this post was submitted on 09 Apr 2025
244 points (98.4% liked)

Programmer Humor

Funny thing at work, I was handling some legacy users - we need to make sure that on the next login, if they have a weak password, they have to change it.

So the whole day I'm typing "123" as a password, 123 123 123 123 all good. So finally I'm done and now I'm testing it, and accidentally I type 1234 instead of just 123. Doesn't really matter, either is "weak", so I just click "Login".

Then goes Chrome, "1234 is known as a weak password, found in breaches, you should change it".

So TIL 123 is still good.

top 50 comments
[–] dev_null@lemmy.ml 9 points 2 days ago

My guess would be that the password checking feature has a minimum character limit of 4 characters, to avoid false positives on things that aren't actually passwords.

[–] Nastybutler@lemmy.world 53 points 3 days ago* (last edited 3 days ago) (2 children)

1234? That's amazing! I have the same combination on my luggage!

[–] Nastybutler@lemmy.world 26 points 3 days ago (1 children)
[–] Klear@lemmy.world 6 points 3 days ago

123456? That’s amazing! I have the same combination on my luggage!

[–] owenfromcanada@lemmy.world 39 points 3 days ago (4 children)

If you're looking to see how strong a password really is, check it here.

[–] Aussiemandeus@aussie.zone 5 points 2 days ago

Weird that it asks for your email before you can test your password

/s

NEAL.FUN*ThePasswordGame1 is a good password.

[–] ExtantHuman@lemm.ee 2 points 2 days ago

Nice try...trying to steal my passwords...

[–] hakunawazo@lemmy.world 13 points 3 days ago (2 children)

"The roman numerals in your password should multiply to 35." Ah crap.

[–] Aussiemandeus@aussie.zone 5 points 2 days ago (2 children)

Today's wordle answer killed me

[–] Krelis_@lemmy.world 2 points 2 days ago

It's:

Spoiler: Arrow

Tip: Make it 'Narrow' so you also have an atomic symbol (Na)

[–] Matriks404@lemmy.world 3 points 2 days ago (1 children)

The best move in algebraic chess notation killed me. Maybe some day I will beat this game dammit!

[–] jnod4@lemmy.ca 4 points 2 days ago

I gave up after the atomic numbers must add up to 200

[–] Krelis_@lemmy.world 2 points 2 days ago (1 children)

Just get a V and a VII in there

[–] TootSweet@lemmy.world 24 points 4 days ago (1 children)

Where I work, the infra folks are way overworked. Getting them to do things is impossible given their existing todo list. And when you do get them to do something (by throwing managers at them) they half-ass it.

(I'm not blaming them. I blame the managers. It is frustrating though. Anyway.)

And as a result, there's one system that I use frequently that they set up, but cut corners and never hooked it up to our single sign-on solution. And so in order to get into this system, everyone has to use a shared username/password. "readonly:readonly". And every time I log in, my browser nags me about the known weak password.

[–] Kissaki@programming.dev 16 points 3 days ago (2 children)

So, is the account actually read-only?

[–] TootSweet@lemmy.world 9 points 3 days ago

I'm not sure I've ever tried to do any write operations. I'm honestly not even sure the service behind that login page offers any write operations. I might have to check sometime. I'm curious.

[–] zerofk@lemm.ee 8 points 3 days ago

No, only the password is.

[–] ExLisper@lemmy.curiana.net 22 points 4 days ago (12 children)

Everyone post your favorite strong password!

[–] Alexstarfire@lemmy.world 5 points 2 days ago

Correct.staple.horse.battery

[–] thr0w4w4y2@sh.itjust.works 43 points 4 days ago (1 children)
[–] Valmond@lemmy.world 33 points 4 days ago (1 children)
[–] zlatko@programming.dev 10 points 3 days ago

hunter2

it doesn't look like *s to me

[–] zerofk@lemm.ee 15 points 3 days ago (1 children)

Correct house stapler battery

[–] unbuckled_easily933@lemmy.ml 1 points 3 days ago (1 children)
[–] Hagdos@lemmy.world 2 points 2 days ago

Nono, that would be unsafe

[–] Irelephant@lemm.ee 7 points 3 days ago
[–] Artyom@lemm.ee 10 points 3 days ago

I always go with password2 cuz everyone throws a fit about password1 being insecure.

[–] Mutterwitz@discuss.tchncs.de 6 points 3 days ago (2 children)

Bananabananabananaterracottabananaterracottaterracottapie

[–] DannyBoy@sh.itjust.works 2 points 3 days ago

Vicinity of obscenity in your eyes

Longing. Rusted. Seventeen. Daybreak. Furnace. Nine. Benign. Homecoming. One. Freight car.

[–] Kissaki@programming.dev 7 points 3 days ago* (last edited 3 days ago) (1 children)

3bitswalkintoabarandoneflips

[–] ExLisper@lemmy.curiana.net 6 points 3 days ago (3 children)

No upper case or special chars? Kinky!

[–] Robust_Mirror@aussie.zone 1 points 2 days ago

travesty1$urged3$Lofty$Suggest$2doric$altitude3$napping5$herman$1Discuss$alton2$tripe0$Energize$Lumber$yank2$console7

[–] eager_eagle@lemmy.world 3 points 3 days ago (1 children)
[–] spongebue@lemmy.world 20 points 4 days ago (3 children)

How does the system know that an already-established password is weak if not in plain text? Or are you saying you have a set of passwords, each of which has gone through the same cipher algorithm, and see if there are any matches?

[–] bamboo@lemmy.blahaj.zone 33 points 4 days ago

On browser-side implementations or extensions, they can see the input into the form field. As for plain text, generally sites will send the plaintext password over HTTPS when logging in, and it's the server side which hashes/salts, and compares to the value in the DB. Sites can reject or inform users of bad passwords this way, generally when changing the password. Cloudflare does offer a product to do this for sites to add warnings to the user if the credentials were found in a breach. More information on that here: https://blog.cloudflare.com/privacy-preserving-compromised-credential-checking/

[–] pelya@lemmy.world 13 points 4 days ago (1 children)

Password strength is usually checked inside your browser, not on the server.

[–] spongebue@lemmy.world 12 points 4 days ago (4 children)

When setting it, sure. But if we're talking about next login, that would imply we're talking about passwords established in the database/server.

Then again, you do have that plaintext password available when it's entered. Rather than checking what's in the database, you could see what's in the form that just triggered a successful login. That's not as scary.

[–] biscuitswalrus@aussie.zone 3 points 3 days ago* (last edited 3 days ago)

Enterprise applications are often developed by the most "quick, ship this feature" form of developers in the world. Unless the client is paying for the development, a quick look at the SQL table often shows unsalted passwords in a table.

I've seen this in construction, medical, recruitment and other industries.

Until cyber security requires code auditing for handling and maintaining PII as law, mostly it's a "you're fine until you get breached" approach. Even things like ACSC, the Australian Cyber Security Centre, have limited guidelines. Practically worthless. At most they suggest having MFA for web-facing services. Most cyber security insurers have something but it's also practically self-reported. No proof. So if someone gets breached because someone left everyone's passwords in a table, largely unguarded, the world becomes a worse place and the list of user names and passwords on haveibeenpwned grows.

Edit: if a client pays and therefore has control to determine things like code auditing and security auditing etc as well as SAML etc etc, then it's something else. But say in the construction industry I've seen the same garbage-tier software used at 12 different companies, warts and all. The developer is semi-local to Australia, ignoring the offshore developers.

[–] Aurenkin@sh.itjust.works 6 points 3 days ago

You would have the plaintext password at login time based on the users input. I'm guessing that's why it happens at login time rather than proactively asking people to update their passwords.
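
Putting bamboo's and Aurenkin's explanations (and the login-time check the OP describes) into code, as an added example that is not from any commenter or vendor: the server verifies the salted hash it stores, and only after a successful login inspects the plaintext it has just received, applying a length floor and a hash-prefix breach lookup in the style of the range query the linked Cloudflare post describes. BREACHED_PASSWORDS, MIN_LENGTH and the user table are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a compromised-credential list (assumption: a real
# deployment would query a range API like the one in the linked Cloudflare
# post; this tiny local set keeps the example runnable offline).
BREACHED_PASSWORDS = {"1234", "123456", "password1", "hunter2", "readonly"}
MIN_LENGTH = 8  # assumed policy floor; catches "123" without needing it in any list

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Server-side salted hash: this is what the DB stores, never the plaintext."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], stored)

def _sha1_split(password: str) -> tuple:
    """5-hex-char prefix and remaining suffix, as used by range (k-anonymity) queries."""
    h = hashlib.sha1(password.encode()).hexdigest().upper()
    return h[:5], h[5:]

def suffixes_for_prefix(prefix: str) -> set:
    """Plays the breach service: it sees only the prefix and returns every
    matching suffix, so it never learns which password the client holds."""
    return {s for p, s in map(_sha1_split, BREACHED_PASSWORDS) if p == prefix}

def is_breached(password: str) -> bool:
    prefix, suffix = _sha1_split(password)
    return suffix in suffixes_for_prefix(prefix)

def make_user_db(credentials: dict) -> dict:
    """Constructed user table: only salt and hash are kept per user."""
    db = {}
    for user, pw in credentials.items():
        salt, digest = hash_password(pw)
        db[user] = {"salt": salt, "hash": digest}
    return db

def login(username: str, password: str, user_db: dict) -> dict:
    """Verify against the stored hash first; only then inspect the plaintext
    the user just submitted, and flag the account for a forced change."""
    record = user_db.get(username)
    if record is None or not verify_password(password, record["salt"], record["hash"]):
        return {"ok": False, "must_change_password": False}
    weak = len(password) < MIN_LENGTH or is_breached(password)
    return {"ok": True, "must_change_password": weak}
```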

[–] WhiskyTangoFoxtrot@lemmy.world 15 points 3 days ago

So my luggage is still safe.

[–] F04118F@feddit.nl 16 points 4 days ago* (last edited 4 days ago) (1 children)

I bet that 1234 is used more often because of the 4-character minimum, like PIN codes on debit cards. It's 4 characters so it's safe. 123, on the other hand, is not safe, because it is 3 characters. /s

My solar inverter admin interface has a certain 4-digit password. So I wanted to change it to secure it, and found out that it only allows 4-digit passwords. Luckily the access point can be set up with a higher entropy password though (it is constantly advertised and had a very "secure" 8-digit password by default, I think you can guess which one)

[–] mattd@programming.dev 3 points 3 days ago