Because they wanted, for "customers' convenience", the same passwords to work both on the web portal and as their AS/400 passwords. (Customers could also access to the AS/400 terminals.)
Which were limited to 10 EBCDIC characters. 😩
This actually had a glimpse of sense. Because it wasn't like that before. I've just left the passwords unconstrained and happily hashed them into the DB.
"Wait, limit the number of characters to... say, 20."
"What?! Why?"
"Our customers aren't used to passwords that long."
I'm not making this up.
Thinking about that now, there were so many security issues that make my stomach churn. And I'm no security expert!
Because they wanted, for "customers' convenience", the same passwords to work both on the web portal and as their AS/400 passwords. (Customers could also access to the AS/400 terminals.)
Which were limited to 10 EBCDIC characters. 😩
This actually had a glimpse of sense. Because it wasn't like that before. I've just left the passwords unconstrained and happily hashed them into the DB.
"Wait, limit the number of characters to... say, 20."
"What?! Why?"
"Our customers aren't used to passwords that long."
I'm not making this up.
Thinking about that now, there were so many security issues that make my stomach churn. And I'm no security expert!
Wait, what?! Why in the heck does that matter? They set their own passwords. They don't have to enter 100-character passwords if they don't want to.
You're assuming I was talking with people that had an idea of what that was all about. 😵
I think I've learnt that people can be that clueless. Even in IT!