At least that’s better than when the site accepts the password but doesn’t actually let you log in with it.
My old college was like that with their SSO. It would accept any type of password you threw at it. But then you just wouldn’t be able to sign into anything, so you’d be forced to reset your password again, but it doesn’t tell you that’s what the problem is, so you just have to sorta guess what it was.
I got to discover that one program at work lets you change your password as expected but silently drops everything after character 16 entered while doing so. Of course that’s not mentioned in any documentation I have access to.
Been there. It’s somewhat ok if they do it consistently. E.g. registration and login form both allow more than 16 chars and then just truncate the password silently.
Worse is if the registration form does it, but the login form uses the full password you entered (or vice versa) and then the login fails because the password doesn’t match…
I feel like work passwords are just always the worst security you will ever see, which sucks because you would think they would be the most important security.
I had a job once that you could put a password in and it was across multiple intranet services.
Some services wanted the password case sensitive. Some wanted the password either as all caps or all lowercase.
So anytime you put your password in, you essentially had to put the password in up to three times unless you knew how that service had it.
Documentation would have "please put password in as all caps" or "please have password completely lowercase".
Honestly, there was an unwritten rule that when you put your password in, you just did it in all caps. That way you only had to try two different passwords instead of three different passwords if you couldn’t remember what service it was.
Very concerning for comp sec. Fortune 100 company as well.
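The two failure modes the posts above describe (silent truncation at 16 characters, consistent or only on one side, and case folding) can be probed with a simple consistency check against your own signup/login pair. The following is an added example, not code from any product or poster in this thread; AuthService, its reg_norm/login_norm hooks and the probe password are all hypothetical stand-ins for the hidden behaviour being tested.

```python
import hashlib
import hmac
import os

def _derive(password: str, salt: bytes) -> bytes:
    # Low iteration count only to keep the demo fast; use far more in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)

class AuthService:
    """Toy registration/login pair. reg_norm and login_norm are hypothetical
    hooks modelling whatever each form silently does to the password before
    hashing (truncating, upper-casing, or nothing)."""
    def __init__(self, reg_norm=lambda p: p, login_norm=lambda p: p):
        self.reg_norm, self.login_norm, self.users = reg_norm, login_norm, {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, _derive(self.reg_norm(password), salt))

    def login(self, user: str, password: str) -> bool:
        salt, stored = self.users[user]
        return hmac.compare_digest(_derive(self.login_norm(password), salt), stored)

def audit(service: AuthService, probe_len: int = 32) -> dict:
    """Register a mixed-case password longer than 16 chars, then report:
    full_password_rejected: login fails with the exact registered password
                            (truncation on one side only, the worst case above);
    prefix_accepted:        some shorter prefix also logs in (silent truncation);
    case_insensitive:       the case-flipped password logs in (case folding)."""
    pw = "Aa1!" * (probe_len // 4)          # constructed probe value
    service.register("probe", pw)
    return {
        "full_password_rejected": not service.login("probe", pw),
        "prefix_accepted": any(service.login("probe", pw[:n]) for n in range(8, len(pw))),
        "case_insensitive": service.login("probe", pw.swapcase()),
    }

# Constructed services reproducing the behaviours described in the thread.
truncate16 = lambda p: p[:16]
consistent_truncation = AuthService(truncate16, truncate16)   # both forms truncate
mismatched_truncation = AuthService(truncate16, lambda p: p)  # only signup truncates
upper_only = AuthService(str.upper, str.upper)                # "all caps" service
strict = AuthService()                                        # no normalization

if __name__ == "__main__":
    for name, svc in [("consistent", consistent_truncation), ("mismatched", mismatched_truncation),
                      ("upper_only", upper_only), ("strict", strict)]:
        print(name, audit(svc))
```

Run the same three probes against a real signup and login form in a test tenant to surface these bugs before users do.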