Admin
Frist
Admin
That's not the only, and probably not the frist, bank to do that. Mine is almost equally dumb.
Admin
Passwords bigger than 9 characters take too much space when stored as plain text.
Admin
Longer passwords will be truncated without warning.
Admin
I suppose Carl C could always change his first name to Ctrl, and then he would fit into Dell's general human interaction philosophy a whole lot better.
Admin
You got that right, this is the first hint that things are stored in plain text. If they were encrypted they would all be the same length, much longer than 9 characters. Actually pisses me off that we are still seeing things like this. I bet it was written by someone that does OSS in their free time and refuses to learn from the past, because our field constantly makes the same mistakes again and again. Or is it that business keeps asking for the same stupid stuff and overrides us every time we tell them no, that's the wrong way?
Admin
Come on guys. Nowadays everyone uses long passwords and/or password managers. Of course evil hackers know that and start to brute-force passwords beginning at 9 characters, omitting 1- to 8-character-long passwords and saving thousands of milliseconds in the process.
As smaller passwords aren't tested anymore, they are intrinsically more secure. That is basic knowledge...
Admin
My favorites are the sites or mobile apps (usually from banks) that let you set an elaborate 20+ character, actually secure password. And also encourage you to set a 4-digit PIN that you can use to bypass the password. For your "convenience and security" they say. Usually in all caps with a ! or two on the end.
Can you say "screen door on vault"?
Admin
Gillette is just copying Windows 10 -- where if you enter an incorrect password, first you get the "Welcome, [username]" splash, quickly replaced with the failed login notice.
Admin
Hi, did you work for S*****s Medical Solutions? They used to do so...
Admin
Ctrl-C?! Stop that! Gimme a Break!
Admin
You just have to store them in a smaller font. Duh.
Admin
It doesn’t say IFNAME, it says |FNAME|.
Addendum 2018-06-08 13:26: … but with asterisks around the |FNAME| that, instead of showing up, make it display in italics here …
Admin
I'm no expert, but the password for the Digital Secure key is not actually a password. You enter it to get a security code, but: Firstly, you can enter the password incorrectly, and still end up getting a code - that code would just be wrong and useless. Secondly, the password works even if your device is offline, meaning that the algorithm that generates the code runs entirely offline. It is used to replace old physical secure keys that only accepted passwords of a couple of digits. Much of the security is delegated to how your phone/physical key device is something you and only you have, so that hackers can't simply brute-force your password without also getting your phone and the secret stored inside the app's data.
Admin
I was so mad at this, I just sat there in incandescent rage, that they forced me to move from a 2FA solution to a 9 character max solution. The sheer annoyance of moving bank has forced me to forget this for a bit....this article reminded me to get it sorted. HSBCYouSuck.....Dammit password too long?!
Admin
There can be a good reason to limit the length of a password - you don't want users to be able to make you encrypt/hash the entirety of War & Peace. But a limit of 8 characters is, of course, ridiculous.
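As an added example (not from this thread or the site), here is the "hashed passwords are all the same length" point from the comments above in code: a salted PBKDF2 password store whose records are 48 bytes whether the password is 3 or 64 characters long, with a generous byte cap standing in for the "War & Peace" concern instead of a 9-character limit. The cap, iteration count and function names are assumptions.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Assumed sanity limit: generous enough for passphrases and managers,
# small enough that nobody can make the server hash a novel.
MAX_PASSWORD_BYTES = 1024
PBKDF2_ITERATIONS = 200_000   # assumed work factor; tune for your hardware
SALT_BYTES = 16
DKLEN = 32                    # derived-key length in bytes


class PasswordTooLong(ValueError):
    """Raised when the submitted password exceeds MAX_PASSWORD_BYTES."""


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password): always SALT_BYTES + DKLEN."""
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS, dklen=DKLEN)
    return salt + digest


def verify_password(password: str, record: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        return False                    # reject without doing the expensive KDF
    salt, digest = record[:SALT_BYTES], record[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS, dklen=DKLEN)
    return hmac.compare_digest(candidate, digest)


def stored_lengths(*passwords: str) -> List[int]:
    """Storage size of each record: identical regardless of input length."""
    return [len(hash_password(p)) for p in passwords]


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(len(rec), verify_password("correct horse battery staple", rec))
    print(stored_lengths("abc", "x" * 9, "y" * 64))   # [48, 48, 48]
```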
Admin
I seem to recall the American Express web site limited you to an 8-character password.
Admin
8-character password + terminator = 9 chars
Admin
Stupid Smarch weather.