• Your Name (unregistered)


  • RLB (unregistered)

    That's not the only, and probably not the frist, bank to do that. Mine is almost equally dumb.

  • Senior Dev Robot (unregistered)

    Passwords bigger that 9 characters take too much space when stored as plain text.

  • Junior Dev Robot (unregistered)

    Longer passwords will be truncated without warning.

  • Little Bobby Tables (unregistered)

    I suppose Carl C could always change his first name to Ctrl, and then he would fit into Dell's general human interaction philosophy a whole lot better.

  • (nodebb) in reply to Senior Dev Robot

    You got that right, this is the first hint that things are stored plain text. If they were encrypted they would all be the same length, much longer than 9 characters. Actually pisses me off we are still seeing things like this. I bet it was written by someone that does OSS in their free time and refuses to learn from the past because our field constantly makes the same mistakes again and again, or is it business keeps asking for the same stupid stuff and overrides us every times we tell them no, that's the wrong way.

  • Kabi (unregistered)

    Come on guys. Nowadays everyone uses long passwords and/or password managers. Of course evil hackers know that and start to brute force a password beginning with 9 characters; omitting 1 to 8 character long passwords, saving thousands of milliseconds in the process.

    As smaller passwords aren't tested anymore, they are intrinsically more secure. That is basic knowledge...

  • WTFGuy (unregistered)

    My favorite are the sites or mobile apps (usually from banks) that let you set an elaborate 20+ character actually secure password. And also encourage you to set a 4-digit PIN that you can use to bypass the password. For your "convenience and security" they say. Usually in all caps with a ! or two on the end.

    Can you say "screen door on vault"?

  • Carl Witthoft (google)

    Gillette is just copying WIndows 10 -- where if you enter an incorrect password, first you get the "Welcome, [username]" splash, quickly replaced with the failed login notice.

  • BernieTheBernie (unregistered) in reply to Junior Dev Robot

    Hi, did you work for S*****s Medical Solutions? They used to do so...

  • FormalWare (unregistered) in reply to Little Bobby Tables

    Ctrl-C?! Stop that! Gimme a Break!

  • Pjrz (unregistered) in reply to Senior Dev Robot

    You just have to store them in a smaller font. Duh.

  • (nodebb)

    It doesn’t say IFNAME, it says |FNAME|.

    Addendum 2018-06-08 13:26: … but with asterisks around the |FNAME| that, instead of showing up, make it display in italics here …

  • User of HSBC Digital Secure Key (unregistered)

    I'm no expert, but the password for the Digital Secure key is not actually a password. You enter it to get a security code, but: Firstly, you can enter the password incorrectly, and still end up getting a code - that code would just be wrong and useless. Secondly, the password works even if your device is offline, meaning that the algorithm that generates the code runs entirely offline. It is used to replace old physical secure keys that only accepted passwords of a couple of digits. Much of the security is delegated to how your phone/physical key device is something you and only you have, so that hackers can't simply brute-force your password without also getting your phone and the secret stored inside the app's data.

  • PasswordToLon (unregistered) in reply to Senior Dev Robot

    I was so mad at this, I just set there in incandescent rage, that they forced me to move from a 2FA solution to a 9 character max solution. The sheer announce off moving bank has forced me to forget this for a bit....this article reminded me to get it sorted. HSBCYouSuck.....Dammit password to long?!

  • Aetol (unregistered) in reply to KattMan

    There can be a good reason to limit the length of password - you don't want users to be able to make you encrypt/hash the entirety of War & Peace. But a limit of 8 characters is, of course, ridiculous.

  • SplinyJoe (unregistered) in reply to KattMan

    I seem to recall the American Express web site limited you to an 8-character password.

  • Senior Dev Robot (unregistered) in reply to SplinyJoe

    8-character password + terminator = 9 chars

  • A Guest Robot (unregistered)

    Stupid Smarch weather.

Leave a comment on “Try Again (but with More Errors)”

Log In or post as a guest

Replying to comment #:

« Return to Article