Chat CIMB kena hack?
eltaria
Dec 17 2018, 09:08 AM
For those who are saying you can still log in with the 8 correct password characters + xyzzzzzzz:
The reason for that is probably 1) you yourself didn't change the original 8-character password. 2) The system still needs to provide backward compatibility to users who didn't change to a longer password; maybe their implementation is poor: if it fails to match the full-length password, then match the first eight characters... 3) In terms of the 8-character password being a problem in the first place... that shouldn't be. Passwords even with 8 characters should be sufficiently strong if you have them at least randomized; they should implement blocking of subsequent tries after failure of the first 10 attempts.
Whatever is happening, it's more than just a password issue, I believe.
eltaria
Dec 17 2018, 10:47 AM
Yeah, I think people are just confused with everything.
The 8-character password being able to log in is probably not a bug, but a feature, maybe a bad 'user friendly' feature la. Let's say you now have a mixture of users on 8-character passwords and 8+ passwords. In their DB, they probably have a column, Over8Chars, as true or false, so they will know if you have updated your password or not. At login, they may read this field and, if it's still 8 characters, trim off the excess characters from your password entry... (Maybe too smart, and too user friendly, until it causes panic) and this is reported as a hack.
Remember, if they already brute-forced until your 8-character password is known, they don't need to add in additional digits anyway.
Also, unless something went horribly wrong, even if you're on an 8-character password, the password that's saved inside the database is a combination of your password + a randomly generated string of characters as a 'SALT'. The final password hash that's saved in the database is probably a 30-40 character string long (if not more); brute forcing this hash to decode it for a user is hard, not to mention decoding it for every individual user.
For example, even if 2 users have the same password 123456, the password hash saved in the database is gonna be different...
I doubt there is a weakness in the DB/hash itself.. Unless there's a weakness in the UI front, it's also not so likely for the problem to be happening in this area..
Chill guys...
This post has been edited by eltaria: Dec 17 2018, 10:53 AM
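To make the mechanism in the post above concrete, here is an added example (not code from the thread or from CIMB; the bank's real login logic is unknown). It shows the two points raised: salted hashing gives two users with the same password different stored hashes, and a login routine that trims the entry to 8 characters for accounts flagged as "not yet over 8 chars" would accept the correct password followed by junk, whereas a full-length comparison rejects it. The `Over8Chars` column, the user records and the passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 200_000  # PBKDF2 work factor; assumption for the demo


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash) using PBKDF2-HMAC-SHA256 over the full password.

    A fresh random 16-byte salt is drawn when none is supplied, so two users
    with identical passwords end up with different stored hashes.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_full(entered: str, salt: bytes, stored: bytes) -> bool:
    """Correct check: hash the whole entry and compare in constant time."""
    _, digest = hash_password(entered, salt)
    return hmac.compare_digest(digest, stored)


def verify_legacy_trim(entered: str, salt: bytes, stored: bytes, over8chars: bool) -> bool:
    """The speculated 'user friendly' behaviour: if the account has not moved to a
    longer password, only the first 8 characters of the entry are checked.
    This is the weak variant; it accepts '<8 correct chars>' + anything."""
    candidate = entered if over8chars else entered[:8]
    return verify_full(candidate, salt, stored)


# Constructed sample records (not real accounts): both users chose the same
# 8-character password; user_b later changed to a longer one.
def build_demo_users() -> dict:
    salt_a, hash_a = hash_password("Pa55w0rd")
    salt_b, hash_b = hash_password("Pa55w0rd-longer-now")
    return {
        "user_a": {"salt": salt_a, "hash": hash_a, "over8chars": False},
        "user_b": {"salt": salt_b, "hash": hash_b, "over8chars": True},
    }


def same_password_different_hash() -> bool:
    """Two hashes of the same password with independent salts differ."""
    _, h1 = hash_password("123456")
    _, h2 = hash_password("123456")
    return h1 != h2


def login(users: dict, name: str, entered: str, trim_legacy: bool) -> bool:
    rec = users[name]
    if trim_legacy:
        return verify_legacy_trim(entered, rec["salt"], rec["hash"], rec["over8chars"])
    return verify_full(entered, rec["salt"], rec["hash"])


if __name__ == "__main__":
    users = build_demo_users()
    print("same password, different hashes:", same_password_different_hash())
    # Correct password followed by junk: rejected by the full check, accepted by the trimming one.
    print("full check, padded entry  :", login(users, "user_a", "Pa55w0rdxyzzzzz", trim_legacy=False))
    print("trim check, padded entry  :", login(users, "user_a", "Pa55w0rdxyzzzzz", trim_legacy=True))
    # A user who already moved to a long password is not affected by the trim path.
    print("trim check, long-pw user  :", login(users, "user_b", "Pa55w0rd-longer-now", trim_legacy=True))
    print("trim check, long-pw + junk:", login(users, "user_b", "Pa55w0rd-longer-nowxyz", trim_legacy=True))
```

The defensive takeaway is simply the `verify_full` path: never derive the comparison length from account state, and store the salt alongside the hash so every account gets an independent one.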
eltaria
Dec 17 2018, 11:42 AM
QUOTE (teehk_tee @ Dec 17 2018, 11:37 AM): CIMB never implemented login failures (not sure after this event got or not). Many other banks, you log in failed 3 times = lock online banking, need to go to ATM/call CS/visit branch to reset.

Seriously? They don't do account lockout? I mean, if not 3 times, at least after 50 times login failure la.. I find it hard to believe if this is really true... Then again, account lockout is also a possible DoS attack, if bots keep locking your account and legit users can't log in.
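The lockout trade-off raised here (and the "block after the first 10 attempts" suggestion earlier in the thread) is easy to see in code. The following is an added example, not anything from the thread or from any bank's system: a small login guard that counts consecutive failures per account and applies a time-limited lockout rather than a permanent one, so that a bot hammering a username inconveniences the legitimate user for a bounded window instead of locking them out until they visit a branch. The threshold, lockout duration, user store and the clock injection are all assumptions made for the demo.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class LockoutPolicy:
    max_failures: int = 10        # consecutive failures before lockout (assumed)
    lockout_seconds: float = 900  # 15-minute temporary lock (assumed)


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[float] = None


class LoginGuard:
    """Wraps a password check with per-account failure counting and temporary lockout.

    Results of attempt(): "ok", "denied" (wrong password) or "locked".
    Wrong passwords during a lockout are not counted, so a bot cannot extend
    the lock indefinitely; it expires on its own.
    """

    def __init__(self, check_password: Callable[[str, str], bool],
                 policy: LockoutPolicy = LockoutPolicy(),
                 clock: Callable[[], float] = time.monotonic):
        self.check_password = check_password
        self.policy = policy
        self.clock = clock
        self.state: Dict[str, AccountState] = {}

    def attempt(self, user: str, password: str) -> str:
        now = self.clock()
        st = self.state.setdefault(user, AccountState())
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"
            # Lock expired: give the user a fresh counter.
            st.locked_until = None
            st.failures = 0
        if self.check_password(user, password):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.policy.max_failures:
            st.locked_until = now + self.policy.lockout_seconds
        return "denied"


# Constructed demo: a fake clock we can advance, and a fake credential store.
class FakeClock:
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


DEMO_PASSWORDS = {"alice": "correct horse battery staple"}  # constructed, not real


def demo_check(user: str, password: str) -> bool:
    return DEMO_PASSWORDS.get(user) == password


def run_demo():
    """Returns the sequence of results for a burst of wrong guesses followed by the
    real password, before and after the lockout window expires."""
    clock = FakeClock()
    guard = LoginGuard(demo_check, LockoutPolicy(max_failures=3, lockout_seconds=60), clock)
    results = [guard.attempt("alice", "wrong") for _ in range(3)]
    results.append(guard.attempt("alice", "correct horse battery staple"))  # locked
    clock.t += 61  # wait out the lock
    results.append(guard.attempt("alice", "correct horse battery staple"))  # ok
    return results


if __name__ == "__main__":
    print(run_demo())
```

A real deployment would add rate limiting by source address and an alert on repeated lockouts for one account, but the core point of the thread stands: counting failures and locking temporarily bounds online guessing without handing attackers a cheap permanent denial of service.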