conrad.de: How to drive business to other shops
Intro
I wanted to buy something from conrad.de, a German electronics supplier.
The item in question is for business customers only, so I'm unable to buy it
unless I'm registered and logged in as a business customer.
So far no harm.
Let's hit the registration button.
The registration
First annoying thing: the form looks mobile-only, very narrow, 350px wide to be exact.
The rest of the shop does not work properly on mobile phones (at least on mine), so yeah, it makes total sense to have a mobile-only registration form.
But those tiny things aside, let's fill it out anyway.
But what happened after the click on the registration button blew my socks off:
Translation: "The password length is greater than the maximum allowed length".
WTF?
I do understand a minimum length, and also other things like mandatory character classes. But a maximum length?
They aren't storing the plain password in a database, right? RIGHT?
State of the art is to take the password, run it through a deliberately slow, salted password-hashing function (bcrypt, scrypt, Argon2 or PBKDF2) and store only the result, never the password itself. The output has a fixed length that depends only on the algorithm, whether the input is 5 or 5000 characters, so the database column never needs to know how long the password was. The one legitimate reason for an upper bound is to keep a single login attempt from burning unbounded CPU on the hashing step (and bcrypt in particular only looks at the first 72 bytes), but that argues for a cap in the hundreds or thousands of characters, not for rejecting a 27-character one.
This is also how it is done here on Content Nation.
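As an added example (not code from conrad.de or Content Nation), the following Python uses only the standard library to show the point above in practice: PBKDF2-HMAC-SHA256 with a random per-user salt produces a 32-byte digest for a 5-character and a 5000-character password alike, and the stored record carries everything needed to verify a login later. The iteration count, the 8 KiB size cap and the record format are assumptions chosen for this example, not anything the shop is known to use.

```python
import hashlib
import hmac
import os

# Example policy values (assumptions for this demonstration, not conrad.de's settings).
ITERATIONS = 600_000          # OWASP-recommended count for PBKDF2-HMAC-SHA256 (2023)
SALT_BYTES = 16               # random per-user salt, stored next to the digest
DIGEST_BYTES = 32             # output length is fixed by this choice, not by the password
MAX_PASSWORD_BYTES = 8192     # generous cap that only bounds CPU work per login attempt
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'algorithm$iterations$salt_hex$digest_hex'.

    Only this record is stored; the plaintext password is never written anywhere.
    """
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        # The only sane reason to reject a long password: bounding hashing cost.
        raise ValueError(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations, dklen=DIGEST_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt/iterations and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    expected = bytes.fromhex(digest_hex)
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iterations),
        dklen=len(expected),
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


def stored_digest_length(record: str) -> int:
    """Length in bytes of the digest part of a stored record."""
    return len(bytes.fromhex(record.rsplit("$", 1)[1]))


if __name__ == "__main__":
    # Constructed sample inputs: a 5-character, a 27-character and a 5000-character password.
    samples = ["abcde", "x7!Qp9#Lm2$Zr4@Vt6^Wy1&Ku8*", "x" * 5000]
    for pw in samples:
        record = hash_password(pw)
        print(f"{len(pw):5d} chars -> {stored_digest_length(record)} byte digest: {record[:60]}...")
        assert verify_password(pw, record)
        assert not verify_password(pw + "!", record)
```

Two hashes of the same password produce different records because the salt is fresh each time; that is intended, and verification still works because the salt travels inside the record. To switch algorithms later, a different prefix and a re-hash on the user's next successful login is all that is needed.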
My Conclusion
Well, I didn't change the password (which was completely random, but obviously too long at 27 chars),
I changed the shop I'm buying this article from, even if it costs 3€ more.
So my advice, if someone from conrad.de reads this: please allow unlimited password lengths, and if you really store the original password, please, for everything that is holy, change this ASAP.