DEV Community

Discussion on: What are the worst security practices you've ever witnessed?

Ben Halpern

Yes, I had to implement that 🤦‍♂️

What was the reasoning here?

Massimo Artizzu

Because they wanted, for "customers' convenience", the same passwords to work both on the web portal and as their AS/400 passwords. (Customers could also access the AS/400 terminals.)

Which were limited to 10 EBCDIC characters. 😩

This actually had a glimpse of sense. Because it wasn't like that before. I'd just left the passwords unconstrained and happily hashed them into the DB.
"Wait, limit the number of characters to... say, 20."
"What?! Why?"
"Our customers aren't used to passwords that long."

I'm not making this up.

Thinking about that now, there were so many security issues that make my stomach churn. And I'm no security expert!

Elliot Derhay

"Our customers aren't used to passwords that long."

Wait, what?! Why in the heck does that matter? They set their own passwords. They don't have to enter 100-character passwords if they don't want to.

Massimo Artizzu

You're assuming I was talking with people that had an idea of what that was all about. 😡

I think I've learnt that people can be that clueless. Even in IT!