That just means they’re forcing everyone to change their passwords but they don’t want to come out and tell you about it.
If you’re lucky, some overzealous sysadmin is just trying to enforce regular password updates on his users, and makes them expire every once in a while.
More likely, there was a breach of some sort that they want to keep on the hush.
It’s also possible there’s a hidden max password size somewhere, like some fields only counting the first x characters of the password but it’s inconsistent across different forms.
Not sure what is worse, not telling you and giving an error or not telling you and letting you log in (ie truncating the password both times, letting you think your password is longer than it is)
but they don’t want to come out and tell you about it.
It also doesn’t require a code change to continue blaming the user when you invalidate all current passwords.
It’s a couple database queries to move all current passwords to old passwords, and change current (hashed) password for everyone to “deadbeef”. Nobody can guess a value that adds to their salt and hashes to “deadbeef”, and you get this behavior.
That just means they’re forcing everyone to change their passwords but they don’t want to come out and tell you about it.
If you’re lucky, some overzealous sysadmin is just trying to enforce regular password updates on his users, and makes them expire every once in a while.
More likely, there was a breach of some sort that they want to keep on the hush.
It’s also possible there’s a hidden max password size somewhere, like some fields only counting the first x characters of the password but it’s inconsistent across different forms.
USAA is guilty of this shit. Let’s you set a huge password. Truncates it. Doesn’t tell you about it. Error when logging in.
I want to beat the motherfucker behind this strategy.
E: Kagi too. I removeded out the support and I got a ‘meh, it should have told you’ response. Fix your shit.
Not sure what is worse, not telling you and giving an error or not telling you and letting you log in (ie truncating the password both times, letting you think your password is longer than it is)
The first is more annoying, the second is scummier.
Yep
It also doesn’t require a code change to continue blaming the user when you invalidate all current passwords.
It’s a couple database queries to move all current passwords to old passwords, and change current (hashed) password for everyone to “deadbeef”. Nobody can guess a value that adds to their salt and hashes to “deadbeef”, and you get this behavior.