There appear to be some hidden password requirements for user accounts that aren't validated on password change.
Unable to log in to my account, I used the password reset link sent to me in an email (which is reusable, btw, and probably shouldn't be), and set a few different passwords before I found one that worked. For ones that didn't work, the password reset completed successfully, but logging in using the newly-set password failed.
Passwords of 80 characters failed, even when only alphanumeric. Alphanumeric passwords of 20 characters are usable. I haven't experimented more to find the exact breaking conditions.
In case it isn't obvious, I use extremely long passwords because they're stored in a password manager; if I'm not going to be remembering or typing them, I figure I might as well make brute-forcing impossible for many years to come.