"Password" by PervisTime

If they just showed the password rules on the login page, this would happen 80% less often to me.

It's so annoying to have to discover the rules one rejected attempt at a time. Worse yet: sometimes you just get vague feedback a la "password contains illegal characters". I usually let KeePassXC generate a safe password for me but in that case I then have to manually permutate the different character classes (numbers, letters, spaces, punctuation, etc) until I find the offender. No good.
- Password must contain an uppercase letter.
  Password must contain a special character.
  Not that one.
  Not that one either.
  Nearly had it there! Too bad you only get 5 attempts. Account locked.
- One time i hand to look up what "half width character" even was. Answer lower case
If they just showed the password on the login page, this would happen 100% less often to me.
- Use a password manager. The fact you use the same password on every site is very disturbing.
  KeepassXC (KeepassDX on android, I don't know what I apple option is) is a good free open source option.
- I like $ and # as chars to put as the mandatory special when the requirements are hard to find

"Password is already taken by user123"

That's number 1 in how to tell the organisation has really bad password management
Number 2 is getting an email:
Welcome to shittyTech
Your account is successfully created with name "psud", password "T<©"9_Pt#sbw«:r_R }$° Z-"
*Edited to have a password like a sensible modern user would let their password manager set, instead of the XKCD one
- I don't minde the email when it continues with "please change the password when you first log in"

that last panel is freaking hilarious

I don't understand what it's communicating. Is he happy? Did he give up on technology, or society altogether?
- He's reexamining his life.
- relevant

Wait. This is starting to sound like it is no longer a user error.

I swear I've had this happen even with password managers, where there's no way it's being typed incorrectly. Some possibilities:
They're truncating on one form but not the other
They're being case insensitive on one but not the other
They're otherwise filtering certain characters on one but not the other
None of which bode well for that company's password handling security.
- My electric and gas utility truncates passwords, but lets you type hundreds of chars when setting a new password
  To log in, you need to intuit how much of your password they're using, if you enter too many chars it fails like in the op image
- I hit the truncation thing just yesterday. People seriously have a password input clipped at like 16 characters. A big company too.
- I've had that happen a couple of times too. In the most striking example, I was able to log in by typing html escape tags instead of the special characters in the password. ... ... That's a very bad sign for the website security for several obvious reasons.
- Walmart's internal systems used to do this, if you used a special char in your password (such as an % or &) on newer devices you couldn't log in anymore, only solution was having HR reset your login lol
- None of these possibilities have any effect on their password handling security since all of that is usually handled on the frontend (on your computer).
My company forces me to change the password every 3 months AND I cannot use the last 10. I use a very strong password and this rule is ridiculous. So I just change it 11 times, iterating a number at the end until I can use my last one. Fuck you.
Also correcthorsebatterystaple.
- The more convoluted the Password rules are, the more sticky notes with the monthly password are found.
- You get three whole months? We have to change ours monthly. Everyone has passwords written on our laptops.
- Couldn't a password manager generate and remember them for you?
- I feel your pain. Then again,, that is a good way to exercise your brain, getting you some new/fresh braincells.
  Your "future you" will definitely appreciate those "brain workouts".

"Your password is incorrect"

"Oooooh..."

Types "incorrect"

Tell me you’ve had a data breach without telling me you’ve had a data breach.

This'll happen if there's been a suspected data breach with poor password encryption or requirements. Gotta be safe and change the algorithm, breaking everyone's existing passwords. But yeah, it is annoying...

I wouldn't have a problem with this if the website just told us there was a breach and we need to change our password. The problem is when they gaslight me about it.
It also happens with the following process:
create a new 20 char password
system truncates your input to 16 chars
try to log in with your 20 char password, fail since it doesn't match the hash for the 16 char version of it
go to 1 (or follow the op image if you use the same pass)
Oh, I thought it had something to do with password hashes, where websites don't actually know your password, but if the hash is the same, then it assumes that you entered the right PW. At least that's how my non-technical brain understands how it works.
- That's correct, let's say a database was breached and the hacker has every user and their password hashes. They can login with testuser@email.com with password "password123" and see if the generated hash matches any other user's password hash. If so, they might be able to hack many accounts with the same password or even reverse engineer and decrypt every other password.
  Developers can make the hash more secure by adding arbitrary characters to the password (aka a salt), and this becomes the site's "authentication algorithm". But if the hashes are stolen, it may be a matter of time before the algorithm is figured out, which leads to updates, which leads to your pre-existing hash no longer matching.