this post was submitted on 18 Aug 2024
832 points (98.8% liked)

Cybersecurity - Memes


Last week, I tried to register for a service and was really surprised by a password limit of 16 characters. Why on earth would you impose such strict limits? Never heard of correct horse battery staple?

[–] testfactor@lemmy.world 21 points 2 months ago (3 children)

Tell me about it. USAA has a password policy of "between 8 and 12 characters."

Like, that's not even secure under old understandings of secure. A max of 12 should be, like, an actual offense with sanctions attached if they get hacked at some point. Especially for a financial institution. Ridiculous.

Definitely used a one-off password for that one...

[–] silkroadtraveler@lemmy.today 4 points 2 months ago

Wow that’s true, what a crock.

USAA strikes me as the most Wonder bread Texas Aw Shucks company that smiles to your face while outsourcing as much as possible (and stabbing you in the back in the process). Case in point. USAA only allows TOTP through Symantec’s proprietary app. I’m moving everything away from them except for auto insurance (which will likely go away at some point too as they’re not really that valuable for that anymore either).

[–] Zidane@lemmy.world 2 points 2 months ago (1 children)

I have to change my USAA password every few months because I forget about the 12 character restriction...

[–] x00z@lemmy.world 1 points 2 months ago

12characters is 12 characters long

[–] wreckedcarzz@lemmy.world 1 points 2 months ago (1 children)

Huh? I have had a USAA account for many years and my current password is far beyond 12 characters. I use both the website and the app...

[–] testfactor@lemmy.world 2 points 2 months ago (1 children)

Weird. I had to make up a new one cause all my normal passwords were too long.

Several people on here have had the same issue, it seems, and Google agrees that their limit is 12.

Not sure how you got around it. Maybe you're using a USAA reseller or something? You sure that your password's more than 12 characters?

[–] wreckedcarzz@lemmy.world 3 points 2 months ago (1 children)

Nope, direct account with USAA. I wonder if the way the user/pass is entered into the field, that it doesn't trip the check for length? I don't manually copy/paste, and also use autofill for initial setup/changing credentials. I've seen it before on other websites but it usually truncates on the login auth and yells at me.

...

I just tried it, actually - sonofabitch. It (the change password flow) took the password via pw mgr, (apparently) truncated it, accepted it; this was a while ago but I remember the process. Just now, the login flow takes my username, password, truncates it (50+ chars, 13, or 12, doesn't matter), accepts it. 11 chars throws an 'incorrect login' message, so I don't have a borked account. At no point has it ever complained about password length. Jesus christ.

[–] testfactor@lemmy.world 2 points 2 months ago

Absolutely beautiful. What a company, lol.

The real beauty of it is that I can't fathom the logic. Unless they're storing the passwords as plaintext, it's not like it can be a storage issue. The hashes will be a constant size. I guess it takes longer to hash bigger inputs, but like, that difference should be unnoticeable until thousands of characters.

Did the engineer who made it truly not fathom that people might have passwords longer than 12 characters? That's the kind of mid-90s logic that makes me genuinely worry that the passwords aren't hashed on the backend, or are just MD5'd or something...

Makes absolutely no sense at all.
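Added example, not part of the thread and not USAA's code: a constructed Python model of the behaviour described above (input silently cut to 12 characters before hashing) next to a store that hashes the whole password, showing that the stored hash is the same size either way. The class names, the 128-character cap, the PBKDF2 parameters and the sample password are all assumptions.

```python
import hashlib
import hmac
import os

MAX_LEN = 12          # limit reported in the thread
ITERATIONS = 200_000  # demo value (assumption)


def kdf(password: str, salt: bytes) -> bytes:
    # Output is always 32 bytes, whatever the password length.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)


class TruncatingStore:
    """Models the behaviour observed in the thread: silent cut to MAX_LEN."""

    def prepare(self, password: str) -> str:
        return password[:MAX_LEN]

    def set_password(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.digest = kdf(self.prepare(password), self.salt)

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.digest, kdf(self.prepare(password), self.salt))


class FullLengthStore(TruncatingStore):
    """Hardened form: hash the whole input; refuse over-long input loudly."""

    LIMIT = 128  # generous cap (assumption) that only bounds hashing cost

    def prepare(self, password: str) -> str:
        if len(password) > self.LIMIT:
            raise ValueError("password exceeds %d characters" % self.LIMIT)
        return password


def demo() -> dict:
    chosen = "correct horse battery staple"  # constructed sample password
    attempts = {"full": chosen, "13": chosen[:13], "12": chosen[:12], "11": chosen[:11]}
    results = {}
    for store in (TruncatingStore(), FullLengthStore()):
        store.set_password(chosen)
        results[type(store).__name__] = {k: store.verify(v) for k, v in attempts.items()}
    return results


if __name__ == "__main__":
    print(demo())
```

With truncation, the full passphrase and its 13- and 12-character prefixes all log in and only the 11-character prefix fails; with full-length hashing, only the exact passphrase is accepted.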