Security through lying
I had forgotten the userid I had used to generate one of my online accounts. I thought I had used an underscore, but I couldn’t get the site to accept it. It did yell at me, though. “Userids must begin with a letter and may consist only of letters, digits, and hyphens.”
Okay, I tried it with a hyphen. No luck.
Fine, use the userid recovery system.
The recovery email arrived. It say “Your userid is
Apparently, when they said that underscores were not legal characters, they were lying.
Another site asked me to create a password, and it said that the password must contain a special character “for example ! @ # $ % ^ & *”.
I tried all sorts of passwords and it kept telling me that the password needs a special character, even though I tried [, ~, \, =, :, you name it.
Turns out that the only special characters the site recognizes as special characters are ! @ # $ % ^ & and *. In other words, the “for example” was not a list of examples. It was a comprehensive list of acceptable values.