Last week, I tried to register for a service and was really surprised by a password limit of 16 characters. Why on earth yould you impose such strict limits? Never heard of correct horse battery staple?

  • Dwemthy (he/him)@lemdro.id
    link
    fedilink
    English
    arrow-up
    16
    ·
    3 months ago

    A major US bank that I used to use has case insensitive passwords, found that out one day when I noticed caps lock was on after logging in with no trouble

    • viking@infosec.pub
      link
      fedilink
      arrow-up
      12
      ·
      3 months ago

      Makes you wonder if they store the password in plain text, or convert to lower key during your first input so it’s at least hashed. I wouldn’t be surprised if it’s not.

      • JustAnotherRando@lemmy.world
        link
        fedilink
        arrow-up
        4
        ·
        edit-2
        3 months ago

        I don’t think it could be hashed if it is case insensitive. It’s fairly early so I may be misremembering but I’m not aware of any hashing algo that ignores case.

        Edit: Ah, actually they could be storing the password as a hash, but they would probably have to do like a password. ToLower() call or something where they morphed the string before checking… The thought of which just makes me shudder.