this post was submitted on 18 Aug 2024
845 points (98.8% liked)

Cybersecurity - Memes

1893 readers
5 users here now

Only the hottest memes in Cybersecurity

founded 1 year ago
MODERATORS
Sam1232188@lemmy.world
neurohost@lemmy.world
Alphadef@programming.dev
CannaVet@lemmy.world
845
Password length requirement (feddit.org)
submitted 1 month ago* (last edited 1 month ago) by cron@feddit.org to c/cybersecuritymemes@lemmy.world
172 comments fedilink hide all child comments
 

Last week, I tried to register for a service and was really surprised by a password limit of 16 characters. Why on earth yould you impose such strict limits? Never heard of correct horse battery staple?

you are viewing a single comment's thread
view the rest of the comments
[–] lseif@sopuli.xyz 33 points 1 month ago (6 children)

worst i've seen is 8 characters. precisely 8 characters, no more no less........ it was for a bank ....

[–] dwemthy@lemdro.id 16 points 1 month ago (1 children)

A major US bank that I used to use has case insensitive passwords, found that out one day when I noticed caps lock was on after logging in with no trouble

[–] viking@infosec.pub 12 points 1 month ago (2 children)

Makes you wonder if they store the password in plain text, or convert to lower key during your first input so it's at least hashed. I wouldn't be surprised if it's not.

[–] lseif@sopuli.xyz 10 points 1 month ago (1 children)

they store the passwords as filenames on a windows system

[–] subignition@fedia.io 4 points 1 month ago (1 children)

Put a colon in your password and crash the whole system

[–] lseif@sopuli.xyz 2 points 1 month ago

set your password as GodMode.{ED7BA470-8E54-465E-825C-99712043E01C} for infinite money glitch

[–] JustAnotherRando@lemmy.world 4 points 1 month ago* (last edited 1 month ago)

I don't think it could be hashed if it is case insensitive. It's fairly early so I may be misremembering but I'm not aware of any hashing algo that ignores case.

Edit: Ah, actually they could be storing the password as a hash, but they would probably have to do like a password. ToLower() call or something where they morphed the string before checking... The thought of which just makes me shudder.

[–] tiredofsametab@fedia.io 6 points 1 month ago (1 children)

Early 2000s internet banking was a trip.

[–] lseif@sopuli.xyz 2 points 1 month ago

i think this was about a year ago when they changed it....

[–] Revan343@lemmy.ca 3 points 1 month ago* (last edited 1 month ago)

Ha. I had the same thing, with a government-run student loan website

[–] 299792458ms@lemmy.zip 3 points 1 month ago

I had to make a 10 character password for Santander

[–] Donkter@lemmy.world 3 points 1 month ago (2 children)

The fact that it was a power of 2 makes me suspect lazy coding. That bank didn't pay its programmers well enough.

[–] milicent_bystandr@lemm.ee 3 points 1 month ago

Banks don't have much money for paying people, methinks. They're famously poor practically non-profits.

[–] lseif@sopuli.xyz 1 points 1 month ago

maybe they store the entire password as a u64 and bitmask out each character

[–] proton_lynx@lemmy.world 3 points 1 month ago (2 children)

No no, not 8 characters, 8 numerical characters!

[–] JackbyDev@programming.dev 5 points 1 month ago (1 children)

Whoa whoa whoa, did you use two of the same number in a row? Insecure!

[–] proton_lynx@lemmy.world 2 points 1 month ago

Is that a sequence? No way, José!

[–] milicent_bystandr@lemm.ee 3 points 1 month ago

Numerical Chateaubriand*, and total sum must be less than 3.

* okay Google, if that's what you really think I meant to type.