> Silent truncation of the password without telling you
Bonus points for truncating the password differently in the login form and the password change form. Now you can't log in anymore!
> Failure because the password is too long, but the error says something else (like missing symbol)
A few years ago the local City government in Paris put out some new app to pay for parking. You'd have to create an account and give them your credit card[0]. When I saw they had some ridiculous maximum password length, something like 8 characters, I decided that I could actually take the five minutes to pay in person.
I haven't tried the app ever since, so no idea if this crazy limitation is still in effect.
---
[0] There was no option to give the credit card on each payment, they had to save it on file. Of course, they weren't aware that local banks were rolling out credit cards with changing verification codes, so some cards would've had to be re-entered anyway...
> Bonus points for truncating the password differently in the login form and the password change form. Now you can't log in anymore!
Yes, when I set up my first password manager one of my banks said "max length 32" so I updated to a 32-character password. Then, when I next went to log in, I found the login form had an off-by-one error and JavaScript would truncate the password down to 31 characters.
I was lucky and knew just enough to be able to use the console to patch the JavaScript on the fly. I complained to them and they said they'd look into it; a month later I went down to a 30-character password, to stay far away from any further off-by-one issues.
A big EU bank that I have my account (and an online account) with cannot change a customer's OTP mobile phone number if they no longer have access to the old number (they require sending an OTP when the number is being changed). The reason I know this is after several visits and calls over many months, all with a lot of effort put in. I am assuming they have zero CRUD that doesn't send an OTP to the old number. A bank with billions should know better.
A bank with billions should have a manual process that may involve checking your identity in 20 different ways and maybe even pre-registering your whereabouts with the police, but ultimately resulting in giving you access to your account back.
I'm guessing it might take sending them a strongly-worded legal letter to make further progress.
But then it's in a single-sign-on system with some other services... Where that same maximum length is also the minimum length for at least one sub-system.
(I mean, hey, that's if you're lucky -- otherwise System A maximum allowed PW length is less than System B minimum required PW length.)