My ‘favorite’ password rules are incorrect rules. Recently signed up to a service, which looked like it hasn’t been updated since the 90s. They sent me my password via letter, but hey, I was allowed to change it digitally.
So, I did. I set it to a reasonably long password (probably something like 22 characters), with no problems.
Then I went to log in and it refused my login. I copied my password out of my password manager, for both setting it and logging in, so there was no way that it was wrong. I quadruple checked the login name, but no luck.
Eventually, I manually typed the password from my password manager. Then I saw it, their password field stopped accepting inputs after about 20 characters.
Presumably, I was able to set my long password on the registration page, but the login page did not accept this long of a password. Fucking ace.
I had to order another password letter.
As a website developer, it’s easy to just use the ‘maxlength’ attribute on fields you don’t want to exceed a certain length (for valid reasons or not). But then exactly this happens: A user pastes something in there, doesn’t notice that their input got truncated, and something, somewhere breaks.
‘maxlength’ is terrible user experience.
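
The mismatch described in the thread, as an added example that is not part of either comment: a registration field with no limit and a login field cut at 20 characters, next to a version that checks one shared limit on both paths and rejects instead of truncating. The 20 and 128 limits, the user name and the 22-character sample password are constructed for illustration.

```javascript
// Added example: models the thread's failure without a browser.
// Limits, user names and the sample password are constructed.
const SAMPLE = "correct-horse-battery9"; // 22 characters

// What a field with maxlength submits after a paste: the value is cut
// silently at the limit (undefined means the field has no limit).
function fieldValue(pasted, maxlength) {
  return maxlength === undefined ? pasted : pasted.slice(0, maxlength);
}

// Shared server-side rule: reject with a message, never truncate.
const MAX_PASSWORD_LENGTH = 128; // assumed limit
function validatePassword(password) {
  if (password.length > MAX_PASSWORD_LENGTH) {
    return { ok: false, error: `Password is longer than ${MAX_PASSWORD_LENGTH} characters` };
  }
  return { ok: true, error: null };
}

// A tiny account service. `forms` gives each field's maxlength and
// `validate` runs on both paths. The Map stands in for a table of
// password hashes; === stands in for hash verification.
function makeService(forms, validate) {
  const accounts = new Map();
  return {
    register(user, pasted) {
      const password = fieldValue(pasted, forms.register);
      const check = validate(password);
      if (check.ok) accounts.set(user, password);
      return check;
    },
    login(user, pasted) {
      const password = fieldValue(pasted, forms.login);
      const check = validate(password);
      if (!check.ok) return check;
      const ok = accounts.get(user) === password;
      return { ok, error: ok ? null : "Invalid login" };
    },
  };
}

const acceptAll = () => ({ ok: true, error: null });
// Before: registration has no limit, the login field stops at 20.
const broken = makeService({ register: undefined, login: 20 }, acceptAll);
// After: no maxlength on either field, one validated limit for both.
const fixed = makeService({ register: undefined, login: undefined }, validatePassword);
```

With `broken`, registering `SAMPLE` succeeds and logging in with the same pasted value fails; with `fixed`, both succeed, and an over-long value gets a visible error on either path.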