Context is that I had to register for a lot of accounts recently and some of the rules really make no sense.

Not name-and-shaming, but the best one I’ve seen recently is I might have accidentally performed an XSS attack on a career portal using a 40-digit randomly generated password…

  • Phoenixz@lemmy.ca · 44 upvotes · 18 hours ago

    Not so much password requirements as just a completely removed implementation:

    To access payment stubs in a data center (not us) that I worked at, the user account was our public email address and the password was a personal code, sorta like SSN, but that code could be easily looked up as it was public info.

    I showed the director of HR, who had authorized this, her own payment stub as evidence that this was baaaaadddd.

    So she asked me to check that system for more issues.

    Turns out it stored passwords in plaintext (wtf) and would authenticate with two queries. The first query would check if the username (email) exists. The second query would check if the password exists. If both exist, you’re in! So I could log in to any account with MY password…

    This is the tip of a very big iceberg there.

      • dnick@sh.itjust.works · 1 upvote · 3 hours ago

        Sounds like the initial part of password testing, and then they either forgot to complete it, or someone came along to fix the later parts, commented them out for testing and never got around to fixing/uncommenting. Surprising how often things that ‘work’ are set aside and no one is in charge of reviewing.
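The authentication flaw Phoenixz describes (two independent existence checks that are never tied to the same user row) beside a per-row check with salted hashing, as an added example that is not part of the thread. The accounts, emails and passwords are constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts standing in for the payroll portal in the thread.
ACCOUNTS = [("alice@example.com", "correct-horse"), ("bob@example.com", "battery-staple")]


def kdf(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; a memory-hard KDF (scrypt/argon2) is preferable where available.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_db() -> sqlite3.Connection:
    """Two layouts: the plaintext table the thread describes and a salted-hash table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_plain (email TEXT PRIMARY KEY, password TEXT)")
    db.execute("CREATE TABLE users_hashed (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for email, pw in ACCOUNTS:
        db.execute("INSERT INTO users_plain VALUES (?, ?)", (email, pw))
        salt = os.urandom(16)
        db.execute("INSERT INTO users_hashed VALUES (?, ?, ?)", (email, salt, kdf(pw, salt)))
    return db


def login_broken(db: sqlite3.Connection, email: str, password: str) -> bool:
    """The flaw from the thread: 'does this email exist?' and 'does this password exist
    anywhere?' are answered separately, so any valid password opens any valid account."""
    user_exists = db.execute("SELECT 1 FROM users_plain WHERE email = ?", (email,)).fetchone()
    pw_exists = db.execute("SELECT 1 FROM users_plain WHERE password = ?", (password,)).fetchone()
    return bool(user_exists and pw_exists)


def login_fixed(db: sqlite3.Connection, email: str, password: str) -> bool:
    """Fetch the single row for this email and verify the password against that row's hash."""
    row = db.execute("SELECT salt, pw_hash FROM users_hashed WHERE email = ?", (email,)).fetchone()
    if row is None:
        # Run the KDF anyway so an unknown email costs the same time as a wrong password.
        kdf(password, b"\x00" * 16)
        return False
    salt, pw_hash = row
    return hmac.compare_digest(kdf(password, salt), pw_hash)
```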