this post was submitted on 10 Jan 2025
308 points (95.6% liked)

Cybersecurity - Memes


Only the hottest memes in Cybersecurity

I hate passwords (feddit.org)
submitted 1 month ago* (last edited 1 month ago) by [email protected] to c/cybersecuritymemes
 

How on earth can you both not accept the password I copied from my password safe and tell me that I cannot use the same password again?

[–] villainy 11 points 1 month ago (1 children)

I had this happen once where input validation on login and password change were different. I was allowed to set my password to a string containing a special character not accepted by the login form. Top men.

[–] JustAnotherKay 2 points 1 month ago (1 children)

I've had a similar experience with a service that automatically truncated passwords if they were too long.

[–] dual_sport_dork 1 points 1 month ago* (last edited 1 month ago) (1 children)

Note that for others reading this, what normal people think of as too long probably doesn't signify. Some asshat somewhere may have decided greater than something like 8 characters is "too long." Without telling you. Said asshat may indeed even be on the database side, and concluded somehow that varchar(8) should be sufficient for storing passwords. Right???

It is not only easy for flagrantly badly designed web systems to display this behavior, but also depressingly common. And the more closely the page or system you're using is related to your local government, the probability of it being hilariously incompetently designed moves ever closer to becoming 1.

[–] JustAnotherKay 2 points 1 month ago (2 children)

Ya know what's actually even more absurd? The password was truncated on creation. The webpage allowed me to type 36 characters into the field, then only saved the first 30 of them.

I verified the full 36 character password before creating the account, and was immediately met with "wrong password." Noticed the 30 character limit when looking at the password change form, and tried cutting the last 6 characters off my existing password, which unfortunately was successful.

[–] dual_sport_dork 1 points 1 month ago

So not only did somebody forget a maxlength=30 on the field, but their validation on the server side was also crap. Genius!

[–] [email protected] 1 points 1 month ago

They must have been storing your password in plaintext on their end in order for that to work.
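
The truncation mismatch described in this thread, sketched as an added example that is not part of any comment and not code from the service discussed. It assumes storage as a salted PBKDF2 hash; the 30-character limit comes from the thread, and every function name and the sample password are constructed for illustration.

```python
import hashlib
import hmac
import os

MAX_LEN = 30  # limit reported in the thread
TYPED = "correct-horse-battery-staple-2025-xy"  # constructed 36-character sample

def _hash(password: str, salt: bytes) -> bytes:
    # Hypothetical storage scheme: salted PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def register_truncating(password: str) -> tuple[bytes, bytes]:
    """Buggy path: silently keeps only the first MAX_LEN characters."""
    salt = os.urandom(16)
    return salt, _hash(password[:MAX_LEN], salt)

def register_strict(password: str) -> tuple[bytes, bytes]:
    """Fixed path: reject over-length input so the user knows what was stored."""
    if len(password) > MAX_LEN:
        raise ValueError(f"password must be at most {MAX_LEN} characters")
    salt = os.urandom(16)
    return salt, _hash(password, salt)

def login(record: tuple[bytes, bytes], password: str) -> bool:
    """Login hashes exactly what was typed, with no truncation."""
    salt, stored = record
    return hmac.compare_digest(stored, _hash(password, salt))

def demo() -> dict:
    record = register_truncating(TYPED)
    try:
        register_strict(TYPED)
        strict_rejects = False
    except ValueError:
        strict_rejects = True
    return {
        # The password the user typed and saved no longer works.
        "full_after_truncating": login(record, TYPED),
        # Only the silently shortened version does.
        "first30_after_truncating": login(record, TYPED[:MAX_LEN]),
        # The strict path refuses up front instead of storing something else.
        "strict_rejects_36": strict_rejects,
    }

if __name__ == "__main__":
    print(demo())
```

Whatever the limit is, enforce it with the same server-side check on registration, password change and login, and mirror it in the form field's `maxlength`.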