Edit: @[email protected] solved it. It says “one special character”. Not “at least one”.

  • @[email protected]
    link
    fedilink
    2212 months ago

    It’s fucking insane that an internet banking portal has such a low cap on max characters and such shitty rule enforcement.

    • @[email protected]OP
      link
      fedilink
      892 months ago

      Their desktop site is even more shitty. It won’t allow right click or paste actions. There goes compatibility with password managers.

      • @[email protected]
        link
        fedilink
        582 months ago

        Bitwarden has a function where it types in (not pastes) the password and shows the prompt for it without right-click.

          • @[email protected]
            link
            fedilink
            32 months ago

            On Mac you can use Hammerspoon and just create a shortcut to hs.eventtap.keyStrokes(hs.pasteboard.getContents())

          • @[email protected]
            link
            fedilink
            12 months ago

            Nice find, thanks for sharing.

            For Macs (only Macs, I believe), there is StopTheMadness, which, uh well, stops the madness (test page here for some examples it can re-enable).

      • @[email protected]
        link
        fedilink
        382 months ago

        As a super secret dev hack may I introduce you to shift + insert a fair few sites specifically block ctrl + v instead of properly disabling the clipboard action and, of course, if you read this and then submit a Jira ticket to block shift + insert… well… h8u

        • Pasta Dental
          link
          fedilink
          142 months ago

          I usually to in the developer tools and manually disable the thing preventing the paste action. It’s usually a string to remove some JS or something or an Event that you need to uncheck

        • @[email protected]OP
          link
          fedilink
          62 months ago

          Aah… I completely forgot about that. Will try next time. Also yesterday I saw Shift + F10 will show the context menu. Yet to test it on this site.

      • @[email protected]
        link
        fedilink
        172 months ago

        Any password manager should be able to “type in” the password. Or be a browser plugin that doesn’t rely on copy pasting, but use other mechanisms to inject it directly into the field.

        But yes, if that’s their online portal, I am not kidding I would change banks.

    • @[email protected]
      link
      fedilink
      332 months ago

      My bank’s password used to have to be exactly 6 characters, no special characters and you could use numbers and letters interchangeably because it was also your phone banking password.

      • @[email protected]
        link
        fedilink
        41
        edit-2
        2 months ago

        a previous bank used to have a max password length of 8 characters, then proudly announced that they will increase it to 32

        Then I made a typo at the end of my password and it let me in anyway, and I realised they were just trimming the first 8 characters to give the illusion of security

        • WIZARD POPE💫
          link
          fedilink
          152 months ago

          That is so insane. To think they would rather just clip the passwords instead of habing it be longer.

          Did you try out your hypothesis by using the first 8 letters than just random junk until you hit your password length?

          • @[email protected]
            link
            fedilink
            162 months ago

            I tried then first N characters of my password until I found out the threshold was at 8, then I tried with the first 8 chartacters of my password and then random junk and it worked.

            I also had two friends in the same bank to validate

    • @[email protected]
      link
      fedilink
      272 months ago

      Visa has a hard limit of 8 and requires the first 4 to be numbers because the phone tree might require it as a password

      The whole banking industry is ridiculous and is ridiculously legislated

      • @[email protected]
        link
        fedilink
        62 months ago

        USAA has 8-12 ONLY. My smallest memorized password algorithm is 13 characters, that I typically use for throwaways, doesn’t even fit.

    • @[email protected]
      link
      fedilink
      192 months ago

      The ERP software I have to use has a strict limit of 6 characters as password. Only alphabet and numbers allowed.

      Maybe when I leave I try an SQL injection.

    • @[email protected]
      link
      fedilink
      122 months ago

      I had to create an account on a government website. The website didn’t list a character limit so I used a password manager to generate a 32 character password. My account was created but I couldn’t log in. I used the “forgot my password” option and I received an email of my password in plain text. I also noticed why I couldn’t log in. The password was truncated to just 20 characters. Brilliant website! Tax dollars at work!

    • @[email protected]
      link
      fedilink
      92 months ago

      seriously, I’ve never seen a bank with password login to begin with. Every bank i know of uses physical devices that you type a code into

        • @[email protected]
          link
          fedilink
          92 months ago

          Sweden. The little keyfob thingies have been the thing for many decades here, I would guess ever since the dawn of internet banking, but I’d have to ask my parents instead of just assuming. I used to assume that was just normal for banks in the world at large. When you want to log in, the website gives you a code, you type the code into the fob and it responds with another code you type in to the website.

          Nowadays they additionally offer login via BankID, a mobile app used throughout Sweden for personal online identification.

          • @[email protected]
            link
            fedilink
            8
            edit-2
            2 months ago

            As a German, when living in Sweden, I was (and still am) very impressed, how widespread the use of (Mobile) Bank ID, beside the use of the personal ID number (As a male German, the state has assigned me at least three different ones without requiring any interaction.) for basically everything, is.

            In Germany, before introducing a second electronic way of authentication for online (or phone) banking, it was done by a chosen password and a TAN (transaction number) from a list that you regularly got sent by mail in a special envelope. Later it was replaced by that “thingy”, a mobile TAN generator, or push TAN via SMS.

            • @[email protected]
              link
              fedilink
              42 months ago

              OMG the special envelope seems to make it specially easier for people to steal just the right mail

              • @[email protected]
                link
                fedilink
                52 months ago

                It was not special from the outside, but from the inside. It was either the envelope or the TAN list that was printed with a special pattern to prevent reading the list by using a flashlight.

          • OTP for 2FA has just started becoming common here (US) within the last decade I think. Each bank has its own separate app and many banks seem to limit password lengths to less than other websites.

    • @[email protected]
      link
      fedilink
      82 months ago

      Some internet banking sites give access after only asking for login password. They will only ask for transaction password and OTP (that will only come on phone) later on. Asking for two passwords isn’t necessarily more secure since many people will just reuse their original one again. And OTP instead of offering something like hardware security key is insane.

      • @[email protected]
        link
        fedilink
        English
        52 months ago

        My bank uses 6 digit ‘customer number’ (which is set by the bank) and that’s verified with an app and a personal PIN (app shows ‘login attempt ABCD at mm.dd. hh:mm’ where ABCD is shown on login page too) or via SMS OTP (again with ‘ABCD’ verification). And again with personal pin + app or OTP to confirm transactions. The app itself can be protected with a fingerprint or phone pin and every new installation needs to be registered to the system, so I can’t just use my phone app to access my wifes account (or anyone elses) but I still can map multiple accounts (like corporate ones) to the same installation.

        I think that’s pretty reasonable approach.

      • @[email protected]
        link
        fedilink
        32 months ago

        Reason why I took a hardware tan generator versus using the OTP function of one of their other apps.
        Thanks but no, I will use the old crusty method as I know how easy that’s hacked.

    • Ech
      link
      fedilink
      English
      52 months ago

      They can’t even properly check their copy on critical infrastructure. Top notch work over there, top to bottom.

    • @[email protected]OP
      link
      fedilink
      1072 months ago

      Holy shit!! You did it. I would never expect a banking password to max special characters. I have been scratching my head with Bitwarden and this shitty app for an hour.

    • whoareu
      link
      fedilink
      102 months ago

      You solved the puzzle! here is a cookie for you :D 🍪

    • @[email protected]
      link
      fedilink
      English
      3
      edit-2
      2 months ago

      I love how the acceptance/rejection status is messed up.

      If it’s only one special character, then that should be unchecked not check, and the combination of “letters, numbers and special characters” should be check marked.

      • @[email protected]
        link
        fedilink
        192 months ago

        problem is the late stages of the game the password requirements change when your password’s emojis start catching fire.

      • @[email protected]
        link
        fedilink
        32 months ago

        Last time I got pretty deep in, but it became impossible when the chess notation rule required Cs and Ds, making it impossible to stay below the roman numberal sum limit.

      • Veloxization
        link
        fedilink
        22 months ago

        I got past it because it happened to throw a place from my country. And there was also a flagpole with a flag on it to really drive it home. XD

      • @[email protected]
        link
        fedilink
        22 months ago

        I used Google lens. Got stuck afterwards on a chess rule. The captcha rule used the notation for the chess one to complicate it further haha

  • @[email protected]
    link
    fedilink
    English
    482 months ago

    If >1 special character is not allowed the last check should be failed . The second check is literally satisfied even if there are 2+ specials.

    I’d not be using that bank.

  • @[email protected]
    link
    fedilink
    282 months ago

    Now imagine how many services just silently cut off your password at 8 characters and people never notice.

    UltraVNC is very guilty of this.

    • @[email protected]
      link
      fedilink
      162 months ago

      Wells Fargo cuts to 14 on their sign in page but not on their change password page, ask me how I know

    • @[email protected]
      link
      fedilink
      122 months ago

      Once upon a time, battle.net passwords weren’t case sensitive. I used upper and lower case letters in my password then one day realized I didn’t hit shift for one of the caps as I hit enter out of habit, but then it still let me in instead of asking for the password again.

      It was disappointing because it takes more work to remove case-sensitivity than to leave it. I can’t think of any good reason to remove it. At least the character limit had a technical reason behind it: having a set size for fields means your database can be more efficient. Better to use the size of a hash and not store the password in plaintext, so it’s not a good reason, but at least it’s a reason.

      • @[email protected]
        link
        fedilink
        12
        edit-2
        2 months ago

        It’s possible that the passwords want through an old ass cobalt system or something that forced everything to be capitalized so to solve that they made everything non case sensitive.

        But even that sounds insane as the passwords should have been hashed.

      • NotAnOnionAtAll
        link
        fedilink
        72 months ago

        At least the character limit had a technical reason behind it: having a set size for fields means your database can be more efficient.

        If that is the actual technical reason behind it, that is a huge red flag. When you hash a password, the hash is a fixed size. The size of the original password does not matter, because it should not be stored anyway.

        • @[email protected]
          link
          fedilink
          32 months ago

          Correct, hence the sentence after the one you quoted :)

          If any service can recover your password and send it back to you rather than just resetting it for you to set a new one, don’t rely on that service for anything you want to keep secure. And certainly don’t reuse a password there, though you shouldn’t be reusing passwords anyways because who knows what they are and aren’t storing, even if they don’t offer password recovery.

          • NotAnOnionAtAll
            link
            fedilink
            32 months ago

            Sorry, didn’t want this to look like an attack or disagreement. Just wanted to highlight that point, because arbitrary maximum sizes for passwords are a pet peeve of mine.

            • @[email protected]
              link
              fedilink
              32 months ago

              Yeah no worries and agreed. I hate seeing commercial sites using worse password sanitization practices than I used for my first development website that wasn’t even really intended for anyone else to log in to and any max length suggests the password is either stored or processed in plaintext.

              IMO it should even be hashed on the client side before being sent so that it doesn’t show up as plaintext in any http requests or logs. Then salted and hashed again server side before being stored (or checked for login).

              • @[email protected]
                link
                fedilink
                22 months ago

                IMO it should even be hashed on the client side before being sent so that it doesn’t show up as plaintext in any http requests or logs. Then salted and hashed again server side before being stored (or checked for login).

                But if someone got that hashed version they could hack the client to have client side hashing code just send that hashed value to the server. You’d want to have the server to send a rotating token of some sort to use for encrypting the password on the client and then validate it on the server side that it was encrypted with the same token the server sent.

                Seems complicated to me… https is probably has good enough encryption, so eh, whatever.

                • @[email protected]
                  link
                  fedilink
                  12 months ago

                  Yeah, if they are able to intercept traffic or access the logs, they probably already have other access to the account without needing the password. If you don’t reuse passwords, then your other accounts will be safe from that.

  • @[email protected]
    link
    fedilink
    232 months ago

    Your Internet Banking Password should one special character (~!@#%^&*)

    Great grammar on their part.

  • @robdor
    link
    English
    172 months ago

    Maybe you accidentally did a permutation instead of a combination.

  • @[email protected]
    link
    fedilink
    16
    edit-2
    2 months ago

    This was a new one for me:

    this was a new one for me

    Translation: Password strength: weak. Please don’t use any special characters.

    It was a generated 14 char password… (╯°□°)╯︵ ┻━┻)

  • @[email protected]
    link
    fedilink
    142 months ago

    Noone should of aloud this code to go out the door. Atleast alot of other people people probably complained aswell, so your apart of a bigger group, incase you were worried.

    spoiler

    And yes, this was painful to type.

    • Malgas
      link
      fedilink
      English
      72 months ago

      I used to use a system that was perfectly happy to let you use a semicolon when setting the password, but then login would fail if you did.

    • @[email protected]
      link
      fedilink
      62 months ago

      When you enter an apostrophe, and the site returns a 500 response stating you are trying to attack it. (And yeah, it’s always 500, not 400.)

  • @[email protected]
    link
    fedilink
    English
    10
    edit-2
    2 months ago

    Please tell me someone didn’t buy software with ‘atleast’ spelled like that in there. Please, tell me someone tested the web app and had the brains God gave a douglas fir and knew that wasn’t a word; that it was never a word; that the writer’s spell check should have picked that up; that it’s not been over-ruled by stupid so much that it just takes it.

  • @[email protected]
    link
    fedilink
    72 months ago

    If you have to try really hard to meet their password requirements, that’s how you know it’s super secure.