Password being truncated when filled on USAA site [length limitation; use shorter password]

jbthomson2
Community Member
edited July 2014 in Mac

I recently changed the password for my bank's website. Previously, I used an 8 character long password. The new password is 13 characters long, and it appears that only 12 characters are being filled by 1Password for this website, which results in an error. If I open 1Password mini and manually Copy and Paste the username and password, that works. I deleted the original 1Password entry for this bank and recreated it fresh. It made no difference. The URL is https://www.usaa.com and this is the only website for which I have any issues. Problem occurs in all browsers that I use.

OSX 10.9.4 Mavericks, 1Password 4.4.1, Safari 7.0.5, Firefox 30.0, Chrome 35.0.1916.153
The problem exists with 1Password for iOS under 1Browser as well.

Comments

  • hawkmoth
    Community Member

    I had the same trouble with USAA. It turns out that they limit passwords to 12 characters, even though they don't say so. When 1Password auto fills your 13 character password, it passes all characters, but if you copy and paste manually, the USAA site truncates at 12 characters and your login succeeds because they only recorded the first 12 characters of your longer password, but didn't notify you.

    You'll be fine if you redo your password with no more than 12 characters.

    I once complained to them about this, but the person who answered wasn't very interested. And obviously, nothing changed.

  • jbthomson2
    Community Member

    Thanks for your feedback.

    Well, that's annoying. I developed some "rules" for how I create passwords and now I'll have to rethink them. Bummer. Perhaps I'll complain as well. Been a member of USAA over 40 years since I was on active duty in the Navy.

  • Megan
    1Password Alumni
    edited July 2014

    Hi @jbthomson2,

    I'm sorry to hear that this site is using some hidden restrictions to complicate your password rules. I certainly do recommend bringing this to your bank's attention - better, stronger, longer passwords are in everyone's best interest!

    Have you considered using our strong password generator to do the hard work of creating passwords for you? There are all sorts of great customizable options so you can set the number of digits, if there are symbols, and even select pronounceable if you'd like your password to kind-of sound like a word. Since 1Password is remembering all your passwords for you anyway, there's no harm in creating random ones that will be even harder to crack. :)

  • hawkmoth
    Community Member
    edited July 2014

    Yeah, @Megan, but even your illustration shows a 13 character password that USAA's site will truncate to 12 characters before recording, but won't let you know it did so. 1Password will then dutifully save the 13 character version, and then will submit to the site when the user next tries to log in. And that user will fail to log in successfully because the site receives more characters than its own rules permit. The password accordingly isn't seen as valid. In the case of misbehaving sites like this, it doesn't matter what tool you use to generate the password, it is restricted to recording only the first 12 characters, no matter what. And if you generate a longer password in 1Password, you'll be stymied when you try to auto-submit credentials from 1Password later.

    This isn't really a 1Password problem. It's a problem of the web sites that don't fully describe their password rules and also fail to adequately test the user's input to see if it meets the undisclosed restrictions. But if you folks could design a process to protect us from sites that do things like this, it would be very welcome. I can't figure how you could do that, though.
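The mismatch hawkmoth describes above, modelled as an added example; it is not part of the thread and is not USAA's or 1Password's code. The class names, the `via_form_field` flag and the sample password are constructed for illustration; only the 12-character limit comes from the thread.

```python
import hashlib, hmac, os

MAX_LEN = 12  # limit reported in the thread; everything else here is assumed

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class TruncatingSite:
    """Hypothetical model: form fields cut input at MAX_LEN without saying so."""

    def set_password(self, typed: str) -> None:
        self.salt = os.urandom(16)
        self.stored = _hash(typed[:MAX_LEN], self.salt)  # silent truncation

    def login(self, submitted: str, via_form_field: bool = False) -> bool:
        # Typed or pasted input passes through the length-limited field;
        # a value filled programmatically arrives at full length.
        if via_form_field:
            submitted = submitted[:MAX_LEN]
        return hmac.compare_digest(_hash(submitted, self.salt), self.stored)

class StrictSite:
    """Hardened form: state the limit and reject, never truncate."""

    def set_password(self, typed: str) -> None:
        if len(typed) > MAX_LEN:
            raise ValueError(f"password must be at most {MAX_LEN} characters")
        self.salt = os.urandom(16)
        self.stored = _hash(typed, self.salt)

    def login(self, submitted: str) -> bool:
        return hmac.compare_digest(_hash(submitted, self.salt), self.stored)

def run_demo(password: str = "correct-horse") -> dict:  # constructed, 13 chars
    weak, strict = TruncatingSite(), StrictSite()
    weak.set_password(password)
    try:
        strict.set_password(password)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "autofill_full_value": weak.login(password),
        "manual_paste": weak.login(password, via_form_field=True),
        "strict_rejects_at_signup": rejected,
    }

if __name__ == "__main__":
    print(run_demo())
```

With the strict variant the user learns about the limit when setting the password, so the value saved in the password manager is the value the site stored.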

  • Megan
    1Password Alumni

    Hi @hawkmoth,

    Oops, I used a general screenshot of the password generator that I had saved without considering the length shown. I've edited that now.

    You are correct, the password generator tool doesn't change the issue with sites that have hidden password restrictions. My mention of the tool was only because @jbthomson2 mentioned using rules to create passwords. Depending on what those rules are, using the password generator to create a truly random 12 digit password will likely result in a more secure password.

    "But if you folks could design a process to protect us from sites that do things like this, it would be very welcome. I can't figure how you could do that, though."

    The tricky thing here is that there would need to be a way for us to find those hidden password restrictions somewhere within the website's code. And due to the infinite variety of web design, that's likely not a simple task. (I'm not a developer, so I'm sure there are plenty of other hurdles I'm not considering.) I would much prefer to educate banks and other sites on the importance of longer, more secure passwords and have these restrictions done away with altogether. (Perhaps just as simple a task!)

    Your feedback here is much appreciated - we've been hearing a lot about hidden password restrictions in the last few days and I'd sure love to come up with some sort of a solution.

  • hawkmoth
    Community Member
    edited July 2014

    @Megan - I understood what you were doing. I was mainly trying to reinforce my earlier points about USAA for anyone else who stumbles into this. It took me quite a bit of time and aggravation when I first figured out what was happening with this site some months ago. The key for me then was counting the dots that hide the password when you try to log in. I wonder if sites always show the same number of dots or asterisks as there are characters in the submitted password.

  • sjk
    1Password Alumni

    Thanks for your reinforcement effort with this, @hawkmoth. Along the same lines, I updated the topic title the other day… within its enforced length limit. :)

    "The key for me then was counting the dots that hide the password when you try to log in."

    Browser extensions that temporarily reveal passwords can come in handy for basic troubleshooting of filling issues, e.g. for Safari: ShowPass - Canisbos

This discussion has been closed.