Beware of long passwords on poorly written sites

Just a user problem I've encountered, and nothing to do with 1Password ... BUT perhaps worth sharing in a forum/FAQ somewhere?

Some (quite a few) sites don't tell you what password configuration they'll accept - ie characters and length - until it fails their test - and sometimes not even then.
I have found that some sites with a password length restriction accept the (say) 42 character length password, truncates it so (say) 20 characters but say nothing.
Having, as one thinks, successfully registered, on subsequently logging in, the script which accepts the 42 character password you think you've registered with, compares it to the (say) 20 character password that the site has stored, and not surprisingly says your password (and username) doesn't match! I speak from (bitter) experience!
Work around:
1) the generated password is in the clipboard - save to a text editor.
2) having completed the registration phase, then log in immediately (having logged out if necessary)
3) If the error message "password and username" don't match appears, go to the text editor and (guess) a likely limit, 12, 20, 32 etc and truncate (a copy) of the stored password and copy and paste that in.
4) If you lose the will to live doing this you'll just have to use the "forgot password" option most sites have and then guess a shorter password that might be accepted!

In the hope this helps and might explain a few frustrations.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • ag_yaron
    ag_yaron
    1Password Alumni
    edited March 2021

    Hey @AlphonseJohns ,
    Thank you for reporting this.

    We have encountered such instances before. 1Password bypasses the website's truncation when you autofill so then the website will claim you have the wrong username/password. However, if you simply copy-paste the password from 1Password, the website will again automatically truncate it correctly and will allow you to sign in.

    That leaves you with a login item that doesn't autofill correctly, but does work when you copy-paste. A simple solution would be to just save a new login on that page after copy-pasting the username and password fields into the page. That will create a new login with the correct (truncated) password.

    The harder path would be to right click the password field, select "Inspect" to see its HTML code and read what is the maxlength restriction of the field, then count the characters in your password and remove all the excess characters.

    The extremely difficult path is the one you listed above :chuffed:

    We've had internal discussions on if we can (and should?) intervene here somehow. The conclusion was that we should not do anything because we do not want to truncate or change users passwords without them knowing about it. That is a big no-no. We'd rather have users contacting our support and we'll help them figure this out.

    Luckily, this is not a very common issue, though as you mentioned, sometimes we get unlocky and encounter several websites with this issue in a relatively short period of time.

    If you have a list of such websites, please feel free to share it with us and we'll see how we can improve upon it.

    ref: dev/core/core#6078

This discussion has been closed.