I'm going to kill all of you
-
FartsWithAnAccent replied to [email protected] last edited by
Maybe it was just time, maybe your password got scrambled because your account was compromised: They'll never tell!
-
[email protected] replied to FartsWithAnAccent last edited by
Maybe for some. Government sites that I use do this deliberately (not accepting your current password) to make you change it. Pretty frustrating the first few times it happened, but now I know that when this happens it's because of a password change requirement. It's been years and they still haven't just made a "time to change" prompt.
-
minimum of 5 chars, max of 8
That's bizarre. I've never seen such a narrow runway for password length. Sounds like hell for sure.
-
Sometimes I wonder if they're doing it now to push passkeys
-
[email protected] replied to [email protected] last edited by
Step 1: find a phishing site.
Step 2: find/write a brute-force script that doesn't stop on a successful login but has a longer random delay between attempts (so it isn't obvious it's a form of DoS attack).
Step 3: poison the phishing site's data. Use proxies from areas that would normally use the service the phishing site is mimicking.
Bonus step: in case the phishers use the same proxy source, make enough invalid login attempts to the actual service to get the proxies' IPs blocked, so they can't use them to test the large number of invalid logins to find out if any are valid.
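Steps 2 and 3 of the post above, as an added example that is not code from the thread or from any real tool: a loop that feeds plausible-looking decoy credentials to a phishing form, never stops on a "successful" response, and spaces submissions with random jitter. The name and domain vocabularies, the password pattern, the 30 s base delay with 20 s spread, and the `FakePhishKit` stand-in for the phishing page are all assumptions made so the demo runs offline; the bonus step (burning the proxies against the real service) is deliberately not implemented.

```python
import random
from typing import Callable, List, Tuple

# Constructed sample vocabularies (not real people or leaked data) used to
# build decoy credentials shaped like the ones a phishing kit usually collects.
FIRST_NAMES = ["anna", "ben", "carla", "dev", "elena", "farid", "greta", "hugo"]
LAST_NAMES = ["muller", "okafor", "smith", "tanaka", "rossi", "novak", "garcia"]
MAIL_DOMAINS = ["gmail.com", "outlook.com", "yahoo.com", "proton.me"]
PASSWORD_WORDS = ["sunshine", "dragon", "football", "princess", "welcome", "summer"]


def make_decoy(rng: random.Random) -> Tuple[str, str]:
    """Return one (username, password) pair in the shape of a real user's.

    Assumption: the phisher filters obviously random junk, so decoys follow
    the word + number + symbol pattern that dominates real credential dumps.
    """
    first, last = rng.choice(FIRST_NAMES), rng.choice(LAST_NAMES)
    suffix = str(rng.randint(1, 99)) if rng.random() < 0.5 else ""
    user = f"{first}.{last}{suffix}@{rng.choice(MAIL_DOMAINS)}"
    word = rng.choice(PASSWORD_WORDS)
    if rng.random() < 0.6:
        word = word.capitalize()
    password = f"{word}{rng.randint(1, 2024)}{rng.choice('!@#$')}"
    return user, password


def decoy_stream(count: int, seed: int) -> List[Tuple[str, str]]:
    """Deterministic batch of decoys; the same seed gives the same batch."""
    rng = random.Random(seed)
    return [make_decoy(rng) for _ in range(count)]


def jittered_delay(rng: random.Random, base: float, spread: float) -> float:
    """Seconds to wait before the next submission: uniform jitter around `base`
    so the submissions do not form a fixed-period burst in the kit's logs."""
    return base + rng.uniform(-spread, spread)


def flood_phishing_form(submit: Callable[[str, str], int],
                        creds: List[Tuple[str, str]],
                        sleep: Callable[[float], None],
                        rng: random.Random,
                        base: float = 30.0,
                        spread: float = 20.0) -> int:
    """Submit every decoy, ignoring whatever the form answers.

    `submit` posts one pair and returns a status code. Unlike a credential
    stuffing loop, nothing here stops on a 200 or a redirect: the aim is to
    bury any real captures under plausible noise, not to find a working login.
    `sleep` and `rng` are injected so the loop can run offline and be tested.
    """
    sent = 0
    for user, password in creds:
        submit(user, password)          # status deliberately ignored
        sent += 1
        sleep(jittered_delay(rng, base, spread))
    return sent


class FakePhishKit:
    """Stand-in for the phishing page, so the demo never touches a network."""

    def __init__(self) -> None:
        self.records: List[Tuple[str, str]] = []

    def submit(self, user: str, password: str) -> int:
        self.records.append((user, password))
        return 302                      # kits typically redirect to the real site


def run_offline_demo(count: int = 5, seed: int = 7):
    """Run the loop against the fake kit; returns (sent, captured, delays)."""
    kit = FakePhishKit()
    delays: List[float] = []
    sent = flood_phishing_form(kit.submit, decoy_stream(count, seed),
                               delays.append, random.Random(seed))
    return sent, kit.records, delays


if __name__ == "__main__":
    n, captured, waits = run_offline_demo()
    for (u, p), w in zip(captured, waits):
        print(f"{u:32} {p:16} next in {w:5.1f}s")
```

Against a real kit, `FakePhishKit.submit` would be replaced by an HTTP POST to the form's action URL through one of the proxies from step 3 and `delays.append` by `time.sleep`; with the defaults, consecutive submissions are 10 to 50 seconds apart, which is slow enough not to look like a flood while still adding thousands of bogus rows per day.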
-
đ° đ đą đĻ đŗ đĻ đ° âšī¸ replied to [email protected] last edited by
Nah; this shit has been a thing since forever.
-
That pretty much narrows it down to MonthYear!
-
[email protected] replied to [email protected] last edited by
I want to do this now...
-
[email protected] replied to [email protected] last edited by
It's frustrating but it does give information to attackers. If an attacker just sees the login attempt was rejected, then they have no idea if it was because the password changed, the user entered it wrong in the phishing form, the user realized it was a phishing attempt and gave garbage to fuck with them, the password expired, or if the service provider is on to them.
If an attacker sees "your password has been reset and you must set a new one" then they have some information that could be used to social engineer their way into the account. Especially if it's a work account where the email is behind the same password.
-
My old job did this.
"Oh, Monkeybutthair01, 02, 03 have already been used... Monkeybutthair04 it is."
password updated
SECURITY.
-
I once had a user who managed to add a second keyboard layout by accident and switch to it on login. I found out when I reset his password and it still didn't work on the user's laptop, even when I typed it in myself.
-
Don't get me started on captchas
-
[email protected] replied to [email protected] last edited by
It's actually impossible to detect someone doing this without storing passwords in plaintext, which is incredibly insecure.
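The "Monkeybutthair01, 02, 03 has already been used" check from the earlier post and the question of what a service can detect without plaintext, as an added example that is not code from the thread: a per-account history that stores only salted PBKDF2-HMAC-SHA256 hashes and still catches exact reuse, then compares the new password against the current one (whose plaintext the user has just typed into the change form), and finally hashes a handful of plausible predecessors of the new password (trailing symbol removed, trailing counter decremented) and looks for them in the history. The variant list, the history depth, the 20 000 iteration count and the set of trailing symbols are assumptions for the demo; a production deployment would use a far higher cost or a memory-hard KDF.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Set, Tuple

# PBKDF2-HMAC-SHA256 with a per-entry random salt. The iteration count is kept
# low so the demo runs quickly (assumption); raise it, or use Argon2id, in
# anything real.
ITERATIONS = 20_000
HistoryEntry = Tuple[bytes, bytes]      # (salt, digest)
TRAILING_JUNK = "!@#$%^&*?."            # symbols users tack on the end (assumption)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def verify(password: str, entry: HistoryEntry) -> bool:
    salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt), digest)


def stem_of(password: str) -> str:
    """What is left of a password once a trailing counter and/or symbol is removed."""
    return re.sub(r"[\d!@#$%^&*?.]+$", "", password).lower()


def trivial_variants(password: str) -> Set[str]:
    """Guesses at what the *previous* password was, assuming the user derived
    the new one by appending a symbol or bumping a trailing number. Each guess
    is hashed and compared against history, so no plaintext is ever stored."""
    cands = {password, password.rstrip(TRAILING_JUNK)}
    for p in list(cands):
        m = re.fullmatch(r"(.*?)(\d+)", p)
        if m:
            stem, digits = m.groups()
            cands.add(stem)                       # bare stem, e.g. Monkeybutthair
            width, n = len(digits), int(digits)
            for k in range(1, 10):                # 04 -> 03, 02, 01, 00 (same padding)
                if n - k >= 0:
                    cands.add(f"{stem}{n - k:0{width}d}")
    cands.discard("")
    return cands


class PasswordHistory:
    """Keeps salted hashes of the last `depth` passwords for one account."""

    def __init__(self, depth: int = 5) -> None:
        self.depth = depth
        self.entries: List[HistoryEntry] = []

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, hash_password(password, salt)))
        self.entries = self.entries[-self.depth:]

    def reject_reason(self, current_password: Optional[str], new_password: str) -> Optional[str]:
        """None if the new password is acceptable, otherwise why it is not.

        `current_password` is the plaintext the user typed into the change form
        (in memory at that moment only); pass None when it is not available.
        """
        # 1. exact reuse: hash-only comparison against every stored entry
        for i, entry in enumerate(self.entries):
            if verify(new_password, entry):
                return f"password was already used (history slot {i})"
        # 2. plaintext-to-plaintext comparison with the current password
        if current_password is not None and stem_of(new_password) == stem_of(current_password):
            return "new password is a trivial variant of the current one"
        # 3. hash each plausible predecessor of the new password and look it up
        for cand in trivial_variants(new_password):
            if cand == new_password:
                continue
            for i, entry in enumerate(self.entries):
                if verify(cand, entry):
                    return f"trivial variant of a previously used password (history slot {i})"
        return None


if __name__ == "__main__":
    h = PasswordHistory(depth=3)
    for old in ("Monkeybutthair01", "Monkeybutthair02", "Monkeybutthair03"):
        h.record(old)
    for attempt in ("Monkeybutthair04", "Monkeybutthair02!", "correct horse battery staple"):
        print(f"{attempt!r}: {h.reject_reason('Monkeybutthair03', attempt)}")
```

Step 3 is where the cost lives: every candidate is one full KDF run per history entry, so the candidate list has to stay small and the history shallow. Anything the transform list does not anticipate (a different stem, a counter in the middle of the word) goes undetected, which is the real limit of hash-only checking.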