Search - "forgotten password"
-
1. Forgot my password.
2. Clicked "Forgot" password button.
3. Received my forgotten password as plain text in my email7 -
And here comes the last part of my story so far.
After deploying the domain, configuring PCs, configuring the server, configuring the switch, installing software, checking that the correct settings have been applied, configuring MS Outlook (don't ask) and giving each and every user a d e t a i l e d tutorial on using the PC like a modern human and not as a Homo Erectus, I had to lock my door, put down my phone and disconnect the ship's announcement system's speaker in my room. The reasons?
- No one could use USB storage media, or any storage media. As per security policy I emailed and told them about.
- No one could use the ship's computers to connect to the internet. Again, as per policy.
- No one had any games on their Windows 10 Pro machines. As per policy.
- Everyone had to use a 10-character password, valid for 3 months, with certain restrictions. As per policy.
For reasons mentioned above, I had to (almost) blackmail the CO to draft an order enforcing those policies in writing (I know it's standard procedure for you, but for the military where I am it was a truly alien experience). Also, because I never trusted the users to actually back up their data locally, I had UrBackup clone their entire home folder, and a scheduled task execute a script storing them to the old online drive. Soon it became apparent why: (for every sysadmin this is routine, but this was my first experience)
- People kept deleting their files, whining to me to restore them
- People kept getting locked out because they kept entering their password WRONG for FIVE times IN a ROW because THEY had FORGOTTEN the CAPS lock KEY on. Had to enter three or four times during weekend for that.
- People kept whining about the no-USB policy, despite offering e-mail and shared folders.
The final straw was the updates. The CO insisted that I set the updates to manual because some PCs must not restart on their own. The problem is, some users barely ever checked. One particular user, when I asked him to check and do the updates, claimed he did that yesterday. Meanwhile, on the WSUS console: PC inactive for over 90 days.
I blocked the ship's phone when I got reassigned.
Phew, finally I got all those off my chest! Thanks, guys. All of the rants so far remind me of one quote from Dave Barry:7 -
Client just informed our support that they solved their own forgotten password problem by clicking the "forgot password" button in our app. They say they are now awaiting the email with the password recovery details.
One problem: we don't have a forgot password button in our app.9 -
I wonder why banks are always so terribly insecure, given how much money there's for grabs in there for hackers.
Just a while ago I got a new prepaid credit card from bpost, our local postal service that for some reason also does banking. The reason for that being that - thank you 'Murica! - a lot of websites out there don't accept anything but credit cards and PayPal. Because who in their right mind wouldn't use credit cards, right?! As it turns out, it's pretty much every European I've spoken to so far.
That aside, I got that card, all fine and dandy, it's part of the Mastercard network so at least I can get my purchases from those shitty American sites that don't accept anything else now. Looked into the manual of it because bpost's FAQ isn't very clear about what my login data for their online customer area now actually is. Not that their instruction manual was either.
I noticed in that manual that apparently the PIN code can't be changed (for "security reasons", totally not the alternative that probably they didn't want to implement it), and that requesting a forgotten PIN code can be done with as little as calling them up, and they'll then send the password - not a reset form, the password itself! IN THE FUCKING MAIL.
Because that's apparently how financial institutions manage their passwords. The fact that they know your password means that they're storing it in plain text, probably in a database with all the card numbers and CVC's next to it. Wouldn't that be a treasure trove for cybercriminals, I wonder? But YOU the customer can't change your password, because obviously YOU wouldn't be able to maintain a secure password, yet THEY are obviously the ones with all the security and should be the ones to take out of YOUR hands the responsibility to maintain YOUR OWN password.
Banking logic. I fucking love it.
As for their database.. I reckon that that's probably written in COBOL too. Because why wouldn't you.23 -
'Incorrect password.'
"I must've forgotten the password. Let me change it".
'Old and new passwords cannot be same'
o_O14 -
A website just emailed me my forgotten password in PLAINTEXT.
I'm out of breath from running for the hills so fast.18 -
Today in train programming:
Pushed a new build before pulling into station
Battery dies
Test on tablet
Build is broken, files missing
Upload files manually to Azure (WHY)
try to log in to my sure to treat, forgotten password
Try to reset password, smtp details in DB are wrong...
I'm doing well1 -
Thinking of auto adding ‘you dumb fuck’ to every email I send to a client. Fucking useless time wasting bastards.
Example: I’ve forgotten my password for the cms can you send me a link to reset it.
The login page has a link clearly labelled ‘forgot password?’.
I send a screen grab with a big red circle around the link and some polite text, to which I was desperate to add ‘you dumb fuck’2 -
Biggest GTFO moment of the year;
While applying for colleges, I created an account with a username and variant of my usual password (I know, bad move, sorry). I came back to finish the application but had forgotten what variant I had used. So I clicked the forgot password button and got an email with...
MY PASSWORD IN IT!!!!
Plain text password! Just as part of the email! WTF do these people think they are doing?!?!
I immediately changed my password to a random string and deleted my account, so hopefully when someone gets into this database my stuff will be overwritten... stupid programmers...7 -
Customer: can you set my forgotten password to "1"?
Me: there's a six signs limit in your domain. You have to use upper case letters, lower case letters and at least one symbol
Customer: "123Aa+"?
We have to set such passwords to avoid customers cancelling contracts.... -
So I bought this biometric padlock for my daughter. She excitedly tried to set it up without following the directions (they actually have good directions online). First thing you do is set the "master print"; she buggered that up setting her print. So when I got home I was thinking, no problem, I'll just do a reset and then we can start again.
NOPE !!! You only have one chance to set the master print! After that, if you want to reset the thing you need to use the master print along with a physical key that comes with it.
What sort of moron designs hardware / software that is unable to be reset. Imagine how much fun it would be if once you set your router admin password it was permanent unless you can log back in to change it. Yea nobody has ever forgotten a password.
Well they are about to learn a valuable financial lesson about how user friendly design will influence your bottom line. People (me) will just return the lock to the store where they bought it, and it will have to be shipped back to the factory and will be very expensive for them paying for all of the shipping to and from and resetting and repackaging of the locks and finally shipping again to another store. Meanwhile I'll keep getting new locks at no cost until she gets it right.
poor design34 -
A guy who's parked next to me in the RV asked me today if I know anything about computers. Sure, what's it about?
He has forgotten his password for a Word .doc file, already installed all possible tools for password cracking, but none of them worked, and now he can't find his vacation photos and surfing the internet suddenly doesn't work anymore.
Okay, no problem, I'll take a look at it. Windows 7 Home Edition, completely covered with malware, everywhere popups with pr0n ads.
I told him that I can't do much more than trying to recover the data and reinstall the OS. But before that, I'll make an image of the hard drive (thank god, only a 250 GB hdd). Then we'll see.
Unfortunately neither he nor I have a Windows DVD, so he will probably become a proud user of Antergos tomorrow.5 -
Am I the only guy using the GDPR emails as a to-do list? For each email I either delete the account with that service OR I take the opportunity to change the password. Tedious? Yeah. Satisfying? You bet!
I see all these people complaining about their inbox blowing up with "spam" but how many of those accounts or services do you still use? I bet over half of them were only signed up for to try their demo and then forgotten about.4 -
Sharing your password with your colleagues is like sharing your underwear or your GF with them. It's not right and unless you're into some weird fetish you won't really want them back...
I've been asked to help in my previous project and I'm fairly certain my credentials are expired/locked/forgotten there. Guess whose managers will be encouraging sharing current dev's on that project passwords...2 -
My password manager!!
I use passwords I can never remember, stay logged in, next time I need to log in I use the password forgotten button, reset it with my e-mail or better phone2 -
Let's talk about the cargo cult of N-factor authentication. It's not some magic security dust you can just sprinkle onto your app "for security purposes".
I once had a client who had a client who I did server maintenance for. Every month I was scheduled to go to the site, stick my fingerprint in their scanner, which would then display my recorded face prominently on their screens, have my name and purpose verified by the contact person, and only then would the guards let me in.
HAHA no of course not. On top of all of that, they ask for a company ID and will not let me in without one.
Because after all, I can easily forge my face, fingerprints, on-site client contact, appointment, and approval. But printing out and laminating a company ID is impossible.
---
With apologies to my "first best friend" in High School, I've forgotten which of the dozens of canonicalisations of which of your nicknames I've put in as my answer to your security question. I've also forgotten if I actually listed you as my first best friend, or my dog - which would actually be more accurate - and actually which dog, as there are times in my High School life that there were more tails than humans in the house.
I have not forgotten these out of spite, but simply because I have also forgotten which of the dozen services of this prominent bullshit computer company I actually signed up for way back in college, which itself has been more than a decade ago. That I actually apparently already signed up for the service before actually eludes me, because in fact, I have no love for their myriad products.
What I have NOT forgotten is my "end of the universe"-grade password, or email, or full legal name and the ability to demonstrate a clear line of continuity of my identity from wherever that was to now.
Because of previous security screwups in the past, this prominent bullshit company has forced its users to activate its second, third, and Nth factors. A possibly decade-old security question; a phone number long lost; whatever - before you can use your account.
Note: not "view sensitive data" about the account, like full name, billing address, and contact info. Not "change settings" of the account, such as changing account info, email, etc. Apparently all those are the lowest tier of security meant to be protected by mere "end of the universe"-grade passwords and a second factor such as email, which itself is likely to be sold by a company that also cargo cults N-factor auth. For REAL hard info, let's ask the guy who we just showed the address to "What street he lived in" and a couple others.
Explaining this to the company's support hotline is an exercise in...
"It's for your security."
"It's not. You're just locking me out of my account. I can show you a government ID corroborating all the other account info."
"But we can't, for security."
"It's not security. Get me your boss."
...
"It's for security."8 -
*leaning back in the story chair*
One night, a long time ago, I was playing computer games with my closest friends through the night. We would meet for a whole weekend extended through some holiday to excessively celebrate our collaborative and competitive gaming skills. In other words we would definitely kick our asses all the time. Laughing at each other for every kill we made and game we won. Crying for every kill received and game lost. A great fun that was.
Sleep level through the first 48 hours was around 0 hours. After some fresh air I thought it would be a very good idea to sit down, taking the time to eventually change all my accounts' passwords including the password safe master password. Of course I also had to generate a new key file. You can't be too serious about security these days.
One additional 48 hours, including 13 hours of sleep, some good rounds Call of Duty, Counter Strike and Crashday plus an insane Star Wars Marathon in between later...
I woke up. A tiring but fun weekend was over again. After I got the usual cereals for breakfast I sat down to work on one of my theory magic decks. I opened the browser, navigated to the Web page and opened my password manager. I type in the password as usual.
Error: incorrect password.
I retry about 20 times. Each time getting more and more terrified.
WTF? Did I change my password or what?...
Fuck.
Ffuck fuck fuck FUCKK.
I've reset and now forgotten my master password. I completely lost memory of that moment. I'm screwed.
---
Disclaimer: sure it's in my brain, but it's still data right?
I remembered the situation but until today I can't remember which password I set.
Fun fact. I also could not remember the contents of episode 6 by the time we started the movie although I'd seen the movie about 10 - 15 times up to that point. Just brain afk. -
So, a new web project came for some small layout changes, nothing too fancy.
It was on the hands of another company and the client didn't want to work with them anymore. Basic Magento with a custom theme.
As I was wandering through files, I found out that the old devs echoed, in ".phtml" files, contents from ".txt" files located in base directory. I was shocked and went forward with it. The core of Magento had tons of this "echo"s. Several minutes later I found out that they "coded" another administration panel besides Magento, that had "authentication" with hard-coded user/pass inside index.php and a session start. That admin panel just rewrote the contents of .txt files using textareas. Why/what/when the fuck..they've forgotten the admin password?!?!!!!
This was like 3-4 years ago.
Worst project I've seen, ever... -
techie 1 : hey, can you give me access to X?
techie 2 : the credentials should be in the password manager repository
t1 : oh, but I don't have access to the password manager
t2 : I see your key A1B2C3D4 listed in the recipients of the file
t1 : but I lost that key :(
t2 : okay, give me your new key then.
t1 : I have my personal key uploaded to my server
t1 : can you try fetching it?
t1 : it should work with web key directory ( WKD )
t2 : okay
t2 : no record according to https://keyserver.ubuntu.com
t1 : the keyserver is personal-domain.com
t1 : try this `gpg --no-default-keyring --keyring /tmp/gpg-$$ --auto-key-locate clear,wkd --locate-keys username@personal-domain.com`
t2 : that didn't work. apparently some problem with my dirmgr `Looking for drmgr ...` and it quit
t1 : do you have `dirmngr` installed?
t2 : I have it installed `dirmngr is already the newest version (2.2.27-2)`
t2 : `gpg: waiting for the dirmngr to come up ... (5)` . this is the problem. I guess
t1 : maybe your gpg agent is stuck between states.
t1 : I don't recall the command to restart the GPG agent, but restarting the agent should probably fix it.
t1 : `gpg-connect-agent reloadagent /bye`
source : https://superuser.com/a/1183544
t1 : *uploads ASCII-armored key file*
t1 : but please don't use this permanently; this is a temporary key
t2 : ok
t2 : *uploads signed password file*
t1 : thanks
t2 : cool
*5 minutes later*
t1 : hey, I have forgotten the password to the key I sent you :(
t2 : okay
...
t2 : fall back to SSH public key encryption?
t1 : is that even possible?
t2 : Stack Overflow says it's possible
t1 : * does a web search too *
t1 : source?
t2 : https://superuser.com/questions/...
t2 : let's try it out
t1 : okay
t2 : is this your key? *sends link to gitlab.com/username.keys*
t1 : yes, please use the ED25519 key.
t1 : the second one is my old 4096-bit RSA key...
t1 : which I lost
...
t1 : wait, you can't use the ED25519 key
t2 : why not?
t1 : apparently, ED25519 key is not supported
t1 : I was trying out the steps from the answer and I hit this error :
`do_convert_to_pkcs8: unsupported key type ED25519`
t2 : :facepalm: now what
t1 : :shrug:
...
t1 : *uploads ASCII-armored key file*
t1 : I'm sure of the password for this key
t1 : I use it everyday
t2 : *uploads signed password file*
*1 minute later*
t1 : finally... I have decrypted the file and gotten the password.
t1 : now attempting to login
t1 : I'm in!
...
t2 : I think this should be in an XKCD joke
t2 : Two tech guys sharing password.
t1 : I know a better place for it - devRant.com
t1 : if you haven't been there before; don't go there now.
t1 : go on a Friday evening; by the time you get out of it, it'll be Monday.
t1 : and you'll thank me for a _weekend well spent_
t2 : hehe.. okay.8 -
I swear I get multiple emails every week from a person who's forgotten their password but instead insists our software is broken. "Account Broken, Can't Login!"
I've started just replying to these emails without even checking their accounts anymore -- or even opening up the system.
I'll say, "I'm sorry to hear that! I've looked into your account and it should work now."
I always get a reply back "THANKS! It works great now!"
Then I facepalm.1 -
The university I used to study CSE, they had some OLD computers with Windows XP in them. Also, all those computers had TWO user accounts. One with the admin access and another one with normal access. Until this, it was fine.
But the browsers installed there were so old, even normal websites struggle to load properly. And so many outdated apps kept bugging us for update, but every time we click on UPDATE, they ask for the admin password, which we didn't have. So, most of the students were frustrated about this, but nobody took any action! :/
So, I hacked one of the computers' admin password. the password was "BRIGHT". I'm like, these people are never gonna set different passwords in different computers and remember them for eternity. Definitely all passwords have to be the same, and they were! Which saved my time.
So, I shared the password with everyone in my class and now they can install any apps they want. Which made me so happy!
But you know, words travel fast! Just one day after the hacking incident, the Seniors ( & the juniors ) came to me with their laptops to find their forgotten password, which made me earn some money & eat some delicious foods, also got to meet some beautiful girls of our campus ^_^
& I used to go to other classes to hack those Admin passwords for fun ^_^ But I never told them the password until they pay me or feed me something delicious! ^_^
I miss those good old days! ^_^6 -
I had to do a double take... Needless to say I can't sign in for shit, fucknows what mental finger dance I did on the shift key when signing up to these guys...
Also: forgotten password is "please type your email, if there's an account associated to this email address we'll fucking email it with password reset instructions"...
Fucking arsehole fucks, I just wanna pay my fucking energy bill. -
Went to log into an encrypted VM that I set up for finances, and realized I had forgotten my password to decrypt it. Well, after a few min I gave up and wrote a short program with all my seeds, and rules for altering the seeds and combinations thereof.
Got back a few thousand and plugged it into a macro script and went to do chores for my wife. Came back and was in.
To be honest I checked on it somewhere in the middle and thought oh crap did I use my dog's name? I didn't but now I am switching to a password manager.2 -
just saying, NO ONE who has forgotten their username should be expected to remember their password.
have a nice day.2 -
Varies wildly, depending on location and company.
Find yourself in the right location (London, for instance, and some other big cities) and there's heaps of companies all competing for good devs - willing to pay great salaries, great pensions, free food, offer working from home, healthy training budgets, etc.
Find yourself in the wrong place, or not willing to travel, and you may have to settle for being the "IT guy" at Bob's budget consulting co. where your main job is resetting Lauren from HR's password every few days, even though she "definitely hasn't forgotten it, it's the computer's fault." -
So I still have my very first email account, a hotmail account as a secondary, kinda spam account.
I signed up around 2000 I guess.
Someone tried to get in, I got loads of mails of failed login attempts so I wanted to go and change my pw. But because of that bastard I can't login with just pw anymore, I need my phone. THAT ACCOUNT IS 20 FUCKING YEARS OLD. I never even provided a phone.
Spent the last 20 minutes providing personal details to Microsoft which are probably not the ones I used for signing up anyway.
You know how careful we were when signing up for something online back then? I probably signed up as Thomas Anderson from Zion...
Anyway, done now and now it will take 24h for them to review it..
All of this only to reset my forgotten pw for my Epic Games account for which I signed up with that mail...
Holy guacamole.. I should start to trust password managers...1 -
Pulled my hair out over one today (and a week ago when I first saw the issue)
Setting up development environment. Created test user and test database and used mysqldump to copy data over.
MySQL was executing a function as the wrong user. Checked my config files, checked my config reader, checked my database connection, checked checked checked. Checked everything twice, I felt like Santa.
Changed the password in the config file to make sure it was logging in right. It threw an error still but not one I had expected so I figured the login still worked (My bias was that I thought the config file was not working or the mysql library was caching authentication. Both were wrong but this blinded my debugging. Foolish, I have forgotten my training)
Logged into the database directly via client. *didn't bother executing the function because I was only testing auth*
Think
Think
Think
Search entire project for database username. It's gotta be hard coded by accident SOMEWHERE.
It's not.
Why
Why
Why
Wait.
-- Flashback to how the test db was created -- What's actually in this damn script?
DEFINER `production_user` CREATE PROCEDURE `old_db`.`procedure_name`
Two issues: definer is old user (this is the error I was seeing) and it's creating the procedure on the old db (this would be the next error I would have found if I kept going)
Fuck mysqldump. Install mysqldbcopy. Works
Put hair back in head. -
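The two problems named in the post above (a stored routine carrying the old `DEFINER` and a routine name qualified with the old schema) can be checked for before a dump is loaded. This is an added example, not the poster's code: the dump text is constructed, and `test_user`, `test_db` and the function names are assumptions.

```python
import re

# DEFINER=`user`@`host` as it appears in dump files (backticks optional).
# "SQL SECURITY DEFINER" has no "=" and is deliberately not matched.
DEFINER_RE = re.compile(
    r"DEFINER\s*=\s*`?([^`@\s]+)`?\s*@\s*`?([^`\s*]+)`?", re.I)

# Schema-qualified object name, e.g. PROCEDURE `old_db`.`procedure_name`.
QUALIFIED_RE = re.compile(
    r"\b(PROCEDURE|FUNCTION|TRIGGER|VIEW|EVENT)\s+`([^`]+)`\.`([^`]+)`", re.I)

# Constructed sample, shaped like dump output; not taken from the post.
SAMPLE_DUMP = """\
-- constructed sample dump
/*!50003 DROP PROCEDURE IF EXISTS `procedure_name` */;
DELIMITER ;;
CREATE DEFINER=`production_user`@`%` PROCEDURE `old_db`.`procedure_name`()
BEGIN
  SELECT 1;
END ;;
DELIMITER ;
/*!50001 CREATE ALGORITHM=UNDEFINED */
/*!50013 DEFINER=`test_user`@`localhost` SQL SECURITY DEFINER */
/*!50001 VIEW `v_orders` AS select 1 AS `x` */;
"""


def audit_dump(sql, expected_user, expected_db):
    """Return (line, kind, value) for every definer or schema qualifier
    that does not belong to the environment the dump is loaded into."""
    findings = []
    for lineno, line in enumerate(sql.splitlines(), start=1):
        for m in DEFINER_RE.finditer(line):
            if m.group(1) != expected_user:
                findings.append(
                    (lineno, "definer", f"{m.group(1)}@{m.group(2)}"))
        for m in QUALIFIED_RE.finditer(line):
            if m.group(2) != expected_db:
                findings.append(
                    (lineno, "schema", f"{m.group(2)}.{m.group(3)}"))
    return findings


def retarget_dump(sql, user, host, db):
    """Rewrite every definer and schema qualifier to the target values."""
    sql = DEFINER_RE.sub(lambda m: f"DEFINER=`{user}`@`{host}`", sql)
    return QUALIFIED_RE.sub(
        lambda m: f"{m.group(1)} `{db}`.`{m.group(3)}`", sql)


if __name__ == "__main__":
    for finding in audit_dump(SAMPLE_DUMP, "test_user", "test_db"):
        print(finding)
    fixed = retarget_dump(SAMPLE_DUMP, "test_user", "localhost", "test_db")
    print(audit_dump(fixed, "test_user", "test_db"))
```

Routines default to `SQL SECURITY DEFINER`, so a leftover production definer in a test database also means the routine runs with that account's privileges whenever the account exists there.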
You know what's worse than having to come up with a new password every time you create an account? Forgetting your password every time you try to log in!
I swear, it's like my brain has a selective memory when it comes to passwords. I can remember every lyric to a song from 10 years ago, but I can't remember the password I created yesterday.
And don't even get me started on password manager software. You would think that having all of your passwords stored in one place would make things easier, but nope. I've forgotten my password for my password manager so many times that I'm starting to think I need a password manager for my password manager.
But seriously, why do we even need passwords in the first place? Why isn’t there an easier one stone kills all solution to all these password authentication nonsense?
I could remember when it was all letters, then forced to use letters + numbers…
then later forced to include symbols…
and then forced to make it lengthier…
and then solve puzzles after getting it right…
and after all the stress now we are forced to find nemo from a set of images.
I thought the misery would end there but nope. Now some platform forces 2FA like dude seriously?
For God’s sake we built self driving cars already! Why can’t one just exist without a password? Why do we always end up in a password cycle?
And please don’t say shit about oauth because if your password master (i.e: google) fucks you in the ass then all your oauth accounts are gone for good!
I'm currently having an existential crisis about the meaning of passwords in our modern society. Shit is crazy when I ponder about it I get worried.11 -
When the company running my student accommodation not only stores the passwords for their resident portal in plain text and emails them straight to you in the case of a forgotten password. But also generates your password at sign up according to a specific general pattern...2
-
Just realised that devRant doesn't give me the option to change my password - I had to go through the forgotten password routine to do it.7
-
Fuck you "hackers"! You make my life miserable...
No longer can anyone simply enter their user name and password to enter an online app...
Now we as programmers have to leap from one fiery hoop on the precipice of a death defying cliff to another acidic hoop in some mystical forgotten cavern of the underworld just so our users can log in securely to our app... sigh... I'm looking at you Auth0 and Microsoft SSO / AAD !!!111oneeleven
I mean wtf even is a nonce?!
https://urbandictionary.com/define....
**gosh**11 -
I've been working here for a little under a month and keep hearing about them not remembering passwords, or not being able to access something due to a rarely used forgotten password, so I decided to set up a shared password manager for the team using KeePass and a generic intranet setup, pulled a password csv from one random on the floor person's Chrome to start with. Turns out they ALL sync data from the owner's account, and the owner's saved passwords include HER payroll login info, and the accounts for ebay, amazon, etsy, basically anywhere you can buy anything....
yeah I think this is gonna need to be a conversation with her soon.8