Hey – continuing on our theme, here is another fun article from Shark Tank.
No Good Password Goes Unpunished
Consultant pilot fish is paying his bills online, but for some reason his health insurance company’s website won’t let him log in. “I tried twice, and it rejected either my user name or my password both times,” fish says. “It also warned me I’d be locked out after a third try, so I waited a few hours and tried again. Still no luck.”
Fortunately, fish is able to find a website-support number on the insurance company’s public website. After a few minutes on hold, he gets a support rep who requests his policy number and then asks what the problem is.
Fish explains that he’s trying to log in with the same user name and password that worked when he paid his bill the month before, but now it’s not working. Is there a known issue on your system, or is there a problem with my account? he asks.
There is an issue that might be causing the problem, support rep tells fish. It seems that at the start of the month, security was switched from supporting passwords between six and eight characters long to supporting passwords that are up to 15 characters, and customers with the longer passwords are now having problems.
Fish assures the rep that his password is more than eight characters long.
“Try logging in with just the first eight characters,” rep says.
Fish does. It works. Then, once he’s logged in, the support rep walks him through changing his password from that eight-character version to his full password.
And before he hangs up to finish paying his bill, fish thanks the support rep and wishes her luck dealing with all the other customers who chose long passwords because they thought they’d be more secure.
“But they were throwing away anything in a password beyond eight characters,” grumbles fish. “And then after the security upgrade, the people who had longer, better passwords were the ones who were punished for it.
“At least they used bounds checking to confirm input length…”
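The failure in the story, as an added sketch that is not from the article or the insurer's system: it assumes the old site silently kept only the first eight characters before hashing, and that the upgrade started hashing the full input. The function names, the record layout and the use of PBKDF2 are assumptions made for illustration.

```python
import hashlib
import hmac
import os

LEGACY_MAX = 8  # assumed old limit, taken from the story's "six and eight characters"

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the real site used (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def legacy_enroll(password: str) -> dict:
    """Old behaviour as fish infers it: drop everything past eight characters."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password[:LEGACY_MAX], salt), "legacy": True}

def naive_verify(record: dict, password: str) -> bool:
    """Upgraded check that hashes the full input; long legacy passwords now fail."""
    return hmac.compare_digest(record["hash"], _hash(password, record["salt"]))

def migrating_verify(record: dict, password: str) -> bool:
    """Check under the scheme the record was stored with, then re-hash in full."""
    candidate = password[:LEGACY_MAX] if record["legacy"] else password
    if not hmac.compare_digest(record["hash"], _hash(candidate, record["salt"])):
        return False
    if record["legacy"]:
        # First successful login after the upgrade: store the full password.
        record["salt"] = os.urandom(16)
        record["hash"] = _hash(password, record["salt"])
        record["legacy"] = False
    return True

def demo() -> dict:
    full = "correct-horse-battery"  # constructed sample password
    rec = legacy_enroll(full)
    return {
        "naive_full": naive_verify(rec, full),             # fish's failed logins
        "naive_first8": naive_verify(rec, full[:8]),       # the rep's workaround
        "migrating_full": migrating_verify(rec, full),     # transparent upgrade
        "after_first8": migrating_verify(rec, full[:8]),   # truncated form now rejected
        "after_full": migrating_verify(rec, full),
    }

if __name__ == "__main__":
    print(demo())
```

Until a legacy record is upgraded, any input sharing its first eight characters is accepted, which is the weakness the old system already had; the migration only stops it from persisting after the first successful login.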