Because you entered the wrong password.
I know that seems obvious — it’s what the message says, after all — but I get so much pushback. “No, it’s not! I typed it in correctly!”
No, you didn’t. Whatever it is you typed in isn’t the password.
Clearly, we need to dive deeper and understand exactly why it’s possible the password you think is correct isn’t.
Become a Patron of Ask Leo! and go ad-free!
Invalid password, in a nutshell
Whatever system you’re attempting to sign in to — an online account, a computer, or something else — has a password associated with it. That password was set up when you set up the account. In order to confirm you’re the person who owns and should be allowed access to the account, you need to type the same password you did before. If what you type now matches what the system thinks your password should be, you’re in.
Getting an “invalid password” message simply means the password you entered doesn’t match the password the system expects for the account you’re attempting to access.
I’ll say it again: if you get “invalid password”, then the password you entered doesn’t match what the system expects. Period.
There are several ways that can happen — some benign, some not so much.
“Hard to remember” means error prone
I get “invalid password” all the time, and it’s always due to a typo on my part. Recent experiences include setting up a super-secure 20 character password to an account, and then having to painfully, slowly, and awkwardly enter that password on a device without a keyboard (a streaming device connected to my television).
It’s secure. So secure it’s difficult for me to type it in, much less remember it, when I need to.
Even though I know it’s frustrating, make absolutely certain you’re typing in exactly the right password. Even one character off is enough to make it wrong.
“Hard to see” means error prone
Particularly with the proliferation of small devices with small keyboards, entering the right password can be a real challenge. Add to that the asterisks usually displayed instead of the characters you’ve actually typed, and it can be nearly impossible to not only type the right thing, but even know what it is you’ve typed so far.
Most often the solution is simply to take it slowly and carefully. However, there are some situations where you can click or tap on an “eye” icon that will allow the password you’re entering to be displayed as you enter it.
Even in the example above, I couldn’t type “lastpass” without making a typo.
Obviously, only display passwords when you’re in a secure situation (where no one else can see what you’re typing), but I find this an invaluable tool for getting the password right.
Remembering recent changes
Another scenario I run into myself is simply not recalling that I’ve made a recent password change, and typing in the old, no-longer-valid password.
Generally this happens to me for my most-used accounts. My fingers act on some kind of muscle memory and start typing what they’ve typed so often for so long. It’s not until I’m gently reminded by an “invalid password” message that I recall the change and enter the new, correct password.
Unfortunately, there’s a much more common scenario of password change where your memory — muscle or otherwise — simply can’t help.
Account hacks
When someone hacks into your account, the first thing they often do is change the password.
When this happens, the password you know is no longer your password. No amount of typing it in1 will make your old password work. It’s no longer the password to the account.
This is another case where I get a lot of pushback, but I can’t emphasize it enough. If your account is hacked, your password is no longer your password.
The only recourse is to follow the appropriate account-recovery procedures to regain access to your account, set a new password once you do, and then take additional steps to further secure it from being hacked again.
Additional “invalid password” miscellany
Naturally, there are other, less common things that also contribute to encountering the “invalid password” message.
Many programs will now remind you, but make sure CAPS LOCK is not on. “A” is not the same as “a”; upper/lower case must match.
Occasionally if a service is hacked, it will reset passwords proactively. Most of the time they’ll accept your old password once and force you to change it, but sometimes they’ll invalidate all passwords and you’ll be required to go through a password recovery/lost password process. Usually they’ll email you first.
There are probably other scenarios as well.
“Invalid password” is not invalid
Systems don’t report “invalid password” capriciously or without cause. When you get this message, it’s because the password you entered doesn’t match the password they expect — period.
Understanding why there’s a mismatch is the key to getting back in.
Do this
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!
Podcast audio
Footnotes & References
1: Or complaining.
Three other, fairly common, possibilities.
1. Your account is closed! Maybe your card expired, maybe you were flagged as suspicious, etc. etc.
2. There is a tech person somewhere who has access to your account, there are about a million reasons that person may have changed your password… one being that you asked them to and you don’t remember (probably rare on accounts like Google, but common for small businesses.)
3. Something is wrong with the software the account provider is using. Bugs and outages in online services do happen (again, not so common with Google, but regular occurrences for the rest of us.)
Another one I need to add to the list next time I update this: you typo’ed your username. :)
Recently I had to reset my Yahoo password because I got that “invalid password” message. When asked to enter a new password, I typed what I remembered to be my original password. I got the message that I had used that password before and to select a new one. Fair enough, a stupid policy but OK. So I changed a few characters and got the message that the password was too similar to an older password. That worried me because I thought the only way they could determine it was a similar password would be if they stored the passwords plain text. Or is there a way to compare the hashes and determine that the passwords were similar? Anyone have any idea how they could have determined the passwords were similar?
Interesting observation. A hash alone would not be able to determine that.
After a fresh install of Windows, one case is when I remember changing the keyboard settings to English (UK) from Englsih (US). which is the default in most cases.
This caused the @ symbol above letter 2 to change to ” (double quotes) thus invalidating my logins as I generally include the @ symbol in most of my passwords.
Secondly, an improperly typed username can also lead to false messages reporting an invalid password. This happens to me 9 out of 10 times since I happen to type my password correctly most of the times.
Thirdly, an important and often overlooked part is when you try to login to a service that accepts an emailid / password combo and also a service such as gmail to accept logins. Dropbox is one such service. Make sure you select the correct method to login, else you will have issues.
Regards,
Ravi.
One more point is that the Numeric keyboard (part of keyboard consisting only nunber keys) does not work for passwords with some websites or webforms.
You have to use the number keys above the the QWERTY keys to enter your password.
Do you mean that 1 on the numeric keyboard does not send the same code as 1 on the alphabetic keyboard ?
A 1 on the QWERTY keyboard sends 00110000 (030 Hexadecimal).
A 1 on the Numeric keypad sends 00110000 (030 Hexadecimal) same code.
It might be that you have the number keys turned off in the keypad and the key presses are sending navigation information (arrow keys). This behavior can be toggled using the NumLock key
Actually I have encountered this very problem when I have entered the correct password. I am using Windows 8.1 and when this happens, I check Windows Update and invariably, there is some kind of update to install. After the install, my password works fine. Another clue is that one of my CTRL keys does not open a new tab when held down.
I’ve often come across these kinds of messages when it has been a long time — months, perhaps years — since the last time I visited a site. Instead of a message that “your password has expired” it can say “invalid password/username” or “username does not match”, etc. when in fact the correct username and PW were entered.
I write my password in my notes. I test it by copying and pasting it into the password box to make sure it works. The next time I open the password protected website, I again copy and paste the password into the password box so there can be no error. As often as not the password is rejected. This happens most often when I haven’t used the website for a few weeks. I suspect websites automatically reject passwords so we have to change them almost every time we access the site. I am running out of password ideas. I make up random letters, numbers and symbols and the site will often say that I should use a password I have not used before! Sometimes I have to create as many as five random passwords before it will accept one.
Wow, that really shouldn’t happen. Having to change the password nearly everytime you log in? If it isn’t a “necessary” website then I’d just abandon it. Life’s too short to have to change your password to a site every time.
Have you tried contacting the website’s administrator to see if they are aware that this is happening?
And PLEASE, don’t put your password in Notes. If anybody accesses your computer, family, friend, local burglar, then you could be in for some nasty shocks. Get a password manager. One password to enter the program and then each site that you need to log in has a separate entry for each website login. Add a site, enter its name, your username and a password. The password will show up as asterisk symbols (well they do in Keepass anyway) and there is a keyboard combination which will when pressed enter the username and password automatically. Or you can open up the entry and copy and paste. Not such a good idea if there are other people around who could see over your shoulder by the way.
I’d strongly suggest using a password vault instead to keep your passwords safe, and generate random passwords for you.
Another potential scenario just occurred to me. For example, for Gmail’s purposes, my.name[at]gmail.com and myname[at]gmail.com are the same email account. If I try to log in using myname[at]gmail.com, it won’t work because those logins require the exact same email address you signed in with as that is your user name for that account..
Like Lisa above I recently was unable to access an account using my password. I store these on a USB flash drive. When I cut and pasted the pw into the login box it would not work. When I entered the pw one character at a time it worked.
Additionally I have found that websites where I use random character string passwords typically have their own, often very limited, list of acceptable special characters.
Hope you actually meant copy and paste. If you cut and paste then do something else then you have probably overwritten what you actually cut.
Copy paste often (and I do mean often) copies an extra space at the end of whatever it is you’re selecting.
Quite a number of sites won’t accept a password manager’s copy and paste routine.
Sometimes you can get away with typing the username and then pasting the password from your password manager using the keyboard combination for the password only.
For the uninitiated, and using Keepass as my example, you use Ctrl+V to copy your username and password… and with some websites it doesn’t work. Often it just stays blank, or sometimes some websites send a invalid login attempt message.
In Keepass you can use Ctrl+B for the username and Ctrl+C to use the password independently when the Ctrl+V doesn’t work.
And in the worst case scenario you copy the username from the password manager and paste it into the username field on website and then copy the password and paste it into the password field on the website. A bit of a pain but better than using a weak password that gets hacked.
This is related I think, but it is about my new cell phone and it’s voice mail access.
On every cell phone I’ve ever owned, the #1 on the speed dial list is reserved for speedy access to your voice mail, and that is true on this new cell phone’s speed dial list as well.
However when you press and hold the one you get the voice mail greeting asking you to type in your ten digit cell phone number. I’ve followed these directions many many times with the same result:
“This number is not correct. You may hang up and try again if you wish”.
It’s driving me out of my mind. The only thing that does work is not to use the speed dial #1 at all, and to type in the telephone number like any other contact. Weird Huh, but similar to the password not valid message on the internet.
I’d touch base with the provider. The shortcut might well be miss-programmed.
Dear Leo,
Thank you for this ‘ invalid ‘ password example.
I thought at one time that I must be the only one that this happens to ! I found it quite reassuring, that it happens to you (my icon) also.(sorry). Especially with the frustration and mind blowing ‘re- typing over and over again until submission.
However, since I changed from using long strings of numbers and characters to using say, 4 random words+a character space between, I have had better success. Maybe something you would disprove off, but it seems to work for me.
Keep up the good work, I so enjoy your openness.
Four random words w/ spaces is great. Length is important and that makes it easy. I have several of that form myself.
We had issues like this at work. People being told that their machine login password was invalid, when they knew it was the right one.
Turns out the System Admin had assigned one password to log into the machine, a different one to connect to the network, and a third password for the e-mail accounts.
Windows was trying to use the same password for all three credentials on login. Very confusing.
In a password, watch out for the confusion between the numeric zero and the alphabetic “OH”, especially if it’s upper case. On some screens, the zero might be mutilated with a slash through it. On other screens, the alpha might have a slash. On yet other screens, neither would have the slash, but one might be elongated and the other more round. Here is an example, the first character is a zero and the second is upper case “OH” : 0O . How do those look on your screen?
I use Roboform and I routinely get invalid password problems. I don’t think Roboform types my passwords incorrectly. One think that happens across the web is sites making changes without telling you. You drop by and try to login but it doesn’t work. It’s NOT always your fault.
The other day I got the “Invalid password” message and was invited to change my password after answering security questions. I attempted to change it to the one I knew it to be and was told my new password couldn’t be the same as the old one. So it wouldn’t accept the old one as accurate but it told me the new one was the same as the old one. That still baffles me.
One of my email services allows me to stay logged in for two weeks. At the end of the two weeks, I often can’t get in first thing in the morning. “Incorrect user name or password” An hour later it works. I’m guessing the servers are overloaded early.
I have seen websites with this very vicious behaviour : you will be able to register with, say, a 30-character password, but behind the scenes, it only really accepts 25-character passwords max.
You log off, then you try to log in again immediately afterwards, and your 30-character password is now deemed “invalid”.
This being done with a password manager, of course, so there could not be any mistyping. You then need to ask for a password reset, or open a fresh account.
I suppose what happens is, the password is truncated when you first register it, and they don’t tell you.
I use a Local Account with no password to login to Windows 10.
I tried out the Lock by using Windows Key + L.
Yep, that locked the system. When I went to attempt Unlock, it wanted my Password.
It would not accept Enter with an empty field. There was a Power icon on the lock screen. I selected Restart and after the restart, I was in. How secure is that? Anyway, how do I handle request for old password when I don’t have one?
Supposedly when changing your password if there is no “old” password, an empty field should work.
The lock scenario is both ambiguous and confusing. You asked the computer to lock, but without a password there is no “lock”. I would have preferred it to tell you that it cannot lock without a password, but apparently locking, even without a password, is more important. If you have a separate administrator account on that machine it would be interesting to see if its password works in that scenario.