Step 1: create a 20 character password, store it in your password manager
Step 2: the account creation process keeps the first 16 characters
Step 3: attempt to log in with the 20 character password, fail.
I found the 16 character maximum in the password rules in their FAQ, so tried the first 16 chars of my password and it worked, so the above must be how it worked
The text boxes shouldn’t have a character limit on them for this very reason. If they need to configure a limit they should allow the form to be submitted but return an error telling it’s too many characters. Truncating the user’s input is really bad for the exact reason you mention.
There’s a lot of sites with bad ways of handling credentials. I really hate sites that stop you from pasting in passwords.
I’ve had that happen a couple of times too. In the most striking example, I was able to log in by typing html escape tags instead of the special characters in the password. … … That’s a very bad sign for the website security for several obvious reasons.
Walmart’s internal systems used to do this, if you used a special char in your password (such as an % or &) on newer devices you couldn’t log in anymore, only solution was having HR reset your login lol
None of these possibilities have any effect on their password handling security since all of that is usually handled on the frontend (on your computer).
What? No. No matter where it happens (and it could be on either side, depending on the whims of the programmers), passwords shouldn’t be fiddled with this way. They should be passed through to the password hashing algorithm unchanged. There is no reason to ever fuck with them, and doing so will reduce security.
I swear I’ve had this happen even with password managers, where there’s no way it’s being typed incorrectly. Some possibilities:
None of which bode well for that company’s password handling security.
My electric and gas utility truncates passwords, but lets you type hundreds of chars when setting a new password
To log in, you need to intuit how much of your password they’re using, if you enter too many chars it fails like in the op image
excuse me, what?!
Step 1: create a 20 character password, store it in your password manager
Step 2: the account creation process keeps the first 16 characters
Step 3: attempt to log in with the 20 character password, fail.
I found the 16 character maximum in the password rules in their FAQ, so tried the first 16 chars of my password and it worked, so the above must be how it worked
The text boxes shouldn’t have a character limit on them for this very reason. If they need to configure a limit they should allow the form to be submitted but return an error telling it’s too many characters. Truncating the user’s input is really bad for the exact reason you mention.
There’s a lot of sites with bad ways of handling credentials. I really hate sites that stop you from pasting in passwords.
My bank used to block pasting, so I used a browser extension version of KeePass to auto type
Luckily they changed that policy when password managers became the main recommended method of handling passwords
So I no longer know my bank password, I saw it once when I accepted what KeePass generated
KeePass Auto-type is an amazing feature. One that many KeePass users also don’t seem to know about!
I’ve had that happen a couple of times too. In the most striking example, I was able to log in by typing html escape tags instead of the special characters in the password. … … That’s a very bad sign for the website security for several obvious reasons.
I hit the truncation thing just yesterday. People seriously have a password input clipped at like 16 characters. A big company too.
Walmart’s internal systems used to do this, if you used a special char in your password (such as an % or &) on newer devices you couldn’t log in anymore, only solution was having HR reset your login lol
None of these possibilities have any effect on their password handling security since all of that is usually handled on the frontend (on your computer).
What? No. No matter where it happens (and it could be on either side, depending on the whims of the programmers), passwords shouldn’t be fiddled with this way. They should be passed through to the password hashing algorithm unchanged. There is no reason to ever fuck with them, and doing so will reduce security.