A well known online bank in Italy, @FinecoLive, is:
a) limiting the max password length to 8 chars (a red flag as hashes have consistent length)
b) suggesting you should google your password to ensure it's unique

@troyhunt we need you 
(Thanks @gvarisco and @Clodo76)
Someone (@empijei) is suggesting they are doing this so you can use your browser history as a password manager. Smart. https://twitter.com/empijei/status/1194169321913749504
They are also suggesting a couple of secure passwords (no, they are not randomly generated, they're the same for everyone) in case you don't want to google.
I wish I never started going down the rabbit hole.
Changing your password is 0.95 EUR. And you can change it only once every 7 days.
In terms of ref. for 8 chars making poor passwords, turns out NIST has some guidelines: https://pages.nist.gov/800-63-3/sp800-63b.html
"require subscriber-chosen memorized secrets to be at least 8 characters in length. Verifiers SHOULD permit memorized secrets at least 64 characters in length"
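Added example, not part of the original thread and not the bank's code: a minimal verifier showing why a low maximum length is a red flag. The stored record has the same size for an 8-character and a 58-character password, so storage gives no reason to cap at 8. The PBKDF2 work factor, the 64-character upper bound, the function names and the sample passwords are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import unicodedata

MIN_LENGTH = 8         # minimum from the NIST SP 800-63B text quoted above
MAX_LENGTH = 64        # assumed cap; NIST says to permit at least 64
ITERATIONS = 600_000   # assumed PBKDF2 work factor for this example
SALT_BYTES = 16


def check_length(password: str) -> bool:
    """Length policy, counted in Unicode code points."""
    return MIN_LENGTH <= len(password) <= MAX_LENGTH


def _derive(password: str, salt: bytes) -> bytes:
    # Normalize so the same visible password always hashes identically.
    data = unicodedata.normalize("NFKC", password).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)


def make_record(password: str) -> bytes:
    """Return salt || derived key; its size never depends on the password."""
    if not check_length(password):
        raise ValueError("password length outside policy")
    salt = os.urandom(SALT_BYTES)
    return salt + _derive(password, salt)


def verify(password: str, record: bytes) -> bool:
    """Recompute the key with the stored salt and compare in constant time."""
    salt, stored = record[:SALT_BYTES], record[SALT_BYTES:]
    return hmac.compare_digest(stored, _derive(password, salt))


def demo() -> dict:
    """Map password length -> stored record length for two constructed samples."""
    short_pw = "Tr0ub4d&"                            # constructed, 8 characters
    long_pw = "correct horse battery staple " * 2    # constructed, 58 characters
    return {len(p): len(make_record(p)) for p in (short_pw, long_pw)}


if __name__ == "__main__":
    print(demo())
```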