> mthadley_

My Password is Bad

The other day I needed to reset the password for the online account of one of my home utilities. It seems like every month one of them is merging with another, getting acquired, or just migrating their system such that yet again I’m locked out.

No problem, I’ll just reset the password. Cool, got the reset email, so now I’ll click the link and enter a new randomly generated sequence from 1Password.

Sorry, something went wrong. Please try again later.

Being an experienced web developer, I of course responded by arbitrarily clicking the button ten more times out of frustration, expecting the same inputs to produce a different output. It did not.

Fine, I can at least attempt to debug this. I opened my browser’s network inspector, resubmitted the password reset form, and saw the actual error message:

{ "error": "Password cannot contain username." }

Uhh, okay. How could my randomly generated password contain my username? Wait, what even is my “username”? Well, the only identifier they have is my email address which is [email protected].[1] There’s no way 1Password randomly produced that. Let’s take a closer look at the password that was generated:

Axjt1RNmPmAafX5Xd1QX [2]

Is the username they are referring to the one from my email address? Let’s try removing all of the m’s then. Yep, that was exactly it.

I guess I can’t be too mad. Maybe it’s my fault for both using my own email domain and choosing the shortest possible address. I’m assuming they don’t get many support tickets from me and the 26 other users who managed to snag single letter usernames on gmail.com.
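To make the failure concrete, here is an added sketch (not the utility's code, which the post never shows) of the substring check the error message implies, next to a variant that skips very short usernames, plus the odds of a random password being rejected. The address `m@example.com`, the case-sensitive match, the 62-character alphabet and the length threshold of 4 are all assumptions.

```python
ALPHABET_SIZE = 62      # assumption: generator draws from a-z, A-Z, 0-9
MIN_USERNAME_LEN = 4    # assumption: below this length the check is skipped


def local_part(email):
    """Return the part of the address before the '@'."""
    return email.split("@", 1)[0]


def naive_check(password, email):
    """Accept only if the email's local part is absent from the password.

    Assumed to mirror the behaviour behind "Password cannot contain username."
    """
    return local_part(email) not in password


def hardened_check(password, email, min_len=MIN_USERNAME_LEN):
    """Same rule, case-insensitive, but only for usernames long enough
    that a match is unlikely to be a coincidence."""
    name = local_part(email).lower()
    if len(name) < min_len:
        return True
    return name not in password.lower()


def false_reject_probability(name_len, pw_len=20, alphabet=ALPHABET_SIZE):
    """Chance that a uniformly random password trips the substring check.

    Exact for a one-character username; a union upper bound for longer ones.
    """
    if name_len == 1:
        return 1 - (1 - 1 / alphabet) ** pw_len
    positions = max(pw_len - name_len + 1, 0)
    return min(1.0, positions / alphabet ** name_len)


if __name__ == "__main__":
    email = "m@example.com"            # constructed address, single-letter local part
    sample = "Axjt1RNmPmAafX5Xd1QX"    # the sample password from the post
    print("naive accepts:   ", naive_check(sample, email))
    print("hardened accepts:", hardened_check(sample, email))
    print("P(reject), 1-char name: %.1f%%" % (100 * false_reject_probability(1)))
    print("P(reject), 4-char name: <= %.6f%%" % (100 * false_reject_probability(4)))
```

Under these assumptions, more than a quarter of 20-character random passwords are rejected for a single-letter username, while a four-character username collides by chance roughly once in a million.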

  1. I know it looks like I’m doxxing myself here, but I already list my email address on my website, so spam away! 

  2. Before you get any ideas, this is not an actual password of mine.