I discovered that's the way my banking app actually worked until only a few updates ago. The password was originally limited to 8 characters (why this was the case for an online bank password is beyond me) but the app would allow you to enter more characters into the password input. It only accepted the first 8 characters though, so anything you entered after those was ignored. I discovered this when I mistyped my password, adding an extra character at the end and hitting submit without thinking, and was amazed and kind of worried to find it still worked.

I’ve had the goddamn Citibank _require_ that I use a password 6 or 7 characters long on one of their systems. This year (2019).

What system is this? I had used a 20+ character password on their website using my password manager to enter it every time. One day they said the password was wrong, which was unlikely since the password manager was entering it. I ended up doing a password reset and set it to something shorter like 15 characters, and then it worked. I don't know if they truncate or not, but they've definitely allowed much longer passwords than 6 or 7 characters. I've hit this issue with their website more than once so I know they've fixed it and re-broken it a few times in the past.

I think it was the one for showing you the PIN of a corporate credit card.

Another bank I had around 3 years ago used only the 5 first characters, and these 5 first had to be numbers.

I guess anyone can just hack a password in like 1 second on a phone or something?

When I was living in Puerto Rico for work, the local credit union I was using had this same problem. Although the tooltip and messaging on the page said 8-16 chars, only the first 8 were used, and from my testing it had to be case insensitive.

I promptly updated my direct deposit with my employer and used my more secure off-island bank as the destination for the majority of my pay, and had only the minimum required to avoid fees and act as spending money put in that acct.

This was the case for Vanguard for a long time... also, it wasn't case sensitive. I'm not sure when it changed, but I think it was in the last couple years.

It's more fun when they limit you to X characters (no special characters!) while choosing the password but let you input any number of characters when logging in, and failing you when you typed too many.

