How on earth can you both not accept the password I copied from my password safe and tell me that I cannot use the same pasaword again?
How on earth can you both not accept the password I copied from my password safe and tell me that I cannot use the same pasaword again?
I once had to reset my password as the new one got truncated without telling me.
Yes. It was deemed too long.
It was for an company that got plenty of my personal data
Why on earth would someone truncate a password? I could make at least 10 more memea about bad handling of passwords
Why? Probably some wild row length limit being hit where a table storing user data was storing an asinine amount of data, just terrible DB organization in an org where someone said “who even needs a DBA.”
How? If you can truncate user passwords, you should never handle user passwords again, unless you’re a student or hobbyist learning a valuable lesson.
Yeah. The real reason to be alarmed is worse than the obvious one.
If a partial version of what was originally set actually works later, it implies a scary chance they’re not even hashing the password before storing it.
I think it’s a nonzero chance they’re not hashing it. Pretty much every hashing function, in the interest of preventing collisions, provides vastly different responses on small amounts of input. Even if they were hashing it, it would just appear to be the same password in a situation where they somehow got a collision, but again, the column length for passwords would always be fixed since a hash function always outputs the same data length.
Also suggests the user may be reusing the same prefix if only the changed bits are getting truncated.
Should use different random passwords every time. Completely random or a random string of words. While it doesn’t solve the cleartext password storage issue, a data breach won’t compromise all your other accounts to same degree.
Doesn’t hurt to also randomize usernames, emails, and even security question answers.
edit: or my new favorite passkeys, just make sure you trust whatever tool is managing your private keys.
There’s no good reason. Whoever did it, did it for a bad reason. (Oh, well, there’s no good reason until you reach several thousand characters.)
That said, it could be worse. Some sites do not truncate your password at the creation form, and only truncate it on the login screen. (Yeah, that happened to me, in 2 different sites.)
Why is it always the one’s for whom security is of utmost importance?
Login to meme account to share shitposting on the internet: top notch up to date security.
Login to the bank who actually handle my money: Clown ass security practices on obsolete infrastructure.
Yep, one of mine was the federal government’s bounds buying portal…
They improved since then, but it’s always the entity that holds your money or oversees your health…