Silent Password Length Failures
igb at batten.eu.org
Sun Apr 10 22:06:08 BST 2011
I've had problems with performing some transactions through my bank's online interface of late, which resulted in opening an ISA over the phone on April 4, which was an entertainment. I've tracked down what the issue is. There's an n character limit on your password, but it turns out that the password I use is n+1 characters. It lets you use n+1 characters when changing your password, and type n+1 characters when logging in. But when you have to re-authenticate for things like transfers to new recipients, or opening new accounts, clearly a different piece of code gets used which, rather than truncating your password to n characters before processing, instead fails it for being the wrong password. Whether this is correct behaviour (because it warns people that they are lulling themselves into a false sense of security with a longer password than is actually processed) or not, it's certainly not right to do it inconsistently...
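An added illustration, not part of the original post, of the failure mode described above: one model where change-password and login silently truncate to the limit while re-authentication does not, beside a model that applies a single length rule on every path. The limit of 12 characters and the class names are constructed for the example.

```python
import hashlib
import hmac
import os

MAX_LEN = 12  # constructed stand-in for the post's "n"


def _digest(password: str, salt: bytes) -> bytes:
    # A real KDF so the stored value is a hash; the bug is in what is fed to it.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class InconsistentAuth:
    """Change-password and login truncate to MAX_LEN; re-auth does not."""

    def __init__(self) -> None:
        self.salt = os.urandom(16)
        self.stored = b""

    def set_password(self, password: str) -> None:
        self.stored = _digest(password[:MAX_LEN], self.salt)  # silent truncation

    def login(self, password: str) -> bool:
        return hmac.compare_digest(_digest(password[:MAX_LEN], self.salt), self.stored)

    def reauthenticate(self, password: str) -> bool:
        # A different code path: full-length input against a truncated hash,
        # so an n+1 character password that logs in fine fails here.
        return hmac.compare_digest(_digest(password, self.salt), self.stored)


class ConsistentAuth(InconsistentAuth):
    """One rule everywhere: reject over-long passwords loudly at set time,
    and never truncate on any verification path."""

    def set_password(self, password: str) -> None:
        if len(password) > MAX_LEN:
            raise ValueError(f"password longer than {MAX_LEN} characters")
        self.stored = _digest(password, self.salt)

    def login(self, password: str) -> bool:
        return hmac.compare_digest(_digest(password, self.salt), self.stored)

    reauthenticate = login  # same check, same code path


def demonstrate(password: str) -> dict:
    """Outcome of set/login/re-auth for one password under both models."""
    results = {}
    for name, cls in (("inconsistent", InconsistentAuth), ("consistent", ConsistentAuth)):
        auth = cls()
        try:
            auth.set_password(password)
        except ValueError:
            results[name] = {"set": False}  # refused up front, nothing silently lost
            continue
        results[name] = {"set": True, "login": auth.login(password),
                         "reauth": auth.reauthenticate(password)}
    return results
```

Running `demonstrate("a" * (MAX_LEN + 1))` reproduces the post's symptom on the inconsistent model (login succeeds, re-authentication fails) and a clear refusal on the consistent one.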