
There's also some weird non-determinism in the beginning where the 'c' after a long chain of failed 'b's overwrites the previous 'a', which he is later unable to replicate. Not to mention preventing arrow-key navigation of the password field is the most annoying UI decision they could make. What an absolute mess.


So I am able to replicate this reliably but at first I misunderstood what was happening.

What happens is this:

1. Type some stuff in

2. Turn on “reveal password”

3. Type one of the “banned” characters

4. Switch “reveal password” back off

5. Type another character

6. The whole existing password is deleted and replaced by the letter you just typed.

So the reason I end up with two Cs in a row at the beginning is because I actually typed in another. After I type in the C that causes the field to reset, I erroneously believed that it had deleted both the B and C, leaving only the A, so I say “C” again out loud and type another C, believing the text entered is now “ac”.

In reality, it had cleared the field, replacing both the A and B with a C. So when I typed in that second C there were then two in a row.

The reason I didn’t understand what was going on was because I was just counting dots and assuming which letters were deleted at first.

Oddly, when this field-clearing behavior happens, it also hides the “reveal password” button until you add a second character to the field. That should be visible with only one character but in this particular situation it hides instead.


Aha! I missed that. How long did it take you to work out the bug here? How did you stumble on to this originally? Was it an organic error, or do you do this kind of thing for a living?


I was typing in a password (which I have since changed, lol) that contained one of these letters and it kept rejecting it. Assuming I was typing it wrong (I’m prone to that), I very deliberately typed in every letter one at a time and noticed that no dot appeared when I got to that character. I was gonna tweet about that one letter but then I started wondering how many other letters would do the same. So I tried them all.

My day job used to be internal technical support at a software company, and now it’s engineering.

Before that I was at 9to5Mac reviewing apps, and even before that I was a pretty prolific beta tester for stuff like iOS jailbreak tweaks, so I’ve got a LOT of troubleshooting and debugging experience that comes in handy here haha. I live to break things.


I lost it when you yelled "WHO SHIPPED THIS?" Man, the number of times I've felt that sentiment.


Unfortunately I'm right there with you man. lol


Preventing paste is a really strong contender for that title


You can sometimes "inspect element" and then paste into the markup representation of the page ... but often then scripts will break on the sort of sites that prevent pasting.



