Charles Schwab silently truncates passwords to 8 characters. Always a fun surprise to accidentally enter a password you use somewhere else and get logged in anyways.

I complained to them a while ago about the fact that they limit passwords to 8 characters. Must have been two years ago and I got a very generic "sorry, we know this could be better and our engineers are working on it. In the mean time, we'll send you an RSA security token fob for two factor authentication if you'd like". Thanks but no thanks, I'd rather not add another item to my keychain to make up for your website's lackluster password requirements.

I never knew that their website would truncate passwords at 8 characters, but just checked and sure enough it works. This is indicative of the ridiculousness of the 8 char limit, but given the 8 char limit, I don't think it weakens their system at all.

> Thanks but no thanks, I'd rather not add another item to my keychain to make up for your website's lackluster password requirements.

If you care about keeping your money it may be wise to take the fob and/or find a new bank/broker.

Might not want to add another item to your keychain (or desk drawer), but if you know it's lackluster and you keep your money there, it seems like accepting the token fob would be the smart move .

The only situation I could imagine it weakening the system is if your non-dictionary-word password can be turned into a dictionary word by adding several characters on to the end.

That's nothing. Until late 2000, eTrade stored your password, caeser-ciphered, in a cookie in your browser.

As does Citibank. I imagine it's for telling-support-over-the-phone purposes, which isn't great.

...why would you have to tell them your password in the first place?

UNIX historically truncated passwords to eight characters.