> having a maximum password length of 10, silently truncating passwords, silently replacing non-ASCII with '?', setting default passwords to 6 numbers, not rate-limiting password attempts
Most new CS students would know better than to do this, or at least would know they have to properly look this up.
It's sometimes hard to believe major stupid things like this are done accidentally. (But I know very well how they happen accidentally: it starts with some bug somewhere with non-US-ASCII/too long and similar, then it's constrained "temporarily" and put on a must-fix list, but that list never gets any priority ever. Things like this are sadly super common. As long as companies don't get legally held responsible for negligence this won't ever go away.)
I believe it's a company / business level decision. A 6- to 10-digit numeric password is easy to remember. And not rate limiting enables older, non-tech-savvy users to have as many errors as they want.
But password complexity, rate limiting and other security measures are there for a reason, and whoever cannot learn from history is doomed to repeat it.
Rate-limiting has nothing to do with the older, non-tech savvy users. You're thinking of maximum failed attempts. Rate-limiting is about preventing bots from spamming an API call.
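A constructed Python example, not code from this thread, contrasting the quoted handling (truncate to 10 characters, replace non-ASCII with '?') with full-length UTF-8 hashing, and showing per-caller rate limiting as a separate control from a per-account failed-attempt lockout, the distinction the reply above draws. Function and class names and the PBKDF2 iteration count are assumptions.

```python
import hashlib
import hmac
import os
import unicodedata
from collections import deque

# "Before": a constructed reproduction of the handling quoted in the thread,
# silently replacing non-ASCII with '?' and truncating to 10 characters.
def weak_normalize(pw: str) -> str:
    ascii_only = "".join(c if ord(c) < 128 else "?" for c in pw)
    return ascii_only[:10]  # distinct passwords now collide

# "After": keep every code point (NFC so composed/decomposed forms agree),
# encode as UTF-8 and hash the whole thing with a slow, salted KDF.
def normalize(pw: str) -> bytes:
    return unicodedata.normalize("NFC", pw).encode("utf-8")

def hash_password(pw: str, salt: bytes = b""):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", normalize(pw), salt, 600_000)

def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(pw), salt, 600_000)
    return hmac.compare_digest(candidate, digest)  # constant-time compare

# Rate limiting (per caller, e.g. source IP): caps how fast the endpoint can be
# hit at all, which is what stops automated guessing.
class SlidingWindowLimiter:
    def __init__(self, limit: int, window: float):
        self.limit, self.window, self.calls = limit, window, {}

    def allow(self, key: str, now: float) -> bool:
        q = self.calls.setdefault(key, deque())
        while q and q[0] <= now - self.window:
            q.popleft()  # forget calls that fell outside the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

# Maximum failed attempts (per account): a separate control that locks the
# account after too many consecutive wrong passwords, regardless of speed.
class FailedAttemptLockout:
    def __init__(self, max_failures: int):
        self.max_failures, self.failures = max_failures, {}

    def record(self, account: str, success: bool) -> bool:
        """Returns True if the account is now locked."""
        self.failures[account] = 0 if success else self.failures.get(account, 0) + 1
        return self.failures[account] >= self.max_failures
```

In a real deployment both controls sit in front of the login handler: the limiter rejects callers before any hashing work is done, and the lockout is keyed on the account so a slow, distributed guess still runs out of attempts.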