by jedediah 6105 days ago
It could be that the bank was hashing the passwords all along, but just truncating the user's input before hashing it and comparing it to the saved value. Not that I think this is what happened, but I'm just saying it could be.
2 comments

If they did that, his old password would still work. His use of "no longer" implies that the password used to work before the policy change.

Unless at some point they started rejecting long passwords just for being long, without checking them against the database. And this is just not plausible.

Then what would the newly entered shorter value match to?

123456 -> hash code 1

123 -> hash code 2 (which doesn't exist in their db)
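The two mechanisms argued over in this thread (truncating the input before hashing, versus rejecting long inputs outright before any lookup) behave differently in exactly the way the replies describe. The following is an added example, not code from the bank or from any of the commenters; it assumes a hypothetical 8-character limit and uses PBKDF2 with a deliberately low iteration count so it runs quickly.

```python
import hashlib
import hmac
import os

# Hypothetical limit; the thread never states the bank's actual value.
MAX_LEN = 8


def _digest(password: str, salt: bytes, max_len: int) -> bytes:
    """Hash the user's input after silently truncating it to max_len characters.

    This is the behaviour the top comment speculates about: the stored value is
    hash(truncate(password)), so any input sharing the first max_len characters
    produces the same digest.
    """
    truncated = password[:max_len].encode("utf-8")
    # Low iteration count only to keep the demo fast; a real store would use a
    # slow KDF with a proper work factor.
    return hashlib.pbkdf2_hmac("sha256", truncated, salt, 1000)


class TruncatingStore:
    """Truncate-then-hash: the old long password keeps working after the limit."""

    def __init__(self, max_len: int = MAX_LEN):
        self.max_len = max_len
        self.records = {}  # username -> (salt, digest)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.records[user] = (salt, _digest(password, salt, self.max_len))

    def verify(self, user: str, password: str) -> bool:
        rec = self.records.get(user)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, _digest(password, salt, self.max_len))


class LengthPolicyStore(TruncatingStore):
    """The alternative from the second reply: reject long input before any
    database comparison, so a previously working long password stops working."""

    def verify(self, user: str, password: str) -> bool:
        if len(password) > self.max_len:
            return False
        return super().verify(user, password)


def demo() -> dict:
    # Constructed sample accounts and passwords.
    store = TruncatingStore(max_len=8)
    store.register("alice", "correcthorsebattery")
    results = {
        # Truncate-then-hash: the long password still verifies after the policy.
        "long_still_works": store.verify("alice", "correcthorsebattery"),
        # ...and so does its first 8 characters, since the digest is the same.
        "prefix_works": store.verify("alice", "correcth"),
        # A different, shorter input produces a different digest and fails.
        "different_prefix_fails": store.verify("alice", "correct"),
    }
    policy = LengthPolicyStore(max_len=8)
    policy.register("bob", "correcthorsebattery")
    # Length rejection: the old long password is refused without a lookup.
    results["policy_rejects_long"] = policy.verify("bob", "correcthorsebattery")
    results["policy_prefix_works"] = policy.verify("bob", "correcth")
    # The 123456 / 123 case from the thread: both are under the limit, so
    # "123" is hashed as-is and does not match the stored digest of "123456".
    store.register("carol", "123456")
    results["short_mismatch"] = store.verify("carol", "123")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The `TruncatingStore` case shows why the first reply is right that silent truncation alone would not make an old password stop working; the `LengthPolicyStore` case is the only one of the two in which "no longer works" follows, and it requires a length check that runs before the hash comparison.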