top | item 41279575


Red_Leaves_Flyy | 1 year ago

You want a good one? Silent password truncation on account creation without a required relogin so on return my saved password doesn’t work and I need to reset it.


AnonBanking | 1 year ago

Making a throwaway for this since my main is linked to my real identity.

I worked for the online investment banking arm of one of the big Canadian banks a few years ago. Their passwords could only be eight characters long. At one point, I was tasked to do some work on their IVR system and discovered that your phone password was entered by pressing the corresponding letter key on your phone keypad. But they didn't say "2 for A, 22 for B, etc." which really confused me. How did it know the passwords were correct?

And that's when I had a terrifying realization and tested it out on the website - they weren't magically converting your phone presses into ASCII characters. No, they were converting your password into the corresponding numerics and saving that. Every single user password was a 6-8-digit number.

They upgraded their whole login system around the time I left that company, including implementing 2FA. Though their 2FA was SMS-based rather than using a known authenticator app system, so it still wasn't perfect.

noirbot | 1 year ago

I've absolutely had this happen with some US bank in the last 4 years. I can't remember which one, but they had me essentially type in my password over the phone in the same way, with * being the button for any non alphanumeric character.

Sylamore | 1 year ago

I had a bank that did this and it took me months to figure out WTH: every time I tried to log on it failed, but when you reset the password it accepted longer passwords while silently truncating them and got you back into the account. I finally figured out their max password length was 8 characters; anything longer would result in failures past the initial logon after a reset.
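The failure mode in the top post and in Sylamore's comment (set-password truncates silently, login compares the full input, so only the first 8 characters ever work again) reproduced in Python beside a hardened store, as an added example that is not from any poster; the `MAX_LEN`, `LIMIT`, user names and sample password are constructed for illustration.

```python
import hashlib
import hmac
import os

MAX_LEN = 8  # legacy back-end field width, as reported in the thread (constructed)

class LegacyStore:
    # Reproduces the defect: set-password truncates silently, login does not.
    def __init__(self):
        self.pw = {}

    def set_password(self, user, password):
        self.pw[user] = password[:MAX_LEN]  # tail silently dropped, no error

    def login(self, user, password):
        return self.pw.get(user) == password  # full input compared

class FixedStore:
    # Hardened form: one length policy on both paths, an explicit error instead
    # of truncation, and a salted PBKDF2 hash instead of the plaintext password.
    LIMIT = 128  # generous upper bound, applied identically on both paths

    def __init__(self):
        self.pw = {}

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user, password):
        if len(password) > self.LIMIT:
            raise ValueError(f"password exceeds {self.LIMIT} characters")
        salt = os.urandom(16)
        self.pw[user] = (salt, self._digest(password, salt))

    def login(self, user, password):
        rec = self.pw.get(user)
        if rec is None or len(password) > self.LIMIT:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, self._digest(password, salt))

def demo(password="correct-horse-battery-staple"):  # 28 chars, constructed
    legacy, fixed = LegacyStore(), FixedStore()
    legacy.set_password("alice", password)
    fixed.set_password("alice", password)
    # legacy: full password fails, first 8 chars succeed; fixed: full password works
    return (legacy.login("alice", password),
            legacy.login("alice", password[:MAX_LEN]),
            fixed.login("alice", password))
```

The second element of `demo()` is the "shorten it until it works" workaround several commenters describe; the fixed store makes that unnecessary because an over-long password is rejected at creation time rather than stored in a form the login path cannot match.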

AmericanChopper | 1 year ago

My bank used to do this too, but they were nice enough to silently truncate the password input on the login form as well, so you wouldn’t ever notice unless you accidentally did something to reveal the truncation.

It annoyed the hell out of me though when I was trying to put the required special character on the end of my too-long password after a required password change, and the only error message I got was that the special character was missing.

EvanAnderson | 1 year ago

I had something similar happen with an HP Ethernet switch years ago. I was looking at a factory reset (and had no backup of the config... ugh...). I started re-entering the password with 1 fewer character on each attempt and finally got in. Maddening.

_fat_santa | 1 year ago

Yep, I ran into this with Oracle OpenAir. Needed to reset my password, so I fire up 1Password, generate a 50 char PW and set that. It works for the first login, but when I log out and log back in it tells me I have an incorrect password. Go through a password reset a few more times before I finally realize that they are just taking the first 12 characters of my PW and using that, and not telling me that they are doing that.

pylua | 1 year ago

This has nothing to do with knowledge of customers but really just a lack of caring.

broknbottle | 1 year ago

Ugh, this one is by far the worst, and the only way to discover it is knowing your password is 100% correct. I usually will drop the password length from 24 -> 12 to sort it out.