I've been using generated passwords for a while now. I generate a salt, then some input information, and generate something in return. On a large banking website, I used such a password schema and recently noticed I was unable to log in. Apparently they truncated the length of passwords from 32 characters to 31 and now 30 characters.
My question is, if they truncated the passwords, the only way it would be possible for them to truncate your password properly is if they did not run it through a one-way hash algorithm to securely store the password. Meaning, they're either storing the password in plain text, or using a weak schema to encode the password.
I'm considering dropping my account with them for obvious security reasons and general negligence to obvious security practices.
Am I incorrect in my assumptions? I am not a math nor a computer science major.
Walter
Yes, I got in simply by removing 2 characters. – None – 2010-02-11T14:06:23.600
Yes, this is just one instance of bad practices. If I noticed this, what else am I not privy to that they're doing? I wasn't even looking for this, I just noticed it when I couldn't log in. Chances are, if they do something like this, they're doing other bad things as well. – None – 2010-02-11T14:07:56.030
Also, if they are really practicing bad security, sometimes the only way they will get the message is when customers talk with their feet (so to say) and go elsewhere explaining why. – Dan McGrath – 2010-02-11T21:27:52.740
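Added example (Python, not from the original thread) showing, for a constructed 32-character password, what each storage policy discussed above accepts: a record hashed over the full password rejects the 30-character form outright, a record the server cut to 30 characters before hashing accepts it, and so does plaintext compared after truncation. A shortened login succeeding therefore shows that the characters past the limit never reached whatever is stored, whether that is a hash or the plaintext itself. `ITERATIONS`, `enroll`, `verify` and the sample password are assumptions of this demo.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # assumed PBKDF2 work factor for the demo


def enroll(password: str, max_len: Optional[int] = None) -> dict:
    """Store a salted PBKDF2-HMAC-SHA256 hash of the password. If max_len is
    set, the server silently truncates before hashing (the questionable
    policy); the policy is recorded so verify() can mirror it."""
    pw = password if max_len is None else password[:max_len]
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "max_len": max_len}


def verify(record: dict, attempt: str) -> bool:
    """Re-derive the hash from the login attempt under the same truncation
    policy the record was enrolled with, and compare in constant time."""
    limit = record["max_len"]
    pw = attempt if limit is None else attempt[:limit]
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def plaintext_truncated_login(stored_plain: str, attempt: str, max_len: int) -> bool:
    """The behaviour the question suspects: password kept in plain text and
    compared after cutting both sides down to the new limit."""
    return stored_plain[:max_len] == attempt[:max_len]


def demo() -> dict:
    pw32 = "aB3$" * 8  # constructed 32-character password
    pw30 = pw32[:30]   # the same password with the last 2 characters removed
    hashed_full = enroll(pw32)             # hashed over all 32 characters
    hashed_cut = enroll(pw32, max_len=30)  # truncated to 30 before hashing
    return {
        "hash_full_32": verify(hashed_full, pw32),  # exact password verifies
        "hash_full_30": verify(hashed_full, pw30),  # 30 chars can never match a hash of 32
        "hash_cut_32": verify(hashed_cut, pw32),    # server cuts input to 30, so it matches
        "hash_cut_30": verify(hashed_cut, pw30),    # only the first 30 chars ever reached the hash
        "plain_30": plaintext_truncated_login(pw32, pw30, 30),  # plaintext, truncated compare
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'login accepted' if accepted else 'login rejected'}")
```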