
Good find. I use Gandi for some domains, and was curious how they truncate passwords (wtf?) so I tested it by creating a new account with a spare gmail address. The registration page says your pwd must be between 6 and 16 characters, so I tested what happens if you register with a pwd > 16 chars.

I registered the 26 letters of the alphabet for my password, and then tested re-logging in with the full 26 char version, the 26 char version + 1 char (a), the first 17 characters, the first 16 chars, and the first 15 characters.

abcdefghijklmnopqrstuvwxyza

abcdefghijklmnopqrstuvwxyz

abcdefghijklmnopq

abcdefghijklmnop

abcdefghijklmno

None but the original 26 character password worked, so apparently they don't truncate passwords at all, they're probably just hashing it down to 16 characters or whatever in the database, then comparing hashes on login attempt.

Their support guy is just playing fast and loose with the word truncate.
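To make the inference in the post concrete, here is an added example (not the commenter's code, and nothing to do with Gandi's actual implementation) that models both server-side behaviours and replays the same five login attempts. Salted PBKDF2 is an assumption standing in for whatever the real site uses; the point is only that a prefix-truncating store accepts the 17-, 16- and 27-character variants while a full-length hash accepts only the exact registration password.

```python
import hashlib
import hmac
import os

# The registration password and the four variants from the post
# (constructed here from the commenter's description).
REGISTERED = "abcdefghijklmnopqrstuvwxyz"
PROBES = {
    "26 + 1 char": REGISTERED + "a",
    "full 26": REGISTERED,
    "first 17": REGISTERED[:17],
    "first 16": REGISTERED[:16],
    "first 15": REGISTERED[:15],
}


def _digest(password: str, salt: bytes) -> bytes:
    # Assumed KDF; any salted hash would do for the comparison below.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class PasswordStore:
    """Holds one salted hash. max_len=N models a server that silently
    truncates to N characters before hashing; None hashes the whole string."""

    def __init__(self, max_len=None):
        self.max_len = max_len
        self.salt = os.urandom(16)
        self.stored = None

    def _normalize(self, password: str) -> str:
        return password if self.max_len is None else password[: self.max_len]

    def register(self, password: str) -> None:
        self.stored = _digest(self._normalize(password), self.salt)

    def login(self, password: str) -> bool:
        candidate = _digest(self._normalize(password), self.salt)
        return hmac.compare_digest(self.stored, candidate)


def run_probes(store: PasswordStore) -> dict:
    """Register the 26-letter password, then try each variant; True = accepted."""
    store.register(REGISTERED)
    return {label: store.login(pw) for label, pw in PROBES.items()}


def truncation_observed(results: dict) -> bool:
    # The commenter's inference: if anything other than the exact password
    # logs in, the server is only comparing a prefix.
    return any(ok for label, ok in results.items() if label != "full 26")
```

Running `run_probes(PasswordStore(max_len=16))` shows what real truncation would have looked like; `run_probes(PasswordStore())` reproduces what the commenter actually saw.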
