this post was submitted on 09 Sep 2024
587 points (99.5% liked)

Programmer Humor

19623 readers
3 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

founded 1 year ago
MODERATORS
 

Edit: @Successful_Try543@feddit.org solved it. It says "one special character". Not "at least one".

you are viewing a single comment's thread
view the rest of the comments
[–] xmunk@sh.itjust.works 221 points 2 months ago (9 children)

It's fucking insane that an internet banking portal has such a low cap on max characters and such shitty rule enforcement.

[–] sorter_plainview@lemmy.today 89 points 2 months ago (3 children)

Their desktop site is even more shitty. It won't allow right click or paste actions. There goes compatibility with password managers.

[–] superkret 57 points 2 months ago (1 children)

Bitwarden has a function where it types in (not pastes) the password and shows the prompt for it without right-click.

[–] Appoxo@lemmy.dbzer0.com 17 points 2 months ago (2 children)

And even if theres an app for Windows (https://github.com/jlaundry/TypeClipboard) that can type it for you and even has a shortcut.
I am sure someone in the linux world knows an equivalent tool.
We use it at work to paste long passwords when remoting in.

[–] tyler@programming.dev 3 points 2 months ago

On Mac you can use Hammerspoon and just create a shortcut to hs.eventtap.keyStrokes(hs.pasteboard.getContents())

[–] stetech@lemmy.world 1 points 2 months ago

Nice find, thanks for sharing.

For Macs (only Macs, I believe), there is StopTheMadness, which, uh well, stops the madness (test page here for some examples it can re-enable).

[–] xmunk@sh.itjust.works 37 points 2 months ago (3 children)

As a super secret dev hack may I introduce you to shift + insert a fair few sites specifically block ctrl + v instead of properly disabling the clipboard action and, of course, if you read this and then submit a Jira ticket to block shift + insert... well... h8u

[–] LuycYQ2uUiTjR3yLri@sh.itjust.works 21 points 2 months ago

You can also drag the password in from another text field instead of pasting

[–] independantiste@sh.itjust.works 14 points 2 months ago (1 children)

I usually to in the developer tools and manually disable the thing preventing the paste action. It's usually a string to remove some JS or something or an Event that you need to uncheck

[–] xmunk@sh.itjust.works 18 points 2 months ago (1 children)

If you're opening up the dev tools you can also paste your string directly into <input value="" /> unless something weird is going on.

[–] KairuByte@lemmy.dbzer0.com 0 points 2 months ago

*Laughs in blazor*

[–] sorter_plainview@lemmy.today 6 points 2 months ago

Aah.. I completely forgot about that. Will try next time. Also yesterday I saw Shift + F10 will show the context menu. Yet to test it on this site.

[–] Creat@discuss.tchncs.de 17 points 2 months ago

Any password manager should be able to "type in" the password. Or be a browser plugin that doesn't rely on copy pasting, but use other mechanisms to inject it directly into the field.

But yes, if that's their online portal, I am not kidding I would change banks.

[–] stealth_cookies@lemmy.world 32 points 2 months ago (1 children)

My bank's password used to have to be exactly 6 characters, no special characters and you could use numbers and letters interchangeably because it was also your phone banking password.

[–] hushable@lemmy.world 43 points 2 months ago* (last edited 2 months ago) (1 children)

a previous bank used to have a max password length of 8 characters, then proudly announced that they will increase it to 32

Then I made a typo at the end of my password and it let me in anyway, and I realised they were just trimming the first 8 characters to give the illusion of security

[–] Wizard_Pope@lemmy.world 15 points 2 months ago (1 children)

That is so insane. To think they would rather just clip the passwords instead of habing it be longer.

Did you try out your hypothesis by using the first 8 letters than just random junk until you hit your password length?

[–] hushable@lemmy.world 16 points 2 months ago (2 children)

I tried then first N characters of my password until I found out the threshold was at 8, then I tried with the first 8 chartacters of my password and then random junk and it worked.

I also had two friends in the same bank to validate

[–] Wizard_Pope@lemmy.world 12 points 2 months ago
[–] Pandantic@midwest.social 4 points 2 months ago

And I’m honestly surprised they let you do that many password tries. I would seriously consider changing banks.

[–] DudeDudenson@lemmings.world 26 points 2 months ago (1 children)

Visa has a hard limit of 8 and requires the first 4 to be numbers because the phone tree might require it as a password

The whole banking industry is ridiculous and is ridiculously legislated

[–] funkless_eck@sh.itjust.works 6 points 2 months ago

USAA has 8-12 ONLY. My smallest memorized password algorithm is 13 characters, that I typically use for throwaways, doesn't even fit.

[–] Flipper 19 points 2 months ago (1 children)

The ERP software I have to use has a strict limit of 6 characters as password. Only alphabet and numbers allowed.

Maybe when I leave I try an SQL injection.

[–] ICastFist@programming.dev 9 points 2 months ago

Bobby tables, noooooooo!

[–] ImplyingImplications@lemmy.ca 12 points 2 months ago

I had to create an account on a government website. The website didn't list a character limit so I used a password manager to generate a 32 character password. My account was created but I couldn't log in. I used the "forgot my password" option and I received an email of my password in plain text. I also noticed why I couldn't log in. The password was truncated to just 20 characters. Brilliant website! Tax dollars at work!

[–] kirk781@discuss.tchncs.de 8 points 2 months ago (2 children)

Some internet banking sites give access after only asking for login password. They will only ask for transaction password and OTP (that will only come on phone) later on. Asking for two passwords isn't necessarily more secure since many people will just reuse their original one again. And OTP instead of offering something like hardware security key is insane.

[–] IsoKiero@sopuli.xyz 5 points 2 months ago

My bank uses 6 digit 'customer number' (which is set by the bank) and that's verified with an app and a personal PIN (app shows 'login attempt ABCD at mm.dd. hh:mm' where ABCD is shown on login page too) or via SMS OTP (again with 'ABCD' verification). And again with personal pin + app or OTP to confirm transactions. The app itself can be protected with a fingerprint or phone pin and every new installation needs to be registered to the system, so I can't just use my phone app to access my wifes account (or anyone elses) but I still can map multiple accounts (like corporate ones) to the same installation.

I think that's pretty reasonable approach.

[–] Appoxo@lemmy.dbzer0.com 3 points 2 months ago

Reason why I took a hardware tan generator versus using the OTP function of one of their other apps.
Thanks but no, I will use the old crusty method as I know how easy that's hacked.

[–] ech@lemm.ee 5 points 2 months ago

They can't even properly check their copy on critical infrastructure. Top notch work over there, top to bottom.

[–] stoy@lemmy.zip 3 points 2 months ago (2 children)

It is insane that any internet banking portal still uses a static password.

[–] morrowind@lemmy.ml 10 points 2 months ago (3 children)

wdym? What's a dynamic password?

[–] xmunk@sh.itjust.works 9 points 2 months ago

A rotating code key - a lot of banks these days will give you a fob to enter a rotating proof of ownership off of along with your password.

[–] rtxn@lemmy.world 5 points 2 months ago (1 children)

Time-based one-time passwords. It's been used for years for multi-factor authentication.

https://en.wikipedia.org/wiki/Time-based_one-time_password

[–] morrowind@lemmy.ml 6 points 2 months ago (1 children)

Yeah, multi factor, that means you still have a regular password as well as the totp.

[–] Swedneck@discuss.tchncs.de 1 points 2 months ago

that was one example of where they are used lol

[–] stoy@lemmy.zip 2 points 2 months ago
[–] Successful_Try543 4 points 2 months ago* (last edited 2 months ago) (1 children)

At least it should not, in many countries must not, be the only measure.
I once encountered an OR in the requirements: Capital letters, small letters and digits OR special characters.

[–] alcoholicorn@lemmy.ml 2 points 2 months ago (1 children)
[–] Successful_Try543 1 points 2 months ago* (last edited 2 months ago) (1 children)

No, I had to use either digits or special characters, not both. It took me a while to figure out, why it didn't like my password.

[–] alcoholicorn@lemmy.ml 2 points 2 months ago (1 children)

Putting xor logic in there sounds like the software engineer was just trying to fuck with end users or hated whoever was writing requirements. Like in every language, or means one, the other, or both.

[–] Successful_Try543 1 points 2 months ago* (last edited 2 months ago) (1 children)

Do you like a cup of coffee or tea? :-p
I also can't think of a scenario where that makes technically sense to limit the choice of passwords in that way.
As far as I remember, it was for Deutsche Telekom De-Mail, a specially secure authenticated e-mail service which was discontinued some years ago.

[–] alcoholicorn@lemmy.ml 2 points 2 months ago (1 children)
[–] Successful_Try543 1 points 2 months ago* (last edited 2 months ago)

Yes, of course you are right.
I was thinking of the text on the web page, like the one in the OP, stating the requirements for the password to the end user: "The password must contain at least one digit or special character." So several digits were allowed, also one or more special character, but not mixing digits and special characters.

[–] FiskFisk33@startrek.website 3 points 2 months ago (1 children)

seriously, I've never seen a bank with password login to begin with. Every bank i know of uses physical devices that you type a code into

[–] WalrusDragonOnABike@lemmy.today 7 points 2 months ago (1 children)

Never heard of this. Where is this at? :o

[–] FiskFisk33@startrek.website 9 points 2 months ago (3 children)

Sweden. The little keyfob thingies have been the thing for many decades here, I would guess ever since the dawn of internet banking, but I'd have to ask my parents instead of just assuming. I used to assume that was just normal for banks in the world at large. When you want to log in, the website gives you a code, you type the code into the fob and it responds with another code you type in to the website.

Nowadays they additionally offer login via BankID, a mobile app used throughout Sweden for personal online identification.

[–] Successful_Try543 8 points 2 months ago* (last edited 2 months ago) (1 children)

As a German, when living in Sweden, I was (and still am) very impressed, how widespread the use of (Mobile) Bank ID, beside the use of the personal ID number (As a male German, the state has assigned me at least three different ones without requiring any interaction.) for basically everything, is.

In Germany, before introducing a second electronic way of authentication for online (or phone) banking, it was done by a chosen password and a TAN (transaction number) from a list that you regularly got sent by mail in a special envelope. Later it was replaced by that "thingy", a mobile TAN generator, or push TAN via SMS.

[–] trolololol@lemmy.world 4 points 2 months ago (1 children)

OMG the special envelope seems to make it specially easier for people to steal just the right mail

[–] Successful_Try543 5 points 2 months ago

It was not special from the outside, but from the inside. It was either the envelope or the TAN list that was printed with a special pattern to prevent reading the list by using a flashlight.

[–] Wizard_Pope@lemmy.world 4 points 2 months ago

I want this so bad now.

[–] WalrusDragonOnABike@lemmy.today 3 points 2 months ago

OTP for 2FA has just started becoming common here (US) within the last decade I think. Each bank has its own separate app and many banks seem to limit password lengths to less than other websites.