In password security, the longer the better. With a password manager, using more than 24 characters is simple. Unless, of course, the secure password is not accepted due to its length. (In this case, through STOVE.)
Possibly indicating cleartext storage of a limited field (which is an absolute no-go), or suboptimal or lacking security practices.
At least they tell you. I signed up with websites that just cut the password after the 12th character. No way of signing in with the password again (not without trying a couple of times, at least)
when you varchar(24) and forget about the hash
I like it that the site says the max length…this is not common. I wish it was.
The problem is a password hash is a fixed length regardless of the password, so if this is implemented correctly there is no need for a maximum password length. These things raise my security flag because it makes me think they are storing the password in plain text instead of doing proper practice and storing the hash only.
One of the accounts that I have to use at my job is like this but much much worse. It only accepts letters and numbers, no capitalization, no symbols and can only be 8 digits long maximum. It’s like they want to account to be easy to compromise.
That sounds like the limitations of an ancient mainframe system. If so, then someone trying to brute force their way in would be more likely to crash the system instead.
i once used 20 for a bank. the website havent told me it was too long just clipped off 2 and accepted the rest. not even the banking support was able to help me. took me a few days to solve this by accident.
This shit always pisses me off. I’ve encountered it in like 2-3 places over the years since I started using a password manager, and every time it’s so frustrating and hard to figure out.
That must have been frustrating. How many times did it lock you out from trying again?
If I have to create a password Ill need to remember and don’t have access to my password manager for whatever reason I have a long phrase that’s my go to but I have a system about adding numbers and characters to it based on the context of the log in. Sites with character limits really fuck that up.
You’ve got to stop all those who put: abcdefghijklmnopqrstuvwxyz
That’s my password for most things, any hackers die of RSI before they get in.
It’ll be caught by a dictionary attack. at least do something to break up their sequential order.
I don’t have it in me
At least they tell you. I’ve had inputs take the full password and then truncate it silently, so you don’t actually know what they saved. Then, you try to login and they tell you wrong password.
I once encountered a system that truncated your submitted password if you logged in through their app, but not through their website. So you would set your password through the website, verify that the login was working (through the website) and then have that same login fail through the app.
Yes I’ve had issues with this as well, since I’m a child I’ve set my password generator length at 69 characters… A small trick I’ve found is to delete and rewrite the last character of one of the two repeated passwords since often the validity check gets triggered on write but not on paste
The password should be hashed anyway, which has a fixed output
But there must be a (long) max length anyway, to prevent some kinds of attacks.
Long here means a 400 page book as a password.
One of the older, but still usable password hash uses only 72 characters iirc.
I think if people have 400 page book long passwords it doesn’t really need a unique hash
My worst experience so far was a webpage that trimmed passwords to 20 characters in length without telling you. Good luck logging in afterwards…
One of my favorite memories of how much Something Awful’s sysadmins were absolutely amateur hour back in the early 2000s was the “lappy” to “laptop” debacle. Apparently Lowtax found the term “lappy” so annoying that he ordered his system administrator to do a find/replace for every instance of “lappy,” replacing them with “laptop.”
Unfortunately this included usernames and passwords, as well as anything that just managed to have the letters “lappy” in that order anywhere in the word. So, there was one user named ‘Clappy’ who woke up one day to find his name changed to ‘Claptop.’ Apparently this is also how people discovered that they were storing password unsalted in plain text in a fucking MySQL database, which if you’re old enough, you probably already remember that the combination of MySQL and PHPmyAdmin were like Swiss cheese when it comes to site defense. :p
Flaptop Bird
That must have done a lot of dawizard to their reputation.
As long as their login page also does that :p
I remember some office software that didn’t accept certain special characters but didn’t tell the user and just accepted the new password. I had to bother IT support many times to reset my password.
Common mistake for amateurs that found a password library and used it without reading the documentation. E. g. bcrypt will tell you to salt and hash the password before digesting it into constant length output for your database.
Salting before doing anything else is basic password security. I assume the webpage in question doesn’t do that, either.
We have a customer, a big international corporation, that has very specific rules for their intranet passwords:
- Must contain letters
- Must contain numbers
- Must contain special characters
- No repeats
- Passwords must be changed every two months
- Not the same password as any of the last seven
- PASSWORDS MUST BE EXACTLY EIGHT CHARACTERS LONG
I can only assume that whoever came up with these rules is either an especially demented BofH, or they have some really really weird legacy infrastructure to deal with.
I am a designer, but I once did a project with a very very major and recognizable tech corporation that, no joke, implemented an 8 character limit on passwords for storage reasons.
This company made in the tune of tens of billions of dollars per year, and they were penny-pinching on literal bytes of data.
I can’t say who it is, but their name begins with ‘M’ and ends in ‘cAfee.’
If password length affects storage size then something has gone very wrong. They should be hashed, not encrypted or in plaintext.
I can’t say who it is, but their name begins with ‘M’ and ends in ‘cAfee.’
Whoever the company is, we have to assume it’s not a security-related company. Because, surely, none of those would do that ever.
I worked in IT for a big national company for a short time. Passwords rules were : at least 8 characters, at least one uppercase letter, at least one number, change password every 2/3 months and different than the 3 previous ones. Several workers had a post-it on the screen with the 4 passwords they use. One of them had name of child and year of birth, I don’t know if it was his children or his relatives’ children too.
No repeats??? Like, you cant have ‘aaaa123@’ as a password?
You’re just making it easier to brute force…
Since the password has to be changed every two months, I would assume that it means no repeating previously used passwords.
It also says “must not be the same as any of the last seven passwords used” so I can only take “no repeats” to mean no repeated characters.
Requiring passwords to be exactly 8 characters is especially ridiculous because even if they’re cheaping out on bytes of storage, that’s completely cancelled out by the fact that they’re storing the last seven passwords used.
You’re right, I didn’t noticed the 7 passwords line.
This seems to be very common still
I once registered an account with a random ~25 characters long password (Keepass PM) for buying tickets on https://uhuu.com.br/
The website allowed me to create the account just fine, but once I verified my e-mail, I couldn’t log into it due to there being a character limit ONLY IN THE LOGIN PASSWORD FIELD. Atrocious.
EDIT: btw, the character limit was 12
PayPal did the same. Registration took 40 characters, login only half of that. Editing the login form didn’t work unfortunately.
It’s pretty stupid because the longer the password the more secure it is.
I understand a cap of like 64 characters or something to keep storage space down for a company with millions of users. other than that it doesn’t make a ton of sense.
That is a huge red flag if ever given as a reason, you never store the password.
You store a hash which is the same length regardless of the password.Youre right lol. I forgot that hash lengths are different from the actually password length.
Although at some point you’ll get collisions, but I don’t think that’s actually an issue. It still equally hard to guess a password from the hash, there will just be some solutions that are much longer than others.
The cap should actually be due to the hashing algorithm. Every password should be the exact same length once it is salted and hashed, so the actual length of the password doesn’t make a difference in regards to database size. The hash will be a set length, so the storage requirements will be the same regardless. Hashing algorithms have a maximum input length. IIRC the most popular ones return a result of 64-255 characters, and cap at 128 characters for input; Even an input of just “a” would return a 64 character hash. But the salt is also counted in that limit. So if they’re using a 32 character salt, then the functional cap would be 96 characters.
Low character caps are a huge red flag, because it means they’re likely not hashing your password at all. They’re just storing them in plaintext and capping the length to save storage space, which is the first mortal sin of password storage.
You can easily get the hash of whole files, there is no input size constraint with most hashing functions.
Special password hashing implementations do have a limit to guarantee constant runtime, as there the algorithm always takes as long as the worst-case longest input. The standard modern password hashing function (bcrypt) only considers the first 72 characters for that reason, though that cutoff is arbitrary and could easily be increased, and in some implementations is. Having differences past the 72nd character makes passwords receive the same hash there, so you could arbitrarily change the password on every login until the page updates their hashes to a longer password hashing function, at which point the password used at next login after the change will be locked in.
You never store passwords. They should be hashed and salted.
I’ve had this exact same thing happen.
I’ve also had it happen where you have the two fields to verify the password is the same. One had a maxlength set in it, and the other didn’t. I was for sure entering the same password and I was so confused until I opened up the dev tools and inspected the inputs.
I’ve seen this behavior too, I forget where. For me it was a bit easier since the fields displayed a different number of stars. I did spend too long trying to figure out how my password manager could be failing that way
Some people even suggest typing a longer password over a simpler one with more special characters. It’s harder to brute force.
I thought the use vocabulary lookup tables effectively nullifies the entropy benefits, if everyone started using phrases as password
I don’t know enough to say how accurate the numbers are, but the sentiment stands - if it’s a password you’re memorizing, longer password will probably be better.
That’s not even the case though. Using a memorized passphrase that can be broken down into individual words is susceptible to dictionary attacks provided you know what the length of the password is. You can algorithmically sort away swathes of the dictionary based on how many likely word combinations exist before searching unusual word combinations. The thing is, passwords suck. It doesn’t matter how long the password is, if someone wants in, they’ll crack the password or steal it via some other means. Instead of relying on a strong password, you need to be relying on additional proof factors for sign in. Proper MFA with actual secure implementation is far more secure than any password scheme. And additionally, hardware key authentication is even more secure. If you are signing into an account and storing important data there, you do not want to rely on passwords to keep that data secure.
The reason for the character limit on passwords is often to prevent malicious attacks via data dumping in the password dialogue box. Longer numbers take more CPU cycles to properly salt and encrypt. Malicious actors may dump as many characters in a password system as they wish if they wanted to take down a service or at least hurt performance.
Additionally, even if you just used lowercase letters, an 18 character password would take 12 RTX 5090s approximately 284 thousand years to crack according to the recent Hive Systems report.
24 characters is more than enough to be secure as far as passwords alone go. Just know that, nobody is out here brute forcing passwords at any length these days, there are infinite more clever ways of hacking accounts than that.
Assuming the attacker knows it’s a phrase: The english language alone apparently has some 800.000 words. 800.000^6 = 2*10^35 combinations in a dictionary attack. That’s comparable to 18 random ASCII characters. We might also be using a different language, or a combination of languages, or we might deliberately misspell words.
A long string of random characters will give you more combinations per password length, but there are some passwords you just need to be able to memorize, and I’d say that’s more likely with the 6 words.
