It’s fucking insane that an internet banking portal has such a low cap on max characters and such shitty rule enforcement.
Their desktop site is even more shitty. It won’t allow right click or paste actions. There goes compatibility with password managers.
Bitwarden has a function where it types in (not pastes) the password and shows the prompt for it without right-click.
And even if theres an app for Windows (https://github.com/jlaundry/TypeClipboard) that can type it for you and even has a shortcut.
I am sure someone in the linux world knows an equivalent tool.
We use it at work to paste long passwords when remoting in.Nice find, thanks for sharing.
For Macs (only Macs, I believe), there is StopTheMadness, which, uh well, stops the madness (test page here for some examples it can re-enable).
On Mac you can use Hammerspoon and just create a shortcut to
hs.eventtap.keyStrokes(hs.pasteboard.getContents())
As a super secret dev hack may I introduce you to
shift + insert
a fair few sites specifically blockctrl + v
instead of properly disabling the clipboard action and, of course, if you read this and then submit a Jira ticket to blockshift + insert
… well… h8uYou can also drag the password in from another text field instead of pasting
I usually to in the developer tools and manually disable the thing preventing the paste action. It’s usually a string to remove some JS or something or an Event that you need to uncheck
If you’re opening up the dev tools you can also paste your string directly into
<input value="" />
unless something weird is going on.
Aah… I completely forgot about that. Will try next time. Also yesterday I saw Shift + F10 will show the context menu. Yet to test it on this site.
Any password manager should be able to “type in” the password. Or be a browser plugin that doesn’t rely on copy pasting, but use other mechanisms to inject it directly into the field.
But yes, if that’s their online portal, I am not kidding I would change banks.
Visa has a hard limit of 8 and requires the first 4 to be numbers because the phone tree might require it as a password
The whole banking industry is ridiculous and is ridiculously legislated
USAA has 8-12 ONLY. My smallest memorized password algorithm is 13 characters, that I typically use for throwaways, doesn’t even fit.
I had to create an account on a government website. The website didn’t list a character limit so I used a password manager to generate a 32 character password. My account was created but I couldn’t log in. I used the “forgot my password” option and I received an email of my password in plain text. I also noticed why I couldn’t log in. The password was truncated to just 20 characters. Brilliant website! Tax dollars at work!
Some internet banking sites give access after only asking for login password. They will only ask for transaction password and OTP (that will only come on phone) later on. Asking for two passwords isn’t necessarily more secure since many people will just reuse their original one again. And OTP instead of offering something like hardware security key is insane.
The ERP software I have to use has a strict limit of 6 characters as password. Only alphabet and numbers allowed.
Maybe when I leave I try an SQL injection.
Bobby tables, noooooooo!
It is insane that any internet banking portal still uses a static password.
wdym? What’s a dynamic password?
A rotating code key - a lot of banks these days will give you a fob to enter a rotating proof of ownership off of along with your password.
Time-based one-time passwords. It’s been used for years for multi-factor authentication.
Yeah, multi factor, that means you still have a regular password as well as the totp.
that was one example of where they are used lol
seriously, I’ve never seen a bank with password login to begin with. Every bank i know of uses physical devices that you type a code into
Never heard of this. Where is this at? :o
Sweden. The little keyfob thingies have been the thing for many decades here, I would guess ever since the dawn of internet banking, but I’d have to ask my parents instead of just assuming. I used to assume that was just normal for banks in the world at large. When you want to log in, the website gives you a code, you type the code into the fob and it responds with another code you type in to the website.
Nowadays they additionally offer login via BankID, a mobile app used throughout Sweden for personal online identification.
As a German, when living in Sweden, I was (and still am) very impressed, how widespread the use of (Mobile) Bank ID, beside the use of the personal ID number (As a male German, the state has assigned me at least three different ones without requiring any interaction.) for basically everything, is.
In Germany, before introducing a second electronic way of authentication for online (or phone) banking, it was done by a chosen password and a TAN (transaction number) from a list that you regularly got sent by mail in a special envelope. Later it was replaced by that “thingy”, a mobile TAN generator, or push TAN via SMS.
OMG the special envelope seems to make it specially easier for people to steal just the right mail
It was not special from the outside, but from the inside. It was either the envelope or the TAN list that was printed with a special pattern to prevent reading the list by using a flashlight.
My bank’s password used to have to be exactly 6 characters, no special characters and you could use numbers and letters interchangeably because it was also your phone banking password.
a previous bank used to have a max password length of 8 characters, then proudly announced that they will increase it to 32
Then I made a typo at the end of my password and it let me in anyway, and I realised they were just trimming the first 8 characters to give the illusion of security
That is so insane. To think they would rather just clip the passwords instead of habing it be longer.
Did you try out your hypothesis by using the first 8 letters than just random junk until you hit your password length?
I tried then first N characters of my password until I found out the threshold was at 8, then I tried with the first 8 chartacters of my password and then random junk and it worked.
I also had two friends in the same bank to validate
Unbelievable.
It says one special character, not at least one. Maybe the password has more than one.
Holy shit!! You did it. I would never expect a banking password to max special characters. I have been scratching my head with Bitwarden and this shitty app for an hour.
Yeah but It still states “A combination of letters, digits and special charaters”
It should then be spelled as “A combination of letters digits, and one special character”
But wouldn’t that mean the bottom checkbox should be cleared and the 2nd one should be checked?
Still doesn’t make sense.
Yeah that’s true. The UI does not accurately represent the validation conditions.
And the wording is fucking terrible as well
i have to wonder if banks actively don’t want us to use them
You solved the puzzle! here is a cookie for you :D 🍪
Yay!
Good catch.
Also psh, there’s no verb, suggesting the password should be exactly one special character and nothing else.
That programmer has obviously been playing https://neal.fun/password-game/
I remember seeing the most optimal password for this game but now I can’t find it
problem is the late stages of the game the password requirements change when your password’s emojis start catching fire.
I can never get past the geoguesser part
Last time I got pretty deep in, but it became impossible when the chess notation rule required Cs and Ds, making it impossible to stay below the roman numberal sum limit.
Your Internet Banking Password should one special character (~!@#%^&*)
Great grammar on their part.
atleast a 5/10 in effort
Yeah, they noticed their mistake too late, hence the expletive.
Please tell me someone didn’t buy software with ‘atleast’ spelled like that in there. Please, tell me someone tested the web app and had the brains God gave a douglas fir and knew that wasn’t a word; that it was never a word; that the writer’s spell check should have picked that up; that it’s not been over-ruled by stupid so much that it just takes it.
“Atleast”?
it’s British. they also do “aswell”
No we don’t.
The USCIS site makes it clear that your CAN use emojis in your password.
ETA: but not required.
It says “one special character”. Not “at least one”.
oh. oh god. what the fuck.
You are using a special character that is likely reserved internally
This was a new one for me:
Translation: Password strength: weak. Please don’t use any special characters.
It was a generated 14 char password… (╯°□°)╯︵ ┻━┻)
When you enter an apostrophe, and the site returns a 500 response stating you are trying to attack it. (And yeah, it’s always 500, not 400.)
I used to use a system that was perfectly happy to let you use a semicolon when setting the password, but then login would fail if you did.
My guess is they mean, one capital letter, one lower case letter, a number, and a special character
what’s always amused me about these rules is that they exist because people are dumb. Technically, they lower the difficulty of the passwords slightly. ( for example, knowning that one character is a number reduces it to 10 options in stead of 10+26+26+whatever set of special characters)
anyhow. people should use password managers. just saying.
If you have to try really hard to meet their password requirements, that’s how you know it’s super secure.
Now imagine how many services just silently cut off your password at 8 characters and people never notice.
UltraVNC is very guilty of this.
Once upon a time, battle.net passwords weren’t case sensitive. I used upper and lower case letters in my password then one day realized I didn’t hit shift for one of the caps as I hit enter out of habit, but then it still let me in instead of asking for the password again.
It was disappointing because it takes more work to remove case-sensitivity than to leave it. I can’t think of any good reason to remove it. At least the character limit had a technical reason behind it: having a set size for fields means your database can be more efficient. Better to use the size of a hash and not store the password in plaintext, so it’s not a good reason, but at least it’s a reason.
At least the character limit had a technical reason behind it: having a set size for fields means your database can be more efficient.
If that is the actual technical reason behind it, that is a huge red flag. When you hash a password, the hash is a fixed size. The size of the original password does not matter, because it should not be stored anyway.
Correct, hence the sentence after the one you quoted :)
If any service can recover your password and send it back to you rather than just resetting it for you to set a new one, don’t rely on that service for anything you want to keep secure. And certainly don’t reuse a password there, though you shouldn’t be reusing passwords anyways because who knows what they are and aren’t storing, even if they don’t offer password recovery.
Sorry, didn’t want this to look like an attack or disagreement. Just wanted to highlight that point, because arbitrary maximum sizes for passwords are a pet peeve of mine.
It’s possible that the passwords want through an old ass cobalt system or something that forced everything to be capitalized so to solve that they made everything non case sensitive.
But even that sounds insane as the passwords should have been hashed.
Wells Fargo cuts to 14 on their sign in page but not on their change password page, ask me how I know
Since when is “atleast” a word?