• MentalEdge@sopuli.xyz
    24 hours ago

    This happens because you’re trying to re-use a previous password, which is not necessarily the current password.

    The new password can’t be the same as any of your previous ones.

    • dual_sport_dork 🐧🗡️@lemmy.world
      23 hours ago

      More likely it’s happening because the password change field silently truncates your input and the login field doesn’t, or vice versa, because whoever designed the web page or system is stupid.

      • MentalEdge@sopuli.xyz
        23 hours ago

        That is a possibility. But then actually setting a completely new password shouldn’t work, yes? Because when you go to use it, it won’t work.

        I doubt that’s the “more likely” scenario.

        Tons of people have reset a login more than once, and then forget, which is what leads to this scenario.

        When they forget the new password, but re-remember a previous one, they try to use it to log in. When that fails, they go to reset it again, and they try to set it back to the password they remember. Which doesn’t work, because it is a previous password. But at the same time it is also not the current one.

        The supposed catch 22 is that if it can’t be their new password, it should work to log in. And if it can’t be used to log in, then they should be able to set it as their password.

        In reality the password has already been used, but before a previous reset. So it is neither a valid new password, nor the current password. This does not occur to people.

        This can happen in any correctly configured service that prevents password re-use, and is therefore the far more likely scenario.
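The scenario described in the comment above, as an added example that is not part of the thread: a hypothetical `Account` class keeps salted PBKDF2 hashes of the current and earlier passwords, authenticates against the newest entry only, and rejects an exact reuse of any stored entry. The class, function names, iteration count and sample passwords are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class Account:
    """Hypothetical account keeping salted hashes of current and past passwords."""

    def __init__(self, password: str):
        self.history = []  # list of (salt, digest); the last entry is the current password
        self._store(password)

    def _store(self, password: str) -> None:
        salt = os.urandom(16)  # fresh salt per entry, so equal passwords hash differently
        self.history.append((salt, _hash(password, salt)))

    @staticmethod
    def _matches(password: str, entry) -> bool:
        salt, digest = entry
        return hmac.compare_digest(_hash(password, salt), digest)

    def login(self, password: str) -> bool:
        # Only the most recent entry is valid for authentication.
        return self._matches(password, self.history[-1])

    def reset_password(self, new_password: str) -> str:
        # The reuse check covers every stored entry, not just the current one.
        if any(self._matches(new_password, e) for e in self.history):
            return "rejected: previously used"
        self._store(new_password)
        return "ok"


def forgotten_reset_scenario():
    acct = Account("Tr0ub4dor&3")                 # constructed sample passwords
    acct.reset_password("correct horse 42")       # earlier reset the user later forgets
    can_login = acct.login("Tr0ub4dor&3")         # old password is no longer current
    can_set = acct.reset_password("Tr0ub4dor&3")  # and is blocked as a reused one
    return can_login, can_set
```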

    • stebo@lemmy.dbzer0.com
      21 hours ago

      usually it gives a different error, something like “can’t be a password that was used previously”

      • MentalEdge@sopuli.xyz
        21 hours ago

        Sometimes.

        In my experience though, services will use language along the lines of “the password can’t be the same as your last password” but if you set a random password temporarily, you then still can’t set the password to the one you wanted. Meaning they are checking earlier passwords too.

        In fact I have yet to come across one where you can re-use a password by first setting it to something else. Have you?

        I think most developers just assume people aren’t going to even try old passwords, only the most recent one.

        • dual_sport_dork 🐧🗡️@lemmy.world
          20 hours ago

          I have. My former bank disallowed reusing any of your previous passwords, and also did “clever” things like flagging you for using sequences of characters from your old passwords as well.

          All provisos that revealed that they were storing passwords (including old passwords) in plain text, because there’s no way they’d be able to make those determinations if they were irreversibly hashing passwords correctly.

          TL;DR: They’re no longer my bank.

        • stebo@lemmy.dbzer0.com
          20 hours ago

          I have yet to come across one where you can re-use a password by first setting it to something else. Have you?

          no, that was not my point