Silent Password Length Failures

Ian Batten igb at
Sun Apr 10 22:06:08 BST 2011

I've had problems with performing some transactions through my bank's online interface of late, which resulted in opening an ISA over the phone on April 4, which was an entertainment.  I've tracked down what the issue is.  There's an n character limit on your password, but it turns out that the password I use is n+1 characters.  It lets you use n+1 characters when changing your password, and type n+1 characters when logging in.  But when you have to re-authenticate for things like transfers to new recipients, or opening new accounts, clearly a different piece of code gets used which, rather than truncating your password to n characters before processing, instead fails it for being the wrong password.  Whether this is correct behaviour (because it warns people that they are lulling themselves into a false sense of security with a longer password than is actually processed) or not, it's certainly not right to do it inconsistently...


More information about the ukcrypto mailing list
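The failure mode described in the post, modelled as an added example (this is not Ian Batten's code, nor the bank's): one verification path silently truncates the password to the limit before hashing, while a second path hashes the full string, so an n+1 character password passes login and fails re-authentication. The fix shown enforces the limit when the password is set, so the user is told rather than lulled, and routes every check through one verification function. The limit of 8 characters, the function names and the sample passwords are all constructed for this example.

```python
"""
Added example, not from the post or from any bank's code.

Models the inconsistency described: a legacy change-password and login path
that truncate to MAX_LEN before hashing, and a re-authentication path that
hashes the full string. The corrected version rejects overlong passwords at
set time and uses a single verify function everywhere.
"""
import hashlib
import hmac
import os

MAX_LEN = 8  # constructed limit, standing in for the post's "n"


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the KDF itself is not the point, consistency is.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# --- Legacy behaviour: the bug ------------------------------------------------

def legacy_set_password(password: str) -> dict:
    """Silently truncates to MAX_LEN and stores the hash of the truncated value."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password[:MAX_LEN], salt)}


def legacy_login_check(record: dict, password: str) -> bool:
    """Login path truncates the same way, so an n+1 character password 'works'."""
    candidate = _hash(password[:MAX_LEN], record["salt"])
    return hmac.compare_digest(record["hash"], candidate)


def legacy_reauth_check(record: dict, password: str) -> bool:
    """Re-authentication path hashes the full string, so the same password fails."""
    candidate = _hash(password, record["salt"])
    return hmac.compare_digest(record["hash"], candidate)


def demonstrate_inconsistency(password: str) -> tuple:
    """Returns (login_ok, reauth_ok) for a password set through the legacy path."""
    rec = legacy_set_password(password)
    return legacy_login_check(rec, password), legacy_reauth_check(rec, password)


# --- Consistent behaviour: the fix -------------------------------------------

class PasswordTooLong(ValueError):
    """Raised at set time instead of silently discarding characters."""


def set_password(password: str) -> dict:
    """Rejects passwords over MAX_LEN so nothing stored can exceed the limit."""
    if len(password) > MAX_LEN:
        raise PasswordTooLong(f"password exceeds {MAX_LEN} characters")
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}


def verify_password(record: dict, password: str) -> bool:
    """The one verification routine every path calls; it never truncates."""
    candidate = _hash(password, record["salt"])
    return hmac.compare_digest(record["hash"], candidate)


if __name__ == "__main__":
    print("legacy, 9-char password (login_ok, reauth_ok):", demonstrate_inconsistency("abcdefghi"))
    try:
        set_password("abcdefghi")
    except PasswordTooLong as exc:
        print("fixed set_password refused:", exc)
```

Whichever policy a site chooses, rejecting or truncating, the test to add to a regression suite is the one `demonstrate_inconsistency` encodes: every authentication path must give the same answer for the same stored credential and the same typed password.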