While many online portals are embracing two-factor authentication and other security best practice, our telecoms utility eir seems determined to stop us using good-quality passwords.
As you can see from the screenshot below, the self-service portal my.eir.ie doesn’t allow users to set passwords longer than 10 characters.
The error message on screen also notifies anyone (including potential hackers) that all passwords for the system are between 6 and 10 characters – which would be a massive help to anyone attempting a brute-force attack on the site, as it would reduce the number of password combinations they need to try.
This is a shocking example of bad security by design, and is a carryover from the old Meteor self-service portal. Someone at some time in the past chose to limit password length, which forces people to use short, insecure passwords.