Hacker News new | past | comments | ask | show | jobs | submit login

Notably, SwissPass did not allow me to set a randomly generated, very long (>20 character) password.

It also didn't notify me that it didn't allow such passwords, it just went right ahead and created an account it was impossible to log in to.

Thankfully, I was able to reset the password to one which is far unsafer.

Well done everyone.




India Government's official Website for managing public retirement fund, NPS, eNPS does this. Password need to be changed every 90 days, of max 14 characters length, but no where documented. On password change page, it will silently accept your any 14+ length password & will truncate it to 14. Then you try to login with your actual password, it gives error, Wrong Password.


That's just stunningly bad (both the 90 days reset, and the silent (!) truncation to 14 characters...)


In the U. S., Washington state's initial rollout of their ACA site did that. Gave it a big, long >20 char password, it created the account, go to log in and...

How did I figure out what was going on? They would happily email your password in plain text. </facepalm>


The first thing I would try in that situation is to input the first 16 characters of that randomly generated password.

I've stumbled upon login fields that just dismissed everything after the 16th character a few times.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: