Do Websites Deliberately Reject Your Correct Password Once?

Viewing 15 posts - 1 through 15 (of 19 total)
  • #993166
    GuestMember
    Member
    • Total posts: 318

    On a few well-known websites, e.g., LinkedIn and Google, I’m finding I enter the correct password and it is rejected. I enter it again and it is accepted. For ages, I believed it was me but it was happening all too often so I started to monitor it very carefully.

    It got me wondering whether they are deliberately using this to thwart attempts by hackers, in the belief that automated attempts to crack the password would move on and try something else immediately, while a person would persist because they know it is correct?

    Can anyone confirm this? Any other reasons it might happen?

    #1190040
    Jake Gardner
    Member
    • Total posts: 44

    I have never had this issue.

    #1190041
    sam_leader
    Member
    • Total posts: 660

    Hi Paul,

    This has happened to me, but I hadn’t thought to analyse it. I will watch it closely from now on and report back.

    Sam

    #1190042
    natedamman
    Member
    • Total posts: 16

    I’m not sure about the issue you’ve had but here is an interesting tactic hackers use:

    Let’s suppose you have a Twitter account and the hacker knows what your Twitter handle is. What they can do is send you an email saying something like your security settings have been changed, or something to get you worried about your account. Then in the email they will add a cloaked hyperlink so you don’t see the URL, or a bit.ly site. When you click on the website you are taken to a site that looks (if they have done a good job on it) identical to the Twitter site. (Here’s where this ties into this question.) Now, depending on how they have set things up, when you enter your credentials on their fake Twitter site they get all of your info. Now sometimes they will make you log in twice to verify your credentials were correct (keep in mind they don’t know if your username and password are correct because they don’t have access to the Twitter database, so by logging in 2 times they can be sure you haven’t made an error with your password).
    This is called phishing and is common on the web. (I used Twitter in this example but it can apply to any website.)

    So I hope you haven’t fallen victim to one of these attacks. But if you enter your details into a website and it’s correct it won’t not let you in. Chances are YOU are being hacked or you’re not entering the details correctly (or their database could have sent back an error).

    Make sure that when you’re on websites like Facebook or Twitter you check to see if in the address bar it says https and not http. And if you need to be sure, check the certificate of the website in your browser; it will let you know who the true owner of the site is.

    Hope this helps :)

    Nate

    #1190043
    GuestMember
    Member
    • Total posts: 318

    Good heads up for people and interesting that they would care to check – spammers are not usually that bothered because they’re interested in massive numbers rather than quality engagement with individual cases – we’re disposable. In my case, they’re definitely the genuine sites.

    #1190044
    natedamman
    Member
    • Total posts: 16

    Yeah cool, it’s not just spammers who will take control of your accounts. Hackers will do it to sell your information via Tor or other means. But if it was the genuine sites then I would suggest that, if you’re 100% positive that you have typed your info in correctly, it may be a server issue. It’s not a way of filtering hackers though. Hackers use software to gain access into a site like Facebook, and chances are they won’t go through the same front end as a usual user. They will almost always find a vulnerability via the back end and exploit it.

    Hope this helps :)

    Edit: also, the reason they would double check your info is because if they get the wrong account details they can’t sell your information.

    #1190045
    Byron Trzeciak
    Member
    • Total posts: 422

    Definitely not happening for me. Easy thing to do is find a computer or mobile with a different internet connection and test it and see if you have the same problem.

    I’d say that it’s more a plugin or virus on your computer that’s affecting it. As someone that’s secured banks and critical infrastructure of Australia, you’d be shocked to see how many viruses are undetected by standard antivirus.

    I’d even try using a different browser for a week and see if you notice the same problems. I presume it’s not happening all the time, but if you are able to repeat it consistently then you should be able to test.

    I’ve also seen computers do strange things after years of usage without a rebuild. Sometimes it’s as simple as backing everything up, rebuilding and starting fresh again rather than troubleshooting where the issue is coming from.

    #1190046
    JohnTranter
    Member
    • Total posts: 842
    Paul Peace, post: 223040, member: 54653 wrote:
    It got me wondering whether they are deliberately using this to thwart attempts by hackers, in the belief that automated attempts to crack the password would move on and try something else immediately, while a person would persist because they know it is correct?

    I suspect this would break most Password Managers (LastPass, KeePass, RoboForm et al.), so it’s not the best idea for them to pursue.

    #1190047
    compassweb
    Member
    • Total posts: 6

    I use 1Password for all my passwords and I haven’t experienced this issue. What site is the biggest culprit for you?

    #1190048
    GuestMember
    Member
    • Total posts: 318

    Good point John. Also, making life difficult seems unlikely when companies spend most of their time trying to reduce friction.

    Incidentally, I use different passwords for every account to contain any hack. They are not stored anywhere except my head and they’re very strong.

    I’m never complacent but I’ve not had a virus (knowingly, anyway) get any further than my AV since 1996 and I only get one of those alerts about every 2 years. A virus or rootkit is possible but it would have to only be causing a second sign-in on LinkedIn, FB, Google and stock photo sites (very selective), and it would be causing this as an intermittent problem. As well, the problem has gone on for the best part of a year (I just kept doubting myself because you only think retrospectively and can’t provide what you entered). Yet in that time, there are no signs of any malicious activity in the accounts themselves or elsewhere in my life. All seems well.

    So I’m not going on panic alert and big dramas with fresh installs etc!! I’ve learnt to be very parsimonious with these things, having wasted so much time over the years doing big actions on what turn out to be tiny issues!

    I can confirm it isn’t browser-specific. I’ve had it in Chrome, Firefox and Opera.

    The only other idea I’ve had is a keyboard key sticking, so I typed correctly, but the output was missing a character. Not seen that while writing, though.

    #1190049
    JohnTranter
    Member
    • Total posts: 842
    Paul Peace, post: 223108, member: 54653 wrote:
    The only other idea I’ve had is a keyboard key sticking, so I typed correctly, but the output was missing a character. Not seen that while writing, though.

    Hey Paul, if you’re anything like me then sometimes my brain doesn’t quite engage when I first sit down. Occasionally I’ve had to retype the same password 2 or 3 times before it was correct.
    These kinds of intermittent issues are usually user related rather than technical issues. (sorry)

    #1190050
    GuestMember
    Member
    • Total posts: 318

    Yes, I thought that for a year John. I’ve since paid far closer attention to it during the process rather than reflecting afterwards. I can confirm the passwords have been entered correctly.

    It is possible it is a website error. When you said that it was user error, you reminded me of a memory of developing our platform and how the developers wouldn’t believe me that passwords weren’t working. I was so frustrated with the developers, I videoed myself typing the password in on my keyboard slowly, character by character, and then showing them the submit not working. I just had a look at our records but we didn’t have a reason for it, we were just glad to see it sorted. Must be difficult for developers because a lot of time can go on human error. I always assume customers are right in the first instance and ask for more info but we have been on some wild goose chases.

    I think I’ll get in touch with the service providers when I have time. I don’t expect any joy, though.

    #1190051
    JohnTranter
    Member
    • Total posts: 842
    Paul Peace, post: 223117, member: 54653 wrote:
    I was so frustrated with the developers, I videoed myself typing the password in on my keyboard slowly, character by character, and then showing them the submit not working.

    Interesting way of demonstrating the issue! :)

    An easier proof would be a screen capture video. Type the password into a Text Editor, then copy and paste it into the password field. If it fails first time but passes the second time, that would be enough for me.

    Devs really want to be able to reproduce the error and if they can’t, they’ll often put it down as user error. I’ve been guilty of this myself, it’s because we’ve all had so much time wasted when someone wasn’t connected to the internet, they’ve disabled images or installed some weird plugin on their browser for example.

    #1190052
    GuestMember
    Member
    • Total posts: 318

    Yes, I used screen capture on the screen and me typing on the keyboard. Good idea with the text editor. Copying and pasting (when it’s asterisks) leads to further questions about whether it really is what’s on the clipboard, though! Or whether we introduced a space, etc.

    I completely understand the dev side John. I’ve had it with my blog and platform. The other side of it is not being believed as a customer. It all has to be handled very sensitively because they are also often right in my experience even after we’ve tested ad nauseam.

    User error has to be considered, though. When the RACQ turn up to people’s ‘broken down’ cars, I bet it really is often the ‘obvious’, no fuel in the tank!
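
Added example, not part of any post in this thread: a local check for the doubts raised above about a pasted or typed password (an introduced space, a character dropped by a sticking key). It reports how two entries differ by code point and position rather than echoing either string; the function names and the sample password are constructed for illustration.

```python
import unicodedata

# Code points that display as nothing or as an ordinary space in a text editor.
INVISIBLE = "\u00a0\u200b\u200c\u200d\u2060\ufeff\t\r\n"

# Constructed sample password (NFC form, contains U+00E4), used only for the demo.
SAMPLE = "Tr1cky-P\u00e4ssword"


def codepoint(ch):
    """Describe a character by code point and Unicode name, never by echoing context."""
    return f"U+{ord(ch):04X} {unicodedata.name(ch, 'CONTROL CHARACTER')}"


def diagnose(intended, submitted):
    """List reasons `submitted` differs from `intended`; an empty list means identical."""
    if submitted == intended:
        return []
    reasons = []
    # A space, tab or newline picked up at either end when copying from an editor.
    if submitted != submitted.strip():
        reasons.append("leading or trailing whitespace")
    # Characters that were not in the intended password and cannot be seen on screen.
    for ch in sorted(set(submitted) - set(intended)):
        if ch in INVISIBLE:
            reasons.append("invisible character " + codepoint(ch))
    # Same visible text, different bytes: composed vs. decomposed accents.
    if unicodedata.normalize("NFC", submitted) == unicodedata.normalize("NFC", intended):
        reasons.append("same text in a different Unicode normalization form")
    if submitted == intended.swapcase():
        reasons.append("letter case inverted (Caps Lock)")
    # A single keystroke that never registered.
    if len(submitted) == len(intended) - 1:
        for i in range(len(intended)):
            if intended[:i] + intended[i + 1:] == submitted:
                reasons.append(f"one character dropped at position {i + 1}")
                break
    return reasons or ["content differs"]


if __name__ == "__main__":
    attempts = [SAMPLE + " ", "\ufeff" + SAMPLE, SAMPLE.swapcase(), SAMPLE[:3] + SAMPLE[4:]]
    for attempt in attempts:
        print(diagnose(SAMPLE, attempt))
```

Run it offline with the password typed once by hand and once pasted; an empty list means the two entries are byte-for-byte identical, so any rejection happened after the text left the keyboard or clipboard.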

    #1190053
    Gizmo
    Member
    • Total posts: 731

    I would never code something to reject a correct password.
    That would just cause unwanted support headaches.
