
the worst of all are those that allow you to paste the password when you set up the account, but not on login.

this leads to a situation where I have a 100-digit hashed password I have to type in by hand.

usually I just create a new account, preferably somewhere else.




I created an account for a 401k vendor that our company recently switched to. During the registration process I used a password manager to generate a 14-digit random password.

Imagine my surprise when I went to log in to the newly created account only to find out that the login screen enforced a character limit of 8 characters (both with a textfield attribute and JS). This limitation was not enforced during registration!

I had to edit the page in developer tools so I could actually paste my full password to log in. The limitation was purely client side.


haha whaat? they had a limit of 8 chars MAXIMUM? that's usually the minimum limitation!

at least they had implemented the first rule of it-security: perform all checks client-side only ;)


Ouch. So the server still accepted the 14-char password, even if the login page didn't allow it?


In macOS I use Keyboard Maestro, which allows you to create a macro that pastes the current clipboard by typing. Very handy for these no-paste text boxes.



