Blog: HMRC 12 character password limit

Today we had an issue filing our PAYE via HMRC's own PAYE Tools.  OK, it doesn't work on Linux (even though they say it does - too many build dependencies which are impossible to satisfy - perhaps it would be better to put it on Java).  So we settled on having to use Windows, but it still wouldn't work.

We kept getting a password error.

Now, we file our VAT each quarter without a problem, so I logged in via the browser.  No problem at all.  But the PAYE Tool wouldn't have any of it.  What to do but phone up the help line and spend 20 minutes listening to a half-friendly voice saying "By the way, did you know you can do all of this online."  "By the way," I explained to the machine, "go away, I want to speak to a person."  Finally, a person came on the line.

Now, remember, this is a technical help line we were calling and the first question we were asked was whether we'd cleared our password cache on the browser.

"But I'm not logging in via the browser," I explained ever so patiently, "I'm trying to log in via your PAYE tool."

"Ah, but you still need to clear your browser password cache," came the reply.

I wasn't going to do it without a fight.  Nothing, absolutely nothing should have permission to access a browser's password cache without it being inside the browser and having authority to do so (which usually means you giving specific permission to your browser to do so).  If HMRC had figured out how to do this in Internet Explorer, then they would have opened the ever so biggest gaping security hole ever.

"Look," I said, "what platform is the PAYE Tool built on?  Because I don't see it running inside a browser, and if it isn't running inside a browser then it has nothing to do with the password cache."

There was a silent pause and an "I'll come back to you."  So I went on hold yet again.

Just to humour them I made the most of this additional time (and to keep my mind off the 5p per minute this was costing me) by clearing the browser cache and resubmitting the form.  As expected it wouldn't go.

Finally, the operator came on the line.  "Could you tell me," they asked, "how long your password is?"

"13 characters," I replied.

"Well, that's your problem.  You're only allowed 12."

"*W*T&*F*$&***"...

"Only 12?" I said.  "Wait a minute, I get in quite happily on the browser with 13."

"That's because that system ignores anything above 12."

"So you mean you're taking my strong password and then just truncating it - on one system only?"  I asked incredulously.

"Yes," came the reply - as if I was the stupid one.

So now I'm all the wiser.  HMRC only allows passwords of 8 to 12 characters in length for a system used by millions of users with multiple entry points.  And if your password is too long, they discard the rest of it - however strong you think you've made it.  I've never heard of anything so ridiculously dumb in my IT life.
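
The mismatch described on the call, as an added example (not from the original post and not HMRC's code): one entry point truncates the password to 12 characters before checking it and the other sends it whole, so the same 13-character password passes in one place and fails in the other. The function names, the PBKDF2 hashing, the sample password and the 64-character ceiling in the corrected rule are all assumptions made for illustration.

```python
import hashlib
import hmac

MAX_LEN = 12  # the limit quoted by the help line


def _derive(password: str, salt: bytes) -> bytes:
    # Hypothetical storage scheme; the post does not say how passwords are stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def enrol(password: str, salt: bytes) -> bytes:
    # Assumed: the stored credential is built from the truncated password.
    return _derive(password[:MAX_LEN], salt)


def web_login(password: str, stored: bytes, salt: bytes) -> bool:
    # Browser entry point: silently drops everything after character 12.
    return hmac.compare_digest(_derive(password[:MAX_LEN], salt), stored)


def tool_login(password: str, stored: bytes, salt: bytes) -> bool:
    # Desktop tool entry point: submits the password exactly as typed.
    return hmac.compare_digest(_derive(password, salt), stored)


def validate_strict(password: str, min_len: int = 8, max_len: int = 64) -> str:
    # Corrected rule shared by every entry point: reject, never truncate.
    if not min_len <= len(password) <= max_len:
        raise ValueError(f"password must be {min_len}-{max_len} characters")
    return password


def demo() -> dict:
    salt = b"constructed-salt"      # constructed sample value
    password = "Tr0ub4dor&3xy"      # constructed, 13 characters
    stored = enrol(password, salt)
    return {
        "web_full": web_login(password, stored, salt),
        "tool_full": tool_login(password, stored, salt),
        # Any tail after character 12 is accepted by the truncating path.
        "web_other_tail": web_login(password[:MAX_LEN] + "ZZZ", stored, salt),
        # The tool only works once the user types the first 12 characters.
        "tool_first_12": tool_login(password[:MAX_LEN], stored, salt),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```
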
