• @[email protected]
    213 days ago

    Or alternatively, it allows you to enter a password as long as you like, but on their end it gets truncated.

    • @[email protected]
      112 days ago

      My e-mail provider does this. I wanted to change my password to some 64-character-long generated string. It accepted, but I could not log in after that. After a few tries, I found the reason and, after another few tries, also the limit at which it gets truncated: 16 characters! God, how I hate them for this…

      • @[email protected]
        212 days ago

        Perhaps even worse than this is when the hash allows you to enter what you think is your full password, but as long as the first characters are a match then it will succeed.
        16 characters is probably fine as far as passwords go, but if the site is secretly truncating from 16 down to, say, 7 and still allows you to sign in, you don’t even realize that your password isn’t nearly as secure as you thought it was.
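
The silent truncation discussed in this thread, sketched as an added example that is not part of any comment above and is not any provider's real code: a weak form that truncates at both enrollment and login next to a hardened form that rejects over-length input, plus a prefix check a test suite can run against a login path. The 16-character limit mirrors the one reported in the thread; `MAX_LEN`, the PBKDF2 parameters and all function names are assumptions.

```python
import hashlib
import hmac
import os

LEGACY_LIMIT = 16   # constructed limit, matching the 16 characters reported in the thread
MAX_LEN = 128       # assumed upper bound that the hardened form enforces openly


def _kdf(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; iteration count kept low for the demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


def legacy_enroll(password: str) -> tuple[bytes, bytes]:
    """Weak form: silently keeps only the first LEGACY_LIMIT characters."""
    salt = os.urandom(16)
    return salt, _kdf(password[:LEGACY_LIMIT], salt)


def legacy_verify(password: str, salt: bytes, stored: bytes) -> bool:
    # Truncates again at login, so anything sharing the first 16 characters matches.
    return hmac.compare_digest(_kdf(password[:LEGACY_LIMIT], salt), stored)


def strict_enroll(password: str) -> tuple[bytes, bytes]:
    """Hardened form: reject over-length input instead of truncating it."""
    if len(password) > MAX_LEN:
        raise ValueError(f"password longer than {MAX_LEN} characters")
    salt = os.urandom(16)
    return salt, _kdf(password, salt)


def strict_verify(password: str, salt: bytes, stored: bytes) -> bool:
    # Over-length input can never match a stored hash, so fail without hashing it.
    if len(password) > MAX_LEN:
        return False
    return hmac.compare_digest(_kdf(password, salt), stored)


def accepts_prefix(enroll, verify, password: str, keep: int) -> bool:
    """Self-check for a test suite: does a shortened password still log in?"""
    salt, stored = enroll(password)
    return verify(password[:keep], salt, stored)
```

Running `accepts_prefix` with a long generated password and a shorter `keep` against your own enrollment and login functions turns the behaviour described above into a regression test.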