I can tell when I’m being phished if my password works on the first try
this post was submitted on 21 Jan 2025
278 points (98.3% liked)
memes
11546 readers
2608 users here now
Community rules
1. Be civil
No trolling, bigotry or other insulting / annoying behaviour
2. No politics
This is non-politics community. For political memes please go to [email protected]
3. No recent reposts
Check for reposts when posting a meme, you can only repost after 1 month
4. No bots
No bots without the express approval of the mods or the admins
5. No Spam/Ads
No advertisements or spam. This is an instance rule and the only way to live.
A collection of some classic Lemmy memes for your enjoyment
Sister communities
- [email protected] : Star Trek memes, chat and shitposts
- [email protected] : Lemmy Shitposts, anything and everything goes.
- [email protected] : Linux themed memes
- [email protected] : for those who love comic stories.
founded 2 years ago
MODERATORS
Ok, that's pretty funny. Nicely done
Step 1: find phishing site
Step 2: find/write brute force script that doesn't stop on successful login but has longer random delay between attempts (so it isn't obvious it's a form of a DOS attack)
Step 3: poison phishing site data
Use proxies from areas that would normally use the service the phishing site is mimicking.
Bonus step: in case the phishers use the same proxies source, make enough invalid login attempts to the actual service to get the proxies IP blocked so they can't use them to test the large number of invalid logins to find if any are valid.
I want to do this now...
- Try to log in to my ISP's website. "Username not found."
- Try the password reset link and put in the username just to see what happens. "Password reset email sent."
- Email turns up. Click the link. Type a password. "Password reset successfully."
- Try to log in to my ISP's website. "Username not found."
This can occur when you're entering the correct password, but there is a typo in the username you entered. Nobody spellchecks the username.
It can also happen if your password expired. Active Directory is infamous for just locking accounts if your user doesn't change their password when they get the popup that it expired
They have nothing better to do than store a decade's worth of password hashes so that every 90 days I have to come up with a completely new password that's somehow magically different enough from every other password I've come up with in the past 10 years and is at least 10 characters from each of the 4 holy categories.
My current employer has the worst password policies of anywhere I’ve ever worked. I hate it. It’s insane. I know I can install a password manager, but the one that’s approved isn’t the one I want to use so I just suffer.
I’ve been in tech for decades now, so the above statement (worst ever) is truly horrific to me. Especially given that the job is so great otherwise and I don’t want to move on.
Must have lowercase, uppercase, numbers, symbols, minimum of 5 chars, max of 8. No dictionary words, no reusing characters (one char instance only), no numbers in order (123), no letters in order (abc nor qwe), nor in descending order (987, mnb). Caps lock is a unique character that must be used. Password expiration every 28 days. Cannot reuse old passwords, remembers last 10 passwords. Cannot add a number or letter at the end that causes an ascending or descending pattern. Password field cannot be pasted into.
They don't just store your current password. They keep the old hashes too. This error might really mean: "you've used this password before, you can't use it again. We do this as people seam to think they can go back to already compromised passwords."
Maybe time to look at a password manager.
Brutal truth: You entered it wrong that many times.
Yes, really.
No, I know: It's crazy.
Did you have capslock on?
Edit: lol, I get the angry downvotes but I promise you this happens all the time
That or you just being obligated to change your password.
Yeah, this. There are sites for some maddening reason that don't bother to tell you it's time to change your password, they just force you to reset it without telling you why. Gotta be some kind of lazy shortcut to do it this way and not prompt the user that a password change is required.
Maybe it was just time, maybe your password got scrambled because your account was compromised: They'll never tell!
Maybe for some. Government sites that I use do this deliberately (not accept your current password) to make you change it. Pretty frustrating the first few times it happened, but now I know that when this happens it's because of a password change requirement. It's been years and they still haven't just made a "time to change" prompt.
My old job did this.
"Oh Monkeybutthair01,02,03 has already been used....Monkeybutthair04 it is."
password updated
SECURITY. 👍👍
It's actually impossible to detect someone doing this without storing passwords in plaintext, which is incredibly insecure.
Don't get me started on captchas