I had to call my bank (Fidelity) for something, and when I got on the phone, their automated voice menu thing said "please enter your online username".
What? My username is alpha-numeric, but all I have here is a 9-digit phone pad. But I did it, just spelling out the word (which does include numbers, which I just typed).
Then it says "enter your password"!?! WTF? Enter my password? That has mixed case?!? HTF do I do that? But I just entered it.
"Thank you" it says, and it connects me.
HTF does that work?!?
So thinking about it for a minute, I suspected that their whole back-end just converts your username and password to the equivalent phone keys and stores them as a number. Like if your password is "LoVe" it just stores it as 5683. So I tried it: I converted my username and password to a whole bunch of other random things that have the same phone keys and voilà! It worked! I was able to log in online!
That's seriously messed up. You give people usernames and passwords with seemingly 62^n combinations and then you convert it to decimal, which is only 10^n?!? That cuts the length of their password by almost a factor of 2. For example, if you have a seemingly-secure 9-character mixed-case alpha-numeric password, then when converted to decimal it actually only has the same security as a 5-character mixed-case alpha-numeric password. Most banks don't even allow you to enter a 5-character password because it's so insecure.
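To make the collapse the post describes concrete, here is an added example (my own code, not anything from the post or from the bank) that models a keypad-collapsing credential store. It assumes the standard ITU E.161 letter groups (2=ABC ... 9=WXYZ), since the post does not name the mapping, and it enumerates every mixed-case alphanumeric string that collapses to the same digits, then compares the entropy of a 10-symbol digit string with that of a 62-symbol password.

```python
import math
from itertools import product

# Standard phone keypad letter groups (ITU E.161); assumed, the post does not
# state which mapping the bank uses. Keys 0 and 1 carry no letters.
KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
LETTER_TO_KEY = {ch: key for key, letters in KEYPAD.items() for ch in letters}


def to_keypad(secret: str) -> str:
    """Collapse a username/password to the digits a phone keypad produces.

    Letters of either case map to their key; digits pass through unchanged.
    Anything else has no keypad equivalent, so we refuse it rather than guess.
    """
    out = []
    for ch in secret:
        lower = ch.lower()
        if lower in LETTER_TO_KEY:
            out.append(LETTER_TO_KEY[lower])
        elif ch.isdigit():
            out.append(ch)
        else:
            raise ValueError(f"no keypad equivalent for {ch!r}")
    return "".join(out)


def _choices_for_digit(d: str) -> str:
    """Every mixed-case alphanumeric character that collapses to digit d."""
    letters = KEYPAD.get(d, "")
    return d + letters + letters.upper()


def preimages(digits: str):
    """Yield every mixed-case alphanumeric string that collapses to `digits`.

    This is the set of 'other random things' the post says also logged in.
    """
    for combo in product(*(_choices_for_digit(d) for d in digits)):
        yield "".join(combo)


def equivalence_class_size(secret: str) -> int:
    """Number of distinct strings that collapse to the same digits as `secret`."""
    n = 1
    for d in to_keypad(secret):
        n *= len(_choices_for_digit(d))
    return n


def weak_login(stored_digits: str, attempt: str) -> bool:
    """Model of a back end that stored only the keypad-collapsed credential.

    Any member of the equivalence class authenticates, which is the flaw.
    """
    return to_keypad(attempt) == stored_digits


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random string over `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def equivalent_length(length: int, alphabet_size: int = 62) -> float:
    """Length of an `alphabet_size`-symbol password whose entropy equals that
    of `length` keypad digits (a 10-symbol alphabet)."""
    return entropy_bits(length, 10) / math.log2(alphabet_size)


if __name__ == "__main__":
    stored = to_keypad("LoVe")                      # the post's example: 5683
    print("stored form:", stored)
    print("class size:", equivalence_class_size("LoVe"))
    print("'Jove' accepted?", weak_login(stored, "Jove"))
    print("9 mixed-case chars as digits ~", round(equivalent_length(9), 2), "chars")
```

Running it shows that "LoVe" and "Jove" (and 2,399 other strings) all authenticate against the stored 5683, and that nine collapsed characters carry the entropy of roughly five characters drawn from the full 62-symbol alphabet, which matches the post's estimate. The defensive point is that the web login must verify the full-alphabet credential (ideally a salted password hash) and the phone channel must use its own separately enrolled numeric PIN; a single store that keeps only the keypad-collapsed form weakens both channels to the digit-only space.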