Thread by Dmitrii, 13 tweets, 3 min read
If you follow @troyhunt and @lukew you know how bad things are around passwords, password forms, and password requirements. At the same time you're thinking: "it can't be *that* bad, can it?"

Oh, boy. A thread with nine examples

1/12
My laptop was stolen. So I decided to go through ~300 accounts stored in my 1Password looking for weak passwords, 10-year-old passwords etc. And updating them.

I updated ~50 accounts. Too bad I was busy changing passwords and not taking screenshots. Here's what I found:

2/12
- If you use a password manager, you will have to copy-paste the new generated password into the "New password/Reset password" form.

Pasting text will not trigger form validation. You have to at least delete and re-type a character. The most common problem.

3/12
- "Your password must be less than 20 characters" (PayPal)

4/12
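The paste problem in tweet 3 (and the length limit in tweet 4) come down to what the page's validator listens for and what it allows. The block below is an added example, not code from the thread or from any site it names: it simulates the browser's event order for typing versus pasting, then runs the same length check bound to `keyup` (misses the paste) and to `input` (fires on every value change, paste included). The policy limits, the fake input element and the sample password are all constructed for the example.

```javascript
// Added example, not from the thread. Browsers fire `input` for every change
// to a field's value (typing, paste, drag-and-drop, autofill); `keydown`/`keyup`
// fire only for physical key presses. A validator bound to key events therefore
// never runs when a password manager's value is pasted in, and the submit
// button stays disabled until the user deletes and re-types a character.
// The DOM is simulated so this runs under Node (v15+) without a browser.

// Policy limits are assumptions for this example, not any real site's rules.
// The maximum is deliberately generous so manager-generated passwords fit.
const MIN_LENGTH = 12;
const MAX_LENGTH = 128;

// Returns null when the password is acceptable, else an error message.
function validatePassword(pw) {
  if (pw.length < MIN_LENGTH) return `at least ${MIN_LENGTH} characters`;
  if (pw.length > MAX_LENGTH) return `at most ${MAX_LENGTH} characters`;
  return null;
}

// Minimal stand-in for an <input> element: a value plus an event target.
class FakeInput extends EventTarget {
  constructor() { super(); this.value = ''; }
}

// Event sequence a browser produces when the user types one character.
function simulateTyping(field, ch) {
  field.dispatchEvent(new Event('keydown'));
  field.value += ch;
  field.dispatchEvent(new Event('input'));
  field.dispatchEvent(new Event('keyup'));
}

// Event sequence for a paste: `paste`, value change, `input`. No key events.
function simulatePaste(field, text) {
  field.dispatchEvent(new Event('paste'));
  field.value += text;
  field.dispatchEvent(new Event('input'));
}

// Attach the validator to `eventName` and expose the form state it drives.
// Binding to 'keyup' is the bug; binding to 'input' is the fix.
function bindValidator(field, eventName) {
  const state = { error: 'not yet validated', submitEnabled: false };
  field.addEventListener(eventName, () => {
    state.error = validatePassword(field.value);
    state.submitEnabled = state.error === null;
  });
  return state;
}

// Walk both variants through the same paste and report what the user sees.
function demo() {
  const generated = 'Xk9$vQ2!mPz7wL4nRb8e'; // constructed 20-char manager output

  const buggyField = new FakeInput();
  const buggy = bindValidator(buggyField, 'keyup');
  simulatePaste(buggyField, generated);
  const buggyAfterPaste = buggy.submitEnabled;   // false: validator never ran
  simulateTyping(buggyField, '!');               // any key event after the paste
  const buggyAfterRetype = buggy.submitEnabled;  // true: the re-type workaround

  const fixedField = new FakeInput();
  const fixed = bindValidator(fixedField, 'input');
  simulatePaste(fixedField, generated);
  const fixedAfterPaste = fixed.submitEnabled;   // true: validated on the paste

  return { buggyAfterPaste, buggyAfterRetype, fixedAfterPaste };
}

console.log(JSON.stringify(demo()));
```

The fix is a one-word change in `bindValidator`: listen for `input`, never for key events, and the form validates whatever arrives in the field, however it got there. The `MAX_LENGTH` of 128 is there to contrast with a cap under 20 characters, which rejects the very passwords a manager generates; any upper bound should exist only to keep hashing cost bounded, not to constrain the user.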
- Any number of third-party scripts will be running on any page of your account, including password reset pages.

A reCaptcha on a password reset page? Why not? (PragProg)

5/12
- You registered with an email, but you have to log in with a username, or vice versa (WordPress)

6/12
- Effing SPAs. Click the "Sign In" button, provide username and password, get shown the front page again with "Sign In". 10-20 seconds later it's replaced with the relevant account links

7/12
- Password reset not available in the app, or on the website, or in the mobile version of the website, and you can't get out of the mobile version. (Slack is guilty of at least one of them)

8/12
- Where would you put the link to change your password? How about creating a button at the very bottom of your "edit profile" page right next to the "Update Data" button (Sunfleet)

9/12
- Password reset links go through trackers (sometimes third party trackers because you know, you gotta track clicks in emails)

10/12
- Central login hubs and account management systems that lose your login status, end up in endless redirects, know who you are in only half of the connected systems. Or keep you logged in when you've logged out. (JetBrains, Google, Yahoo, Microsoft, the list goes on)

11/12
Everyone is guilty: big companies, small companies, dev and user darlings.

The next security or data breach, or stolen accounts? I can't imagine why it would ever happen in a security-conscious industry like ours.

If you've reached this, go and check your passwords :)

12/12