) and block it
I once had to reset my password as the new one got truncated without telling me.
Yes. It was deemed too long.
It was for an company that got plenty of my personal data
Why on earth would someone truncate a password? I could make at least 10 more memea about bad handling of passwords
Why? Probably some wild row length limit being hit where a table storing user data was storing an asinine amount of data, just terrible DB organization in an org where someone said “who even needs a DBA.”
How? If you can truncate user passwords, you should never handle user passwords again, unless you’re a student or hobbyist learning a valuable lesson.
How? If you can truncate user passwords, you should never handle user passwords again, unless you’re a student or hobbyist learning a valuable lesson.
Yeah. The real reason to be alarmed is worse than the obvious one.
If a partial version of what was originally set actually works later, it implies a scary chance they're not even hashing the password before storing it.
I think it's a nonzero chance they're not hashing it. Pretty much every hashing function, in the interest of preventing collisions, provides vastly different responses on small amounts of input. Even if they were hashing it, it would just appear to be the same password in a situation where they somehow got a collision, but again, the column length for passwords would always be fixed since a hash function always outputs the same data length.
Also suggests the user may be reusing the same prefix if only the changed bits are getting truncated.
Should use different random passwords every time. Completely random or a random string of words. While it doesn't solve the cleartext password storage issue, a data breach won't compromise all your other accounts to same degree.
Doesn't hurt to also randomize usernames, emails, and even security question answers.
edit: or my new favorite passkeys, just make sure you trust whatever tool is managing your private keys.
Not how password hashing works. Demonstrated with sha256:
hunter2butitsreallylong:
a9953dfbfec699349341edc857dcfe5c7a617c81f312cf57297d5b852881bab3
hunter2:
f52fbd32b2b3b86ff88ef6c490628285f482af15ddcb29541f94bcf526a3f6c7
a hash algorithm encompasses all provided data and returns a single fixed length data response
https://en.wikipedia.org/wiki/Cryptographic_hash_function
Any changes, even just removing a few characters, drastically changes the output of the hash function (https://en.wikipedia.org/wiki/Avalanche_effect)
You have no way of knowing a user password when you are storing hashes, you can't truncate them, and the user password length doesn't matter (up to a certain point where it's technologically dumb to hash user input over a certain amount of data)
I do agree however that changing / randomizing your password is important, as someone brute forcing or running rainbow tables etc on a hash dump can quickly attack a common password across different dumps
Ultimately we don't know the implementation. I've seen some bad sites like stealth truncating on the registration form but leaving the login form unbounded so the password you pasted in both times doesn't work.
Separate issue from truncating, I get suspicious when I see passwords capped to 16-20 chars for the reason you gave that they should be stored as fixed length hashes.
That’s true, there’s no way to know what sort of back asswards string modifications are happening to the password before it makes it to a hashing function, if it ever does. But the OP did say they told him his previous password was too long, and he was required to change it, so they were either storing it in plaintext, or storing the length of it somewhere. One is really really bad, one is weird, but also bad
There's no good reason. Whoever did it, did it for a bad reason. (Oh, well, there's no good reason until you reach several thousand characters.)
That said, it could be worse. Some sites do not truncate your password at the creation form, and only truncate it on the login screen. (Yeah, that happened to me, in 2 different sites.)
Why is it always the one's for whom security is of utmost importance?
Login to meme account to share shitposting on the internet: top notch up to date security.
Login to the bank who actually handle my money: Clown ass security practices on obsolete infrastructure.
Yep, one of mine was the federal government's bounds buying portal...
They improved since then, but it's always the entity that holds your money or oversees your health...
This often happens when you entered the right password but have a typo in the user name. Everyone tries the password again, but nobody spell checks their email or username.
You're right, this is plausible
What about my banking app????
Six digits!!! Only six digits!!!
this is probably some half of the site is silently truncating the password, while the other half isn't
Or adding a space because pasting. That happens a lot too
It's surprisingly often that the login page doesn't use the same password processing code as the password reset/account creation pages, and it can be very frustrating at times.
I had this happen once where input validation on login and password change were different. I was allowed to set my password to a string containing a special character not accepted by the login form. Top men.
I've had a similar experience with a service that automatically truncated passwords if they were too long
Note that for others reading this, what normal people think of as too long probably doesn't signify. Some asshat somewhere may have decided greater than something like 8 characters is "too long." Without telling you. Said asshat may indeed even be on the database side, and concluded somehow that varchar(8) should be sufficient for storing passwords. Right???
It is not only easy for flagrantly badly designed web systems to display this behavior, but also depressingly common. And more closely the page or system you're using is related to your local government, the probability of it being hilariously incompetently designed moves ever closer to becoming 1.
Ya know what's actually even more absurd? The password was truncated on creation. The webpage allowed me to type 36 characters into the field, then only saved the first 30 of them.
I verified the full 36 character password before creating the account, and was immediately met with "wrong password." Noticed the 30 character limit when looking at the password change form, and tried cutting the last 6 characters off my existing password, which unfortunately was successful.
They must have been storing your password in plaintext on their end in order for that to work.
So not only did somebody forget a maxlength=30 on the field, but their validation on the server side was also crap. Genius!
Get a password manager.
I've never really understood why most systems are set up to reject a password reset if it's the same password. Is there a security issue there that I'm not picking up on?
It seems like they should just let you reset your password anyway if you've reached that screen (usually using some kind of authorisation, like using a link with a token in it that gets emailed to you or something).
The security risk I see is that the cause of you resetting your password could be that it is leaked. For that case, it is good to remind the user that they shouldn't override it with their current password. That said it would be nice to have a "I know what I am doing" option and allow it anyway
If you forgot your password and are trying to reset it with the exact same password you forgot, then you obviously don't know what you are doing.
Ah, that's a great point!
Having a "change password" option that allows you to not change your password would be somewhat strange ;)
As someone who regularly uses a vpn, I've noticed that there's a surprising number of sites that will just lock your account if they decide they don't like your ip address.
Yeah, I hate that. They don't always lock it but will just reject the password with no indication of why.
Lol I usually abort the password reset flow and try to login with the same password lmao
It's like when you are trying to blindly install a USB type A . First orientation is wrong so you flip it. Second orientation is wrong so you get confused and flip it again only for it work easily lol.
The joke I’ve heard is that USB cables exist in 4 dimensions, that’s why you need to flip them around twice before they connect.
They could be truncating the password in one form but not the other.
They're lying about the issue and don't trust that you're who you say you are. It's security systems 101. If you give informative error messages, they can be used to reverse engineer the password of accounts. So every error is going to be "incorrect password"
Sounds like security by obscurity to me. Works, but rarely the best solution.
That part is possible:
They’re lying about the issue and don’t trust that you’re who you say you are.
The rest of your comment is just bad. I doubt you even manage to keep that information secret, much less get a positive value out of the entire machination.