by arkitaip 2546 days ago
Some time ago I tried registering an account on a site where the password policy was that you couldn't use special characters and that it would discard any characters you entered after the first 15.

But you know what the worst part was?

They never bothered informing you about these limitations. The site just returned a generic error.

Not supporting special characters I can kinda understand but silently discarding characters from the password the user has picked is just evil. It took me LOTS of registration attempts and password resets before I figured out what the hell was going on.

5 comments

I registered an account for some software company that was acquiring some other services, so the left hand wasn't talking to the right.

Sure enough, different parts of the site had different password requirements, and they enforced them on password change. So you could create an account on a sub-site that wasn't accepted on the main site, which was the only site with the password change page, but you couldn't enter the old password to fix it.

I think password reset did work, but I wound up creating another password that worked in one place but not another...

I once registered a password using a special character, but I could not get in. It turned out that they URL-encoded it; if I used %21 instead of "!" I could get into the site.
I'm guessing you're the only user who figured that out. I would definitely request a password reset.

I saw a screenshot of an error dialogue on Reddit once (so possibly fake, but still hilarious) that said something like:

"You cannot use that password, because it's already in use by user Kegstand360"

The Discover card (as in Discover credit cards) had a limitation of 15 characters for the password back when I first signed up for one out of college. Even back then I was using long, complicated passwords. The "clever" thing is that they never told you about this. They just truncated it at 15 characters on both the sign-up page and the login page. I didn't realize this for several years because their password entry field was so small.
> Not supporting special characters I can kinda understand

IIRC this is mostly done to prevent SQL injection attacks. In a modern system there is no reason not to allow any characters in the password (within whatever encoding you support).

My bank has a password character limit of 32, which is actually a 31-character limit, and I was the first person to notice.
Ha, bet somebody wrote < 32 instead of <= 32.
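The three failure modes in this thread (silent truncation at 15 characters, a URL-encoding mismatch between sign-up and login, and an off-by-one on a 32-character limit) all come from doing something to the password other than hashing the bytes the user typed. The example below is added here and is not code from any poster or site; it assumes PBKDF2-HMAC-SHA256 with a 16-byte salt, reuses the thread's 15 and 32 limits, and keeps a `legacy_` pair that reproduces the truncation bug so a test can catch it.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

MAX_LEN = 32         # inclusive: a 32-character password is allowed (the bank's bug was "< 32")
MIN_LEN = 8
SALT_LEN = 16
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumption for this example)
LEGACY_TRUNCATE = 15  # the Discover-style silent cutoff, kept only to demonstrate the bug


def _normalize(password: str) -> bytes:
    # NFC so the same visible string hashes the same way on every page; no escaping,
    # no URL-encoding, no character filtering: the hash consumes the raw UTF-8 bytes.
    return unicodedata.normalize("NFC", password).encode("utf-8")


def check_policy(password: str) -> Optional[str]:
    """Return an explicit error message, or None if the password is acceptable.
    Every character is allowed; only length is checked, and the limit is inclusive."""
    n = len(unicodedata.normalize("NFC", password))
    if n < MIN_LEN:
        return f"password must be at least {MIN_LEN} characters (got {n})"
    if n > MAX_LEN:  # not '>= MAX_LEN', which would silently turn 32 into 31
        return f"password must be at most {MAX_LEN} characters (got {n})"
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(password), salt, ITERATIONS)
    return salt + digest  # stored record: salt || digest


def verify_password(stored: bytes, password: str) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", _normalize(password), salt, ITERATIONS)
    return hmac.compare_digest(digest, candidate)


# Buggy "before" variant: truncates to 15 characters without telling the user, so two
# passwords that differ only after position 15 are indistinguishable at login.
def legacy_hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    return hash_password(password[:LEGACY_TRUNCATE], salt)


def legacy_verify_password(stored: bytes, password: str) -> bool:
    return verify_password(stored, password[:LEGACY_TRUNCATE])
```

A regression test for the truncation bug is simply: hash a 16-character password and assert that a password differing only in the 16th character does not verify.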