
Comment by luc4sdreyer

6 years ago

What kind of range limits are you talking about? 30? 100?

Lots of sites have a limit of 72 characters, maybe even without the developers knowing about it. Bcrypt has a limit of 72.

It's honestly a crapshoot. I've seen as low as 8 (a sibling poster says 6), but 10, 12, 15, 16, and 20 are not unusual. It's usually an even number, so you can just knock 2 characters off your password at a time (after making it an even number) until you're down to the maximum to figure it out.

Wells Fargo’s is 12 IIRC.

  • Lots and lots of legacy systems do this, very low limit, case insensitive, numbers and letters only. I know of a major retailer with 10 character, case insensitive, alphanumeric for all their systems. Why? Because that’s the lowest common denominator (as400).

    • That's how my dentist's billing website works. Except it's limited to 8 alphanumeric characters, not 10, and they were quite happy to accept my pasting a 16-character generated password into the field. Unfortunately, they don't have a password reset link; instead, you call the receptionist and they read out your password to you over the phone. This isn't a legacy system, either. I can only imagine the backend is written in QBasic or something.

  • I have a 14 character WFC password, seemingly works fine.

    • Try changing the last two characters and see if it still lets you in. It's not that uncommon that people mix up when to filter input and when to validate it.


I believe that Blizzard had a limit of ~20 until recently for battle.net accounts (don't know if that's still the case).

  • Passwords for Blizzard accounts are also case-insensitive, as they are converted to upper case before hashing. Try it!

    I first found this while working on a WoW server emulator in around 2009, but I believe it's been the case since Battle.net 1.0 was launched in 1996. In order to preserve backwards compatibility, it's never been changed.
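The thread describes two ways a login backend can quietly discard part of a password: truncating input before hashing (bcrypt's 72-byte limit, the 8/10-character legacy systems) and case-folding it (the Battle.net upper-casing). The following is an added example, not code from any poster, for checking your own authentication code for both behaviours: a byte-length validator that rejects rather than truncates, a constructed `LegacyStore` that models the silent truncation and upper-casing, and self-tests that register a probe password and report the effective limit. The class and function names are assumptions made for this example; plain SHA-256 stands in for a real password hash only to keep it dependency-free.

```python
import hashlib
import hmac
from typing import Optional

BCRYPT_MAX_BYTES = 72  # bcrypt hashes at most the first 72 bytes of a password


def check_password_length(password: str, max_bytes: int = BCRYPT_MAX_BYTES) -> bool:
    """Validate instead of silently truncating: reject a password whose UTF-8
    encoding exceeds the hash's input limit. Note the limit is bytes, not chars."""
    return len(password.encode("utf-8")) <= max_bytes


class LegacyStore:
    """Constructed stand-in for a legacy backend like those in the thread: it
    silently cuts the password to `limit` characters and optionally upper-cases
    it before hashing. SHA-256 is for illustration only, not a password hash."""

    def __init__(self, limit: int, case_insensitive: bool) -> None:
        self.limit = limit
        self.case_insensitive = case_insensitive
        self._digest = b""

    def _normalise(self, pw: str) -> bytes:
        pw = pw[: self.limit]
        return (pw.upper() if self.case_insensitive else pw).encode("utf-8")

    def register(self, pw: str) -> None:
        self._digest = hashlib.sha256(self._normalise(pw)).digest()

    def verify(self, pw: str) -> bool:
        candidate = hashlib.sha256(self._normalise(pw)).digest()
        return hmac.compare_digest(self._digest, candidate)


def probe_effective_limit(store: LegacyStore, probe_length: int = 64) -> Optional[int]:
    """Self-test for your own login code: register a probe password, then verify
    copies with one character replaced. The first position whose change is still
    accepted is where input starts being ignored; None means every position
    matters (probe_length must exceed the limit you suspect)."""
    base = "".join(chr(ord("a") + i % 26) for i in range(probe_length))
    store.register(base)
    for i in range(probe_length):
        altered = base[:i] + "7" + base[i + 1:]  # a digit also differs after upper-casing
        if store.verify(altered):
            return i
    return None


def probe_case_folding(store: LegacyStore) -> bool:
    """True if the backend accepts a differently-cased copy of the password."""
    store.register("Passw0rdXy")
    return store.verify("PASSW0RDXY")
```

Run `probe_effective_limit` against a store configured like the 8-character systems above and it returns 8; against a backend that keeps the whole password it returns None.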