Please Don't Do This With Your Passwords

The school district we live in, like most around here, uses Skyward for their school management software. It is where we get class schedules, test scores, and grades.


I'm not sure if this is a Skyward thing or a District config thing, but I have to reset my Skyward password all the time (okay maybe a couple times a year). This is where the fun begins. I use a password manager to create long, complex, random passwords and then store them for me. I never ever know what they are and rarely even see them. This works great just about everywhere but Skyward.

The process goes like this:

  1. I login to Skyward and get the notice to change my password.

  2. My password manager create a password which is always 20+ characters long.

  3. Skyward logs me in as if everything is hunky dory.

  4. I try to login to Skyward later and my login fails.

Here's why. In hidden step 2.5 Skyward is actually truncating my password to 16 characters before it submits it and stores it. This happens silently. There is no notification that it is just grabbing the first 16 characters. When I try to login I am of course sending the whole 20+ character password and so my password doesn't match.

I then groan, curse them a little, and remember this utterly stupid setup. Then I spend time truncating my password until it lets me in. Then I manually update my password manager.

This post serves two purposes:

  1. To beg everyone working as a web developer to never do something this stupid and anti-user.

  2. To remind myself that my password will only be the first 16 characters I entered.


Comments powered by Disqus