Hornbach has some very “special” limitations to “special characters” in passwords. I wonder why.
Posted by jpluimers on 2022/02/01
[Wayback] Jeroen Wiert Pluimers on Twitter: “"Too special" password character password woes at @HORNBACH_NL: [ The password must be at least eight characters long and contain at least one number and one letter (a-zA-Z). The following special characters are allowed: !"#$%&'()*+,.:;?@_|} ] 1/”
I wonder what kind of parser they use, as these special ASCII characters (printable ones as well as whitespace and control characters) are forbidden:
- ``-/[\]^`{~``
- space (0x20)
- tab (0x9)
- line feed (0xa)
- carriage return (0xd)
- vertical tab (0xb)
- form feed (0xc)
This doesn't look like JSON or SQL escaping to me: there I would expect a different set of restrictions.
What would break if you used these characters in other fields, or passed them in an HTTP POST request?
I mean: a password should be salted and hashed immediately when the HTTP POST request is received, so it is certainly not stored anywhere or passed many layers down into the code, right?
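To make the point concrete, here is an added example (my own code, not Hornbach's) that re-derives the forbidden printable characters from the allowed set quoted in the tweet and then hashes a password at the request boundary; PBKDF2-HMAC-SHA256 is an assumed KDF choice, and the iteration count is a parameter so the function can be exercised quickly.

```python
"""Re-derive the quoted rule's forbidden special characters and show why an
application that salts and hashes immediately need not restrict them at all."""
import hashlib
import os
import re
import string
from typing import Optional, Tuple

# Allowed specials exactly as quoted in the tweet; the a-zA-Z and 0-9 classes
# come from the same message.
ALLOWED_SPECIALS = '!"#$%&\'()*+,.:;?@_|}'
ALLOWED = set(string.ascii_letters + string.digits + ALLOWED_SPECIALS)


def forbidden_printable() -> str:
    """Printable ASCII (0x20-0x7e) that the quoted rule rejects, in code-point order."""
    printable = (chr(c) for c in range(0x20, 0x7F))
    return "".join(ch for ch in printable if ch not in ALLOWED)


def hornbach_rule_rejects(password: str) -> Optional[str]:
    """Return the first reason the quoted rule would give for rejecting, else None."""
    if len(password) < 8:
        return "shorter than eight characters"
    if not re.search(r"[0-9]", password) or not re.search(r"[a-zA-Z]", password):
        return "needs at least one digit and one letter"
    bad = sorted({ch for ch in password if ch not in ALLOWED})
    if bad:
        return "disallowed characters: " + " ".join(f"U+{ord(c):04X}" for c in bad)
    return None


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """Salt and hash right where the request arrives. The KDF sees only bytes, so
    spaces, backslashes, brackets or non-ASCII in the password are no concern."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


if __name__ == "__main__":
    # Constructed sample passwords; the one with a space and a backslash is
    # rejected by the quoted rule but hashes like any other.
    print("forbidden printable specials:", repr(forbidden_printable()))
    for pw in ("Hunter2!rocks", r"Hunter2 \rocks"):
        print(repr(pw), "->", hornbach_rule_rejects(pw), hash_password(pw)[1].hex()[:16])
```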
Oh, and in order to activate an account there, you need to accept some 40+ A4-sized pages of legal text. Brave the Dutch judge who will rule all of these in favour of Hornbach.
- [Wayback] Right of withdrawal at HORNBACH (Herroepingsrecht bij HORNBACH) (no PDF)
- [Wayback] Model withdrawal form (Modelformulier voor herroeping) PDF (1 page)
- [Wayback] Privacy statement (Privacyverklaring) of HORNBACH Bouwmarkt (Nederland) B.V. [Wayback] PDF (23 pages)
- [Wayback] Camera surveillance regulations (Reglement cameratoezicht) (only as PDF): 3 pages
–jeroen