
There is a website my company uses for personal data provided by a second party. In the password creation page it is possible to create a 30-character password, but attempting to log in with this password throws an invalid password error. Using shorter passwords is possible.

Should my company be concerned? Is this indicative of deeper flaws in their security?

Joe
jebob
    Have you tried using the password up to the password limit? I.e. it's possibly just discarding the last characters of the password. – Hector Dec 07 '17 at 09:41
  • @Hector I haven't tried to find the exact password limit yet, it's less than 30 and more than 8. I bet it's 16? – jebob Dec 07 '17 at 10:59
  • @jebob I believe Hector's suggestion was to enter your password (which exceeds the allowed length during login) as much as possible. E.g. if you created a password `thisismyspecialpassword` during registration, but it only allows 4 characters during login, enter `this`. –  Dec 07 '17 at 14:07

2 Answers


Obviously whoever built this was not very good at what they were doing and/or not really paying much attention to detail. When working with security critical things like authentication, that's not great.

Think of it like this: If you found that your electricity guy had accidentally installed the outlet sockets upside down, that in itself isn't the end of the world. But wouldn't it make you a little bit worried that he messed up something else more critical and your house will burn down?

Also, short limits to password length might be an indicator of a legacy system with no or bad hashing. Even worse, as jrtapsell highlights, the fact that the password is accepted when set but not at log in could be a sign that it is truncated when inserted into the database and hence stored in plaintext.

So while this is proof of nothing, it should still set off your alarm bells.

Anders
    It may be that the passwords are being truncated to fit in a database table plaintext, which would explain the lack of an error while the password does not work when used – jrtapsell Dec 07 '17 at 10:36
  • nit picky: correct orientation of electric sockets is not a settled issue in the US. Ground up, ground down and doesn't matter are each argued actively. –  Dec 07 '17 at 18:11
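To make the reasoning in this answer and in the comments concrete, here is an added example (not the vendor's code, and not from any of the posters): a constructed simulation of the two storage designs being contrasted. The plaintext store mimics a hypothetical 16-character column that silently truncates on insert, so the full 30-character password fails at login but its 16-character prefix works, which is exactly the prefix check Hector suggested. The hashed store produces a fixed-size digest, so column width is irrelevant and the full password round-trips. The user names, column width and password are all made up for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed simulation, not the real site's code. Two back ends for storing
# a password, and how each behaves when a user registers a 30-character one.

TRUNCATE_AT = 16  # hypothetical VARCHAR(16) column width in the plaintext store


class PlaintextStore:
    """Stores the raw password in a fixed-width column. Anything past the
    column width is silently dropped on INSERT, the failure mode the answer
    and jrtapsell's comment describe."""

    def __init__(self, width=TRUNCATE_AT):
        self.width = width
        self.rows = {}

    def register(self, user, password):
        self.rows[user] = password[: self.width]  # silent truncation

    def login(self, user, password):
        stored = self.rows.get(user)
        return stored is not None and hmac.compare_digest(stored, password)


class HashedStore:
    """Stores a salted PBKDF2-HMAC-SHA256 digest. The digest is always 32
    bytes regardless of password length, so no column width can truncate it
    and a 30-character password round-trips correctly."""

    ITERATIONS = 100_000  # kept modest for the demo; production should use more

    def __init__(self):
        self.rows = {}

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def register(self, user, password):
        salt = os.urandom(16)
        self.rows[user] = (salt, self._digest(password, salt))

    def login(self, user, password):
        row = self.rows.get(user)
        if row is None:
            return False
        salt, digest = row
        return hmac.compare_digest(digest, self._digest(password, salt))


def find_truncation_length(login, password):
    """The check suggested in the comments: try progressively shorter prefixes
    of a password that fails to log in and return the length of the longest
    prefix that succeeds, or None if no prefix works at all."""
    for n in range(len(password), 0, -1):
        if login(password[:n]):
            return n
    return None


PASSWORD_30 = "correct-horse-battery-staple-9"  # constructed, exactly 30 chars


def demo(store_cls):
    """Register the 30-char password, then report (full password accepted?,
    length of longest prefix that logs in)."""
    store = store_cls()
    store.register("alice", PASSWORD_30)
    full_ok = store.login("alice", PASSWORD_30)
    cut = find_truncation_length(lambda p: store.login("alice", p), PASSWORD_30)
    return full_ok, cut


if __name__ == "__main__":
    for cls in (PlaintextStore, HashedStore):
        accepted, longest = demo(cls)
        print(f"{cls.__name__}: full password accepted={accepted}, "
              f"longest working prefix={longest}")
```

Running this against the plaintext store reports that the full password is rejected while the 16-character prefix logs in; against the hashed store the full password is accepted and the longest working prefix is the whole 30 characters. If the real site behaves like the first case, that is the truncation signature the answer warns about, though by itself it still does not prove plaintext storage.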

I don't believe it is possible to draw conclusions about the whole system from this error. I do think this is an issue that can be solved and should be solved.

It might be wise to do some research on the security, but I think you can't draw good conclusions with just this information.

johan vd Pluijm