BBO Discussion Forums: What is your password?


What is your password? Are our passwords secure or repeatable?

#1 jandrew

  • Group: Full Members
  • Posts: 225
  • Joined: 2006-June-05
  • Gender:Male
  • Location:Queensbury, West Yorkshire, England

Posted 2018-August-06, 13:20

I used to create passwords which were about 8 or 9 characters long, and rarely had any problems with them. And when, occasionally, I had to re-enter my BBO password I had no problems.

HOWEVER – Recently I upped the ante and started making my passwords between 12 and 15 characters long in order to confound the dark forces. Of course, I changed my BBO password (to one of 12 characters). BBO remembers my passwords, so all was well for weeks and weeks – I was able to login without entering my password.

BUT THEN, DISASTER. I needed to re-enter my password and it was rejected again and again – I could not log in.

I ASKED FOR HELP AND WORKED OUT THE SURPRISING ANSWER. My password had been silently truncated to only 10 characters when I had first changed it and, because only those 10 characters were remembered on the BBO server, my subsequent automatic logins were accepted without demur. That is – until I needed to re-enter the password. Then, my entry of 12 characters was not truncated and did not match the 10 characters on the BBO server.

WOW. Surely, I can’t be the only one caught out by this mis-management of my password.

HOW SECURE is a server which limits passwords to only 10 characters – especially if it does not tell you if you exceed that limit but allows you to do so.

INCIDENTALLY, I was only able to solve this puzzle because BBO were able to give me the saved password in plain text. ??????? When did servers start to save their clients’ passwords in plain text or be able to convert the encoded password?
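The failure mode described in the post above, reconstructed as an added example (this is not BBO's code, and the 10-character limit, the two login paths and all names are assumptions for illustration): a store that silently trims the password on change, one verification path that trims again (so automatic logins keep working) and one that compares the full string (so a manual re-entry fails). Beside it is a hashed store that rejects over-long input instead of trimming it, and that cannot hand the password back to support because it never keeps it.

```python
"""Added example, not from the thread or from BBO: silent truncation plus
inconsistent verification, beside a salted-and-hashed store with an
explicit length policy.  MAX_LEN, the class and method names, and the
sample user are assumptions made up for this illustration."""
import hashlib
import hmac
import os

MAX_LEN = 10  # assumed width of a legacy fixed-size password field


class LegacyStore:
    """Assumed legacy design: plaintext column that is trimmed on write."""

    def __init__(self):
        self.db = {}  # username -> plaintext password (never do this)

    def set_password(self, user, password):
        # Silently truncates; the user is never told anything was dropped.
        self.db[user] = password[:MAX_LEN]

    def login_client(self, user, password):
        # Path A (e.g. an automatic client login) trims before comparing,
        # so an over-long password keeps "working" through this path.
        return self.db.get(user) == password[:MAX_LEN]

    def login_web(self, user, password):
        # Path B (e.g. a manual form) compares the full string as typed.
        return self.db.get(user) == password

    def recover(self, user):
        # Support can read it back: it was stored in the clear.
        return self.db.get(user)


class HashedStore:
    """Hardened design: enforce a length policy, then store only a salted,
    iterated hash (PBKDF2-HMAC-SHA256 from the standard library)."""

    ITERATIONS = 100_000  # kept low so the demo is quick; raise in production

    def __init__(self):
        self.db = {}  # username -> (salt, digest)

    @staticmethod
    def validate(password):
        # Reject out-of-policy input loudly instead of trimming it quietly.
        if not 8 <= len(password) <= 128:
            raise ValueError("password must be between 8 and 128 characters")

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, self.ITERATIONS
        )

    def set_password(self, user, password):
        self.validate(password)
        salt = os.urandom(16)
        self.db[user] = (salt, self._hash(password, salt))

    def verify(self, user, password):
        rec = self.db.get(user)
        if rec is None:
            # Do the same work for unknown users so timing does not leak
            # whether an account exists.
            self._hash(password, b"\0" * 16)
            return False
        salt, digest = rec
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(self._hash(password, salt), digest)

    def recover(self, user):
        return None  # nothing stored that could be handed back


def demo():
    """Run both stores against the same over-long password and report."""
    pw = "AVeryLongPassword"  # 17 characters, longer than MAX_LEN
    legacy = LegacyStore()
    legacy.set_password("jandrew", pw)
    hardened = HashedStore()
    hardened.set_password("jandrew", pw)
    return {
        "legacy_stored": legacy.db["jandrew"],            # "AVeryLongP"
        "legacy_client_ok": legacy.login_client("jandrew", pw),   # True
        "legacy_web_ok": legacy.login_web("jandrew", pw),         # False
        "legacy_web_trimmed_ok": legacy.login_web("jandrew", pw[:MAX_LEN]),
        "hardened_ok": hardened.verify("jandrew", pw),            # True
        "hardened_trimmed_ok": hardened.verify("jandrew", pw[:MAX_LEN]),
        "hardened_recover": hardened.recover("jandrew"),          # None
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The legacy half shows why the automatic logins kept succeeding (both ends trimmed) while a typed 12-character password failed (only one end trimmed); the hardened half shows the two properties a practitioner wants instead: a stated maximum that is enforced by rejection in every component, and a stored value from which nobody, support included, can read the password back.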

#2 pescetom

  • Group: Advanced Members
  • Posts: 7,328
  • Joined: 2014-February-18
  • Gender:Male
  • Location:Italy

Posted 2018-August-06, 15:23

jandrew, on 2018-August-06, 13:20, said:

INCIDENTALLY, I was only able to solve this puzzle because BBO were able to give me the saved password in plain text. ??????? When did servers start to save their clients’ passwords in plain text or be able to convert the encoded password?


I would ask when did servers STOP saving their clients' passwords in plain text... once it was the norm, outside of Unix and other enlightened realms.
But luckily BBO is only a game.
Perhaps a more critical problem is that (from what you say) BBO seems to be inconsistent in its handling of lost passwords.
When I forgot mine (after years of automatic logons), they were incapable of or unwilling to give me the saved password and I had to re-register with a different username, losing the right to use the windows client.

#3 hrothgar

  • Group: Advanced Members
  • Posts: 15,380
  • Joined: 2003-February-13
  • Gender:Male
  • Location:Natick, MA
  • Interests:Travel
    Cooking
    Brewing
    Hiking

Posted 2018-August-06, 15:31

Get a password vault
Alderaan delenda est

#4 helene_t

  • The Abbess
  • Group: Advanced Members
  • Posts: 17,087
  • Joined: 2004-April-22
  • Gender:Female
  • Location:UK

Posted 2018-August-06, 15:42

hrothgar, on 2018-August-06, 15:31, said:

Get a password vault

This would only make this problem worse, wouldn't it? If I know that my password is AVeryLongPassword but the system truncates it to AVeryLongP, then at least there is a chance that I can guess what password the system expects from me. If it is only the vault that knows the password, it can't construct the abbreviated password.
The world would be such a happy place, if only everyone played Acol :) --- TramTicket

#5 FelicityR

  • Group: Full Members
  • Posts: 980
  • Joined: 2012-October-26
  • Gender:Female

Posted 2018-August-06, 15:58

helene_t, on 2018-August-06, 15:42, said:

AVeryLongP


Now that's the sort of password my husband would use. :)

#6 ahydra

  • AQT92 AQ --- QJ6532
  • Group: Advanced Members
  • Posts: 2,840
  • Joined: 2009-September-09
  • Gender:Male
  • Location:Wellington, NZ

Posted 2018-August-06, 17:16

Reminds me of the time my bank upgraded their system and told me that I should no longer type the special characters in my password... I sincerely hope that was being done client-side and they weren't storing the passwords in plain text on the backend!

I wouldn't be surprised if 10 chars is the limit - it is for usernames and display names on vugraph. But it's silly, for sure. Storing passwords in plain text is worse, and the one time I wanted a BB$ refund I had to send my password in plain text in an e-mail - it was many years ago, so not sure if BBO still request that, but if they do then that's about as bad as ruffing your partner's Ace, returning the same suit to him and then ruffing his King as well :).

Any BBO dev care to comment on the above?

ahydra

#7 barmar

  • Group: Admin
  • Posts: 21,415
  • Joined: 2004-August-21
  • Gender:Male

Posted 2018-August-06, 17:44

Unfortunately, this is a very old design, and there are many different components of the system that need to input or verify passwords: 4 different clients (including the old download client that's not being updated), the main server, BB$ purchase app, myhands, the forum, and a number of internal applications.

So changing the way they're stored and validated would require updating a number of different components simultaneously. We know that our current mechanism is poor, but with our limited resources it has been hard to find the time to redo everything that depends on it.

#8 jandrew

  • Group: Full Members
  • Posts: 225
  • Joined: 2006-June-05
  • Gender:Male
  • Location:Queensbury, West Yorkshire, England

Posted 2018-August-07, 03:34

pescetom, on 2018-August-06, 15:23, said:

...
But luckily BBO is only a game.
...


I agree.
My post was the result of my surprise - certainly not a complaint. I was only being blocked from the forum - not losing a fistful of money.
I shall revert to my original password (less than 10 characters) for BBO.

I have no experience of encrypting passwords in Windows systems. All my experience was in Unix (many years ago) and it never occurred to me that there would be much difference. I learn something every day.

#9 barmar

  • Group: Admin
  • Posts: 21,415
  • Joined: 2004-August-21
  • Gender:Male

Posted 2018-August-07, 10:29

jandrew, on 2018-August-07, 03:34, said:

I have no experience of encrypting passwords in Windows systems. All me experience was in Unix (many years ago) and it never occurred to me that there would be much difference. I learn something every day.

This has nothing to do with Windows vs. Unix. Password storage and validation is done by BBO-specific software.
