Be careful with that! I've created accounts in the past with a 40+ random character password and everything went swimmingly. Until I tried to log in. Bzzzt! Couldn't get in.
Apparently the password had a character limit that wasn't mentioned when signing up and was silently truncated server-side. A bit of investigation showed the <input> had maxlength="20" which is only enforced when typing characters. Using JavaScript to fill a form will just ignore this attribute. https://codepen.io/jspash/pen/XWerVzY
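An added example, not part of the original comment: a server-side sketch of the silent truncation described above, next to a signup handler that rejects over-length input instead. The function names, the scrypt hashing and the assumption that the login path does not truncate are all illustrative; only the 20-character limit comes from the comment.

```javascript
// Added illustration; handler names and storage format are hypothetical.
const crypto = require("node:crypto");

const MAX_LEN = 20; // mirrors the maxlength="20" mentioned in the comment

function hashPassword(password, salt) {
  // scrypt is this example's choice; the comment does not say what the site used.
  return crypto.scryptSync(password, salt, 32);
}

// Flawed signup: trusts the browser to enforce maxlength and quietly
// cuts whatever arrives down to MAX_LEN before hashing.
function signupTruncating(password) {
  const salt = crypto.randomBytes(16);
  return { salt, hash: hashPassword(password.slice(0, MAX_LEN), salt) };
}

// Hardened signup: the limit is checked on the server and the user is told,
// so the stored credential always matches what the user submitted.
function signupStrict(password) {
  if (password.length > MAX_LEN) {
    return { ok: false, error: `password must be at most ${MAX_LEN} characters` };
  }
  const salt = crypto.randomBytes(16);
  return { ok: true, record: { salt, hash: hashPassword(password, salt) } };
}

// Login hashes exactly what it receives (assumed: no truncation on this path).
function login(record, password) {
  const candidate = hashPassword(password, record.salt);
  return crypto.timingSafeEqual(candidate, record.hash);
}

// Constructed sample: a 40-character password as a password manager would fill it.
const SAMPLE_PASSWORD = "Zq7!mW2#xR9@pL4$" + "vB6^nK1&tY8*hD3(" + "cF5)gJ0_";

function demo() {
  const record = signupTruncating(SAMPLE_PASSWORD);
  return {
    fullPasswordLogsIn: login(record, SAMPLE_PASSWORD),
    first20LogsIn: login(record, SAMPLE_PASSWORD.slice(0, MAX_LEN)),
    strictSignup: signupStrict(SAMPLE_PASSWORD).ok,
  };
}

console.log(demo());
```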
I've noticed my bank doing shenanigans in order to prevent password managers from working well. It appears to be JS scripts that uppercase or lowercase the input field after posting but before the browser saves it. So it perpetually looks like I'm updating my password when I'm not. It literally just got populated by the browser.
What is the deal with banks being actively hostile to password managers?
One bank specifically I have to deal with will:
- Not allow you to paste a username/password (ctrl+c/ctrl+v, right click disabled)
- LastPass autofill doesn't work
- If the page loses focus, both user/password inputs are cleared, you get to start all over.
There is also a very small subset of special characters that are allowed.
If you do not reset your password as often as they'd like, you have to agree to waive any responsibility for any issues with your account before logging in.
SMS 2FA required, there's no other 2FA option.
After entering your 2FA code, the "proceed" and "cancel" buttons are the exact same shape and color and I've hit the wrong one multiple times, in which case there is also SMS 2FA cool down and you have to wait 15 mins to start all over again.
It's absolute insanity and every time I have to log in it's an adventure.