• trafficnab
    arrow-up
    7
    ·
    3 months ago

    Unless they’ve changed it very recently, PayPal still limits your password to 20 characters

      • trafficnab
        arrow-up
        6
        ·
        3 months ago

        Air Canada’s online account system required a 6-character password, which was secretly converted via T9 to 6 numbers on the back end, meaning “aaaaaa” and “bbbbbb” were effectively the same password, and this was only fixed in 2018

        • 4z01235@lemmy.world
          arrow-up
          2
          ·
          3 months ago

          That sounds like someone who topped out with high-school-level programming tried to implement a hash algorithm.

          • trafficnab
            arrow-up
            4
            ·
            3 months ago

            My personal theory is that it’s a remnant of an old system that was only accessible by phone (hence the 6 digit pin), and they simply grafted an online component on top of it
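
The T9 folding described in this sub-thread, as an added example that is not part of any comment above and is not Air Canada's code: it measures how many typed passwords land on one stored PIN and how many bits of keyspace survive, next to a salted KDF over the untouched password. The keypad table, the case folding, and the names `t9_fold`, `equivalents`, `keyspace_bits` and `kdf_verifier` are assumptions made for illustration.

```python
import hashlib
import math
import string

# Standard phone keypad letter groups (ITU-T E.161). Assumption: this is the
# mapping the comment above means by "T9".
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {ch: d for d, group in KEYPAD.items() for ch in group}


def t9_fold(password: str) -> str:
    """Fold a password to keypad digits, as the comment describes."""
    digits = []
    for ch in password.lower():  # assumption: case is ignored
        if ch in "0123456789":
            digits.append(ch)
        elif ch in LETTER_TO_DIGIT:
            digits.append(LETTER_TO_DIGIT[ch])
        else:
            raise ValueError(f"no keypad digit for {ch!r}")
    return "".join(digits)


def equivalents(password: str) -> int:
    """Count lowercase-letter/digit strings that fold to the same PIN."""
    count = 1
    for d in t9_fold(password):
        count *= len(KEYPAD.get(d, "")) + 1  # the key's letters plus the digit
    return count


def keyspace_bits(alphabet: str, length: int = 6) -> tuple[float, float]:
    """Return (bits before folding, bits after folding) for an alphabet."""
    raw = len(set(alphabet)) ** length
    folded = len({t9_fold(ch) for ch in alphabet}) ** length
    return math.log2(raw), math.log2(folded)


def kdf_verifier(password: str, salt: bytes) -> bytes:
    """Contrast: a salted KDF over the untouched password keeps inputs distinct."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


if __name__ == "__main__":
    print(t9_fold("aaaaaa"), t9_fold("bbbbbb"), equivalents("aaaaaa"))
    print(keyspace_bits(string.ascii_lowercase))
```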

    • MeanEYE@lemmy.world
      arrow-up
      5
      ·
      3 months ago

      Any service that limits the maximum length of the password means they are not hashing them. Which is a scary proposition, especially for such a huge service.

      • trafficnab
        arrow-up
        3
        ·
        3 months ago

        That’s normally my assumption too but surely PayPal has proper security, right? Right??

        • MeanEYE@lemmy.world
          arrow-up
          2
          ·
          3 months ago

          It’s possible that limit is either gone or a vestige from a bygone age and they are hashing passwords properly now. Either way they do seem like they take security seriously.