ISP's typically provide you a network login and password, and perhaps another pair for accessing the account management pages. After all, protecting access to your account, and potentially your data was, is and always should be important.

Phum S. patronized an ISP that took that security to the next level.

As their customer, you were provided with two logins; one for the administration of your account, and one for internet access. What they did not tell you was that the password had to be the same for both accounts. And by "same", I mean a single password for both logins; not one password for each login, but one password. Period. Thus, if you set your internet password to "Password1" and then set the portal password to "Different", you didn't realize it but you'd just implicitly changed your internet password as well.

For people like me, who tend to use the same password for multiple access points of the same vendor (just to make keeping it straight easier), that would not be a problem. However, some folks actually take the advice that your passwords should all be unique...

Naturally, this was somewhat confusing to a new customer, but once support helped you figure it out, you were able to drink the Kool Aid and deal with it.

Unfortunately, it didn't end there. Some people were leading the charge, and getting these highly sophisticated gizmos called routers for home use. Phum had programmed his internet login and password into his router. Everything was fine until he changed his network password.

Access Denied!


After checking and rechecking his router configurations, Phum succumbed to desperation and contacted technical support.

After the usual scripted conversation with level-1 support:

   Reboot your modem
   Reboot your PC
   Is your router turned on?

...and the usual semi-scripted conversation with level-2 support:

   Reboot your modem
   Reboot your PC
   Is your router turned on? 
   Let me try and ping it from the central office
   Your router appears to be connected
   How long is your password?

That last one caught Phum off guard. My password is secure! he replied.

"Sir, I asked how long is your password?"

Phum replied that it was 14 characters and asked what, if any, password restrictions were in place.

At this point, the tech admitted that the internet access and account maintenance web pages automatically truncated your password to the first 8 characters. Thus, if you changed your password from "Passwd1!" to "Passwd2@", you were fine - 8 characters for each password before and after. Moreover, if you simply mis-typed it (after the eighth character), you'd never know it. So as long as the first eight characters were correct, it would be accepted.

Of course, if you changed your password from "Password12#456" to "Different12#45", and then meticulously typed in your new 14 character password into your router (which did not use the user-GUI access page, but accessed the account directly), the whole 14 characters would be processed, and would never match the 14 character password you had set at the ISP, because only the first 8 characters of that password had been stored.

To sum up, they replicated your password across multiple logins so a change to the password for any of the logins effectively changed it for all of the logins - without telling you. Then, they only stored the first 8 characters of the password that you had entered (for all accounts) - again without telling you, so you had no way of knowing to truncate your password to the first 8 characters in your devices, mail applications, and anything else you used to connect.

When he finally got back online, the first thing Phum did was contact the cable company to sign up for net access.