by lysp 2993 days ago
Funny story - I had an old short-length insecure password on a website that I hadn't used for years.

I decided to log in and change it to a randomly generated secure password. However, they had upgraded their off-the-shelf software some time over the last 4-5 years to a newer version.

The problem was, on their password change page the "new password" field had a minimum length of 8 characters; however, the "OLD password" field also had that exact same requirement.

So I put in:

* Old: 12345

* New: 717&t!1XFCWJWk!q@ut3B

* Confirm: 717&t!1XFCWJWk!q@ut3B

And got an error "your password must be 8 characters or greater".

After swearing a few times, I breakpointed and edited the javascript validation to remove the length requirement and submitted the change again - this time got a server-side error saying the same thing.

I ended up beating it by logging out, clicking "I've forgot my password" and resetting it via email.

2 comments

> edited the javascript validation

You probably broke the law there O_O

How can there be a law that prevents running arbitrary code on my own box?

I had a similar experience with a city bill pay website, except in this situation it was a new account and they simply didn't prevent me from setting the password to something long in the first place, so once my account was created I wasn't allowed in. And because you need to log in once to verify your email, I couldn't reset the damn thing either.