duffn/dumb-password-rules

Costco.com truncates password to 16 characters

nightsprol opened this issue · 1 comment

I am using Bitwarden as a password manager. Costco was not recognizing my email and password as stored in Bitwarden, so I reset my password. I generated a new password and pasted it in twice. Costco shows all green on the checks despite the password being >20 characters and one of the stated limitations being "8 to 16 characters", and I am still able to reset the password with this. I go back to the login page, again use Bitwarden to set the email and password, and again it blocks me from logging in. I then take the same generated password, truncate it to 16 characters, and it successfully logs me in.

The client logic is not actually validating the length of the password, and either the client or server is simply truncating it to the max length of 16 characters and using that. This is worse than the currently stated rules at https://github.com/duffn/dumb-password-rules#costco-com

duffn commented

That's dumb indeed!

I invited you to update the Costco entry to reflect your findings.