this post was submitted on 20 Sep 2023
40 points (95.5% liked)
graybeard
239 readers
2 users here now
Stories, links, experiences from calculator manipulators with a few grays in their beard
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I had a problem once logging in at my insurance website. A simple copy paste from KeePass, but it said wrong password, it didn't make sense to me. Until I tried to only copy 8 characters into the PW field and it worked :/
But 60 seems reasonable long.
It is reasonable, but I can't shake off this dislike towards such arbitrary feeling limits. I know some algorithms have issues with certain lengths, but why bother preventing me from logging in? Truncate it at the hashing step and let me move on with my life. Or at least state it beforehand.
The worst offenders are the ones who allow signing up without a limit but the login form starts enforcing it and you can never pass through it.
This is one of the most annoying things I regularly encounter in life, and it's reassuring that I'm not the only one so irritated by it.
THANK YOU
In this same vein, I used to work as tech support for a bank that had a key fob token rotator for 2fa. The implementation was you put the token in the password field after the password.
The website did not tell you it truncated after 8 characters. There was also no real indicator that the actual activation of the token was the first attempted use after it was received.
Many customers had passwords longer than 8 characters (or so they thought) and tokens that never activated because the longer password resulted in the token being truncated as well.