Missing the whole point of a password


(Off topic)

I opened a new account in an investment company. They gave me the user name and password, I logged in, and the first thing I wanted to do was, naturally, change the password.

So I tried my regular password scheme (which is long and has capitals and symbols in it), and I got a “Not compatible with password security requirements” error.

So I started to look around the page for the requirements. None were found. I tried again, with a simpler password, just in case.

Same error.

So after wasting 10 minutes trying to figure out what exactly the magnificent password requirements are, I sent their help desk a message asking if they would please reveal the oh-so-secret password requirements that I was somehow supposed to guess. A few minutes later I got a call from a very nice representative who was nice enough to indulge me with this valuable info.

Do you know what those requirements are?

The password can only be 8 chars long, where the chars can only be pairs of a capital letter and a digit.

Read that again.

All their passwords are of this structure: A1B2C3D4. I would bet my life 10% of their users are using this password.
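To put a number on how small that policy makes the search space, here is an added example (my own code, not anything from the company or the post) that checks a password against the described pair structure and computes the resulting keyspace and entropy, compared with an unconstrained 8-character password over printable ASCII (95 symbols assumed):

```python
import math
import re

# The policy described above: exactly eight characters, made of four
# (capital letter, digit) pairs, e.g. A1B2C3D4.
PAIR_POLICY = re.compile(r"^(?:[A-Z][0-9]){4}$")


def matches_pair_policy(password: str) -> bool:
    """True if the password would be accepted by the pair policy."""
    return PAIR_POLICY.fullmatch(password) is not None


def keyspace_count(alphabet_sizes: list[int]) -> int:
    """Number of distinct passwords when each position is drawn from an
    alphabet of the given size (positions are independent)."""
    total = 1
    for size in alphabet_sizes:
        total *= size
    return total


def keyspace_bits(alphabet_sizes: list[int]) -> float:
    """Entropy in bits of a uniformly chosen password from that keyspace."""
    return math.log2(keyspace_count(alphabet_sizes))


def pair_policy_count() -> int:
    # Four positions of 26 capitals and four of 10 digits: 26^4 * 10^4.
    return keyspace_count([26, 10] * 4)


def pair_policy_bits() -> float:
    return keyspace_bits([26, 10] * 4)


def free_policy_bits(length: int = 8, alphabet: int = 95) -> float:
    # Assumed comparison: any printable ASCII character at every position.
    return keyspace_bits([alphabet] * length)


if __name__ == "__main__":
    print(f"pair policy: {pair_policy_count():,} passwords, "
          f"{pair_policy_bits():.1f} bits")
    print(f"free 8-char policy: {free_policy_bits():.1f} bits")
```

The pair policy yields about 4.6 billion possible passwords (roughly 32 bits), versus roughly 53 bits for an unconstrained 8-character password; every extra rule that fixes the character class at each position shrinks the space the same way.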

When I pointed out to the representative on the line that this is very easily crackable, she responded with “It’s not THAT easy; besides, what are you, a hacker or something?” “No,” I said, “but since you are an investment company, it’s very likely someone would have the incentive to break into your website, as there’s a significant gain to be made from it!” To which she answered with the all-time classic “That’s a system constraint”.

Or as “Little Britain” so well said: “Computer says no”.