Comment by terribleperson
8 hours ago
You say locking oneself out, but I decline to consider any situation where a password can be set but not later entered as one where the user bears even a modicum of fault.
I remember a website that silently removed everything but the first 8 characters from the "password" field upon registration but somehow didn't do the same on the login page. It took me several hours and several password resets to actually log in after registration, since for some reason the trimming happened client-side and only when typing the password manually (and I was pasting my password from a password manager).
In a similar vein, I remember encountering a site where the frontend enforced basic complexity requirements à la “use at least one number and one symbol” but the system would silently drop all non-alphanumerics when it saved (presumably in some kind of failed conversion on the way into the backend DB). So setting a password like “foo_bar4!” would become “foobar4”, which was surprising. What blew my mind though was when I figured out the stripped password worked to log in, which was how I eventually figured out what was happening, escaped the reset flow, and generated a compliant password.
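Both anecdotes above (the 8-character truncation and the dropped symbols) are the same defect: the registration path transforms the password before hashing and the login path does not, so the credential the user set can never be entered. The following is an added example, not code from any site or commenter in this thread, that reproduces the two mangling behaviours described (in a deliberately constructed `buggy_register`) beside a consistent implementation, and then runs a round-trip audit that a team could put in their test suite: every probe password must verify after being set. The probe passwords and the `alice` user are constructed for the example.

```python
"""Round-trip audit for password set/verify consistency.

Constructed example: `buggy_register` mimics the two bugs described in the
thread (truncate to 8 chars, drop non-alphanumerics) while its verify path does
no such mangling. `safe_register`/`safe_verify` share one hashing helper so the
set and verify paths can never diverge.
"""
import hashlib
import hmac
import os
import re
from typing import Callable, Dict, List, Tuple

Store = Dict[str, Tuple[bytes, bytes]]  # username -> (salt, pbkdf2 digest)
Register = Callable[[Store, str, str], None]
Verify = Callable[[Store, str, str], bool]


def _hash(password: str, salt: bytes) -> bytes:
    # One shared hashing helper; both correct paths call exactly this.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def buggy_register(store: Store, user: str, password: str) -> None:
    # Constructed reproduction of the thread's bugs: symbols are silently
    # dropped and the result is silently cut to 8 characters before hashing.
    mangled = re.sub(r"[^0-9A-Za-z]", "", password)[:8]
    salt = os.urandom(16)
    store[user] = (salt, _hash(mangled, salt))


def buggy_verify(store: Store, user: str, password: str) -> bool:
    # The login path hashes the password exactly as typed, so anything the
    # registration path mangled can never match.
    salt, digest = store[user]
    return hmac.compare_digest(_hash(password, salt), digest)


def safe_register(store: Store, user: str, password: str) -> None:
    # No truncation, no character filtering: hash what the user actually set.
    salt = os.urandom(16)
    store[user] = (salt, _hash(password, salt))


def safe_verify(store: Store, user: str, password: str) -> bool:
    salt, digest = store[user]
    return hmac.compare_digest(_hash(password, salt), digest)


def login_succeeds(register: Register, verify: Verify,
                   set_pw: str, login_pw: str) -> bool:
    """Set `set_pw` for a fresh user, then attempt login with `login_pw`."""
    store: Store = {}
    register(store, "alice", set_pw)
    return verify(store, "alice", login_pw)


def roundtrip_ok(register: Register, verify: Verify, password: str) -> bool:
    """The property every credential store must satisfy: set(p) then verify(p)."""
    return login_succeeds(register, verify, password, password)


# Constructed probes, each exercising a different way a pipeline might mangle
# input: plain short, symbols, long with separators, mixed, exactly 8 alnum.
PROBES: List[str] = [
    "short1",
    "foo_bar4!",
    "correct-horse-battery-staple-9",
    "Tr0ub4dor&3",
    "abcdefgh",
]


def audit(register: Register, verify: Verify,
          probes: List[str] = PROBES) -> List[str]:
    """Return the probe passwords that fail the set-then-verify round trip."""
    return [p for p in probes if not roundtrip_ok(register, verify, p)]


if __name__ == "__main__":
    print("buggy pipeline failing probes:", audit(buggy_register, buggy_verify))
    print("safe pipeline failing probes: ", audit(safe_register, safe_verify))
    # Reproduces the thread's observation: the stripped form logs in.
    print("stripped form accepted by buggy pipeline:",
          login_succeeds(buggy_register, buggy_verify, "foo_bar4!", "foobar4"))
```

The audit catches the defect without knowing which transformation is at fault: any probe that fails the round trip is a bug report in itself. It also pins down the commenter's observation that the stripped form is what the buggy store actually holds, which is why `login_succeeds(buggy_register, buggy_verify, "foo_bar4!", "foobar4")` is true while the round trip for `"foo_bar4!"` is false.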
We're so far down this path the language around the problem is distorted. Ownership has been perverted and the only thing you control is the bill.
Relevant xkcd: https://xkcd.com/2700/