The password entered is already in use



  • I got this when trying to re-register at a site where I'd forgotten my login details:

    "We're sorry, but we cannot process your request because of the following:
    The password entered is already in use."

    Awesome. Thanks for telling me that there exists a user with that password. In this case, the user is my other account (I've forgotten the login name but obviously not the password). I remember seeing this exact scenario somewhere else AS A JOKE. WTF?

    I have a screenshot but can't figure out how to post it.



  • @smxlong said:

    I have a screenshot but can't figure out how to post it.

    Thankfully there are already guides available.



  • Use some service like Photo Bucket or Picasa. And yeah, nice WTF there.



  • @smxlong said:

    I have a screenshot but can't figure out how to post it.
     

    So this means the site you're trying to re-register to is Flickr?



  • @Lingerance said:

    @smxlong said:
    I have a screenshot but can't figure out how to post it.

    Thankfully there are already guides available.

    Didn't realize I had to host the image myself. Ok, no problem:




  • They must have been doing too many shrooms.



  • Actually, the site's ordering system is outsourced, so I imagine that all vendors using that system would have the same issue. My God, what are they doing anyway? Using the password as a primary key?



  • @smxlong said:

    what are they doing anyway?

    Obviously preventing users with multiple accounts from using a weak approach to passwords by using the same password for all accounts - break one and you break them all!!! Mustn't let the bad guys get the same user's sensitive details twice. Can't be too careful, you know.



  • @smxlong said:

    My God, what are they doing anyway? Using the password as a primary key?

    Unlikely.  More likely, it's the result of some developer who's concerned about security, but hasn't grasped the concept of 'consequences'.  If it's good to keep you from reusing your old passwords, why not keep people from using passwords others are using?

    Actually, that's not entirely a bad idea.  However, telling the user any more detail than, "your new password is in my dictionary (that is, it's been exposed online before)" is pretty much asking for trouble.

    Of course, it could be that the admin is more clueful than we can tell from outside, and is *actually* asking for trouble, as a way to identify from whence crackers come.  All it would take are a couple of adjustments from the naive system:

    • The message indicating a password is already in use is returned as an alternate form of, "password is in my dictionary of no longer used passwords."
    • The system's running an IDS or similar code to dynamically detect individuals attempting to use the same unacceptable password to log into multiple accounts, and respond "accordingly".

    This is, however, highly unlikely.



  • Kind of like VISA then, when you are directed to a site asking for your password to ensure you're the person the card belongs to. Only problem is that if you forget your password you can reset it easily by entering your card number, security code, name and date of birth. The first three are actually on your card and also on any computer system you've bought goods from (yes, companies are not supposed to store your security code, but some still do), and the last isn't exactly difficult considering they have your full name. So someone changes your password and you don't notice until next time you try to use it, and then you just think you forgot it.

    The other weird thing is you forget your password, click the "forgot password", go through the above and enter a new password (thus getting told the password rules), and then get told "You have already used that password", and then go "Ah! Thanks!", try to login as that password and it works. However, they can't tell you the password rules on the signin page for "security reasons". 



  • @tgape said:

    All it would take are a couple of adjustments from the naive system: [...]

    BTW, have you read Cuckoo's Egg by Clifford Stoll?

    Seems very relevant to your suggestion.



  • @dstozek said:

    @tgape said:
    All it would take are a couple of adjustments from the naive system: [...]

    BTW, have you read Cuckoo's Egg by Clifford Stoll?

    Seems very relevant to your suggestion.

    Aah, I remember that book. A very engaging (if extremely outdated by now) hacking/drama novel written in the late 80s.  A wonderful find for a teenager like myself, when my uncle sent it to me back in the day.



  • @Mole said:

    The other weird thing is you forget your password, click the "forgot password", go through the above and enter a new password (thus getting told the password rules), and then get told "You have already used that password", and then go "Ah! Thanks!", try to login as that password and it works. However, they can't tell you the password rules on the signin page for "security reasons".

    I usually go through that exact process with my Wells Fargo loan account (which, of course, only lets me make payments online; it won't show me my balance or any other useful tidbit of information, such as what my minimum payment might be).  I'll try to log in with my usual password, which fails.  I then try with my secondary usual password, which also fails.

    So I go to reset my password, and when I see the rules, I create a variation on my usual password that complies with the rules - only to be told "your new password cannot be the same as your current password."  So I return to the regular login page and sign in.

    This could all be avoided if they'd just provide a little popup reminder of what the password rules are...



  • @Mole said:

    The other weird thing is you forget your password, click the "forgot password", go through the above and enter a new password (thus getting told the password rules), and then get told "You have already used that password", and then go "Ah! Thanks!", try to login as that password and it works. However, they can't tell you the password rules on the signin page for "security reasons".

    That's not weird at all. If they are using one-way encryption (like the old md5 or sha1) they simply can't tell you what your password is, because they can not decrypt it. That's in case they get stolen. If you tell them your 'new' password, they encrypt it, and see that it's the same (hash) as your old one. Thus not allowing it for security reasons, which is perfectly reasonable.


  • @Mole said:

    Kind of like VISA then, when you are directed to a site asking for your password to ensure your the person the card belongs to is you. Only problem is that if you forget your password you can reset it easily by entering your card number, security code, name and date of birth.

    Oooh, they added that then. It used to be that you... Uh, couldn't. At all.



  • @Heron said:

    This could all be avoided if they'd just provide a little popup reminder of what the password rules are...

    It could also be avoided if they didn't have all those pointless rules, and instead learned how to store their passwords and secure their site properly.  A basic minimum length and dictionary search are fine, but some of the BS I've seen for financial sites (i.e. maximum 8 alphanumeric characters) is a joke.



  • @ari said:

    That's not weird at all. If they are using one-way encryption (like the old md5 or sha1) they simply can't tell you what your password is, because they can not decrypt it. That's in case they get stolen. If you tell them your 'new' password, they encrypt it, and see that it's the same (hash) as your old one. Thus not allowing it for security reasons, which is perfectly reasonable.

    You've just grabbed completely the wrong stick and run with it. I don't expect them to tell me my password - any site that can is a serious security risk. Read the rest of my message - they can't tell me the password rules on the signin page for "security reasons", but they do when you go to change your password, and thus you remember how you modified your password to suit the rules.

    Considering how easy it is to get access to these password rules, they might as well put them on the signin page so we don't have to visit the "last password" page to remind ourselves what our password was.

    Saying that, I remember the password to an old financial system used by a previous employer which was a real WTF. You had to use both upper and lower case letters, at least 2 numbers, 1 'special' character (such as the character above the numbers on your keyboard, but it didn't say that), and, wait for it... It must be no longer than 8 characters in length. So 'aY42!' was a perfectly acceptable password.



  • Mole, do a quick search for the American Express WTF I posted a while back - it's worse than what you described. (I'd link it myself but it's inconvenient right now, using my new iPhone.)



  • @Heron said:

    Mole, do a quick search for the American Express WTF I posted a while back - it's worse than what you described. (I'd link it myself but it's inconvenient right now, using my new iPhone.)




  • That's the one.



  • For a six character password, that would be 436,700,160 possible combinations (almost 29 bits). You could brute-force that on your new iPhone.



  • The REAL Real WTF is that they're probably not using salted password hashing. I say probably because while they could re-hash the new password using each existing hash, anyone who would go to that much trouble would no doubt remember why they used salts in the first place...
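    An added example (not code from the thread) illustrating ari's hash-comparison point above and the salting point in this post: with unsalted hashes a single lookup answers "is this password already in use by anyone?", which is what the site's error message leaks, while per-user salts force that question to be re-derived against every account, and only the per-account "same as your current password" comparison stays cheap. It assumes a constructed in-memory user table and PBKDF2 as the salted scheme (my choice, not anything the site is known to use):

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor for the salted store

# Constructed sample accounts (not from the thread): two of them share a password.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery"}

def unsalted_store(users):
    """Unsalted SHA-1 store: equal passwords give equal hashes, so one hash
    lookup answers 'is this password already in use by anyone?'."""
    return {u: hashlib.sha1(p.encode()).hexdigest() for u, p in users.items()}

def salted_store(users):
    """Per-user random salt plus PBKDF2: equal passwords give different records."""
    store = {}
    for u, p in users.items():
        salt = os.urandom(16)
        store[u] = (salt, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, ITERATIONS))
    return store

def unsalted_in_use(store, candidate):
    """The leaky check behind the thread's error: names every account using candidate."""
    h = hashlib.sha1(candidate.encode()).hexdigest()
    return sorted(u for u, stored in store.items() if stored == h)

def salted_in_use(store, candidate):
    """With salts the same question costs one PBKDF2 derivation per account,
    which is exactly the cost salting was introduced to impose."""
    hits = []
    for u, (salt, digest) in store.items():
        derived = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
        if hmac.compare_digest(derived, digest):
            hits.append(u)
    return sorted(hits)

def same_as_current(store, user, candidate):
    """The legitimate per-account check ('cannot be the same as your current
    password'): derive with that user's own salt, compare in constant time."""
    salt, digest = store[user]
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(derived, digest)

if __name__ == "__main__":
    plain, salted = unsalted_store(USERS), salted_store(USERS)
    print("unsalted store, 'hunter2' in use by:", unsalted_in_use(plain, "hunter2"))
    print("salted records for alice and bob differ:", salted["alice"][1] != salted["bob"][1])
    print("salted store, 'hunter2' in use by:", salted_in_use(salted, "hunter2"))
```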



  • @Faxmachinen said:

    For a six character password, that would be 436,700,160 possible combinations (almost 29 bits). You could brute-force that on your new iPhone.

    Uh, how exactly would you do that? You do not have the hash of the password. Do you think the bank just wouldn't notice your approximately 215 million connection attempts and maybe, I dunno, do something to stop you?

    And the number of possible passwords is WAY higher than that:

        # Count candidate passwords of 6 to 8 characters drawn from 26 letters
        # and 10 digits, with at least one of each (Python 3).
        def factorial(n):
            x = 1
            for i in range(1, n + 1):
                x *= i
            return x

        npas = 0

        for nchar in range(6, 9):
            for nletter in range(1, nchar):
                ndigit = nchar - nletter
                npas = npas + 26 ** nletter * 10 ** ndigit * factorial(nchar)

        print(npas)


    Results in 5,281,246,171,468,800 unique passwords.


  • Rather wondering why my AmEx password works, then.

    27 characters, and several "special characters"



  • @smxlong said:

    Uh, how exactly would you do that? You do not have the hash of the password. Do you think the bank just wouldn't notice your approximately 215 million connection attempts and maybe, I dunno, do something to stop you?

    Actually, since account numbers tend to be exposed in bulk these days, it's unlikely that anyone would be attempting millions of attempts against a *single* account.  Depending upon AMEX's setup, it's entirely possible that they wouldn't notice hundreds of failed attempts (over many weeks) against millions of accounts - especially if a borrowed botnet were involved.  As such, a user's real goal is not to have an uncrackable password, but rather to not have a password in the first 10k or so compromised.  (Eventually, AMEX will either catch on or go under.  Of course, they won't go under for just 10k accounts being compromised, but the 1k or so of those compromises that get reported would be sufficient notice for you to close your account there.)



  • @smxlong said:

    And the number of possible passwords is WAY higher than that:

    Now I did say brute force, so you are not wrong. But I'd like to mention that there are 36 times as many possible passwords in a seven character password than in a six character password. Is it 36 times more likely for you to pick a seven character password over a six character one?

