At least that’s better than when the site accepts the password but doesn’t actually let you log in with it.
My old college was like that with their SSO. It would accept any type of password you threw at it. But then you just wouldn’t be able to sign into anything, so you’d be forced to reset your password again, but it doesn’t tell you that’s what the problem is, so you just have to sorta guess what it was.
I got to discover that one program at work let’s you change your password as expected but silently drops everything after character 16 entered while doing so. Of course that’s not mentioned in any documentation I have access to.
Been there. It’s somewhat ok if they do it consistently. E.g. registration and login form both allow more than 16 chars and then just truncate the password silently.
Worse is if the registration form does it, but the login form uses the full password you entered (or vice versa) and then the login fails because the password doesn’t match…
At least that’s better than when the site accepts the password but doesn’t actually let you log in with it.
My old college was like that with their SSO. It would accept any type of password you threw at it. But then you just wouldn’t be able to sign into anything, so you’d be forced to reset your password again, but it doesn’t tell you that’s what the problem is, so you just have to sorta guess what it was.
I got to discover that one program at work let’s you change your password as expected but silently drops everything after character 16 entered while doing so. Of course that’s not mentioned in any documentation I have access to.
Been there. It’s somewhat ok if they do it consistently. E.g. registration and login form both allow more than 16 chars and then just truncate the password silently.
Worse is if the registration form does it, but the login form uses the full password you entered (or vice versa) and then the login fails because the password doesn’t match…