this post was submitted on 18 Aug 2024
843 points (98.7% liked)

Cybersecurity - Memes


Last week, I tried to register for a service and was really surprised by a password limit of 16 characters. Why on earth would you impose such strict limits? Never heard of correct horse battery staple?

[–] lseif@sopuli.xyz 33 points 11 months ago (6 children)

worst i've seen is 8 characters. precisely 8 characters, no more no less........ it was for a bank ....

[–] dwemthy@lemdro.id 16 points 11 months ago (1 children)

A major US bank that I used to use has case insensitive passwords, found that out one day when I noticed caps lock was on after logging in with no trouble

[–] viking@infosec.pub 13 points 11 months ago (2 children)

Makes you wonder if they store the password in plain text, or convert to lower key during your first input so it's at least hashed. I wouldn't be surprised if it's not.

[–] lseif@sopuli.xyz 12 points 11 months ago (1 children)

they store the passwords as filenames on a windows system

[–] subignition@fedia.io 4 points 11 months ago (1 children)

Put a colon in your password and crash the whole system

[–] lseif@sopuli.xyz 2 points 11 months ago

set your password as GodMode.{ED7BA470-8E54-465E-825C-99712043E01C} for infinite money glitch

[–] JustAnotherRando@lemmy.world 4 points 11 months ago* (last edited 11 months ago)

I don't think it could be hashed if it is case insensitive. It's fairly early so I may be misremembering but I'm not aware of any hashing algo that ignores case.

Edit: Ah, actually they could be storing the password as a hash, but they would probably have to do like a password.ToLower() call or something where they morphed the string before checking... The thought of which just makes me shudder.

[–] tiredofsametab@fedia.io 6 points 11 months ago (1 children)

Early 2000s internet banking was a trip.

[–] lseif@sopuli.xyz 2 points 11 months ago

i think this was about a year ago when they changed it....

[–] Donkter@lemmy.world 3 points 11 months ago (2 children)

The fact that it was a power of 2 makes me suspect lazy coding. That bank didn't pay its programmers well enough.

[–] milicent_bystandr@lemm.ee 4 points 11 months ago

Banks don't have much money for paying people, methinks. They're famously poor, practically non-profits.

[–] lseif@sopuli.xyz 1 points 11 months ago

maybe they store the entire password as a u64 and bitmask out each character

[–] 299792458ms@lemmy.zip 3 points 11 months ago

I had to make a 10 character password for Santander

[–] proton_lynx@lemmy.world 3 points 11 months ago (2 children)

No no, not 8 characters, 8 numerical characters!

[–] JackbyDev@programming.dev 6 points 11 months ago (1 children)

Whoa whoa whoa, did you use two of the same number in a row? Insecure!

[–] proton_lynx@lemmy.world 2 points 11 months ago

Is that a sequence? No way, José!

[–] milicent_bystandr@lemm.ee 3 points 11 months ago

Numerical Chateaubriand*, and total sum must be less than 3.

* okay Google, if that's what you really think I meant to type.

[–] Revan343@lemmy.ca 3 points 11 months ago* (last edited 11 months ago)

Ha. I had the same thing, with a government-run student loan website