Last week, I tried to register for a service and was really surprised by a password limit of 16 characters. Why on earth yould you impose such strict limits? Never heard of correct horse battery staple?
You must log in or register to comment.
The answer is always a poorly coded database. :(
What? The password should only receive the hashed password, and that’s gonna have a fixed length. What’s stored in the db should have the exact same length whether the password is 2 characters long or 300. If the length of the password is in any way a consideration for your database, you’ve royally fucked up long before you got to that point.
You are expecting a lot from someone who thinks a password needs a low maximum length. It makes sense to limit password length to avoid dos attacks, but certainly to something longer than 16.
There are going to be very few hashing algorithms that can take a certain byte value and hash it down into a unique smaller byte value. If you miscoded the database and stored the hashed passwords into a value of a fixed length, you have to abide by that length without some trickery or cleaveriness. Is that not the case? Every time I’ve seen this limitation in wild code that has been the case.
That’s true. But fortunately even the most basic hashing algorithms are more than enough to make worrying about these things pointless when it comes to passwords. You have to poorly implement everything by hand and make a series of bad calls to run into any issues.
The answer is always a poorly coded everything.
“Your password may not contain any quotes or backslashes”
A prominent Australian bank has these requirements:
For Internet Banking, your password must be six to eight characters long.
To improve security, it should:
contain both numbers and letters.
include upper and lower-case letters (your password is case sensitive).8??? For banking? I haven’t used less than like 16 in at least 5, maybe 10 years. Jeez.
8 character max means they’re running it on a mainframe I think, though I don’t know enough about mainframes to know if this is a normal level of bad or really bad
Could be (probably still is) running COBOL. It’s a combination of “if it works and costs money to upgrade, why change” but mostly “if we migrate one thing it will break five other things”.
Yep, that sounds like old bank tech to me
I used to have to use a government-run website that required passwords to be exactly 8 characters
A lot of older systems I worked on had password requirement of exactly 7 characters, no special characters, no numbers and no upper case. Must have been interesting times in security when those systems were made.
How about a bank app that requires 6 numbers password (not the app PIN, but the user account’s password).
Dammit, I just spent 5 minutes rolling dice and flipping through a binder. One of us takes this shit seriously.
How to properly set password requirements on your website. Accept any utf8 string. Have a nice day.
It’s all fun and games until someone realizes they can just create lots of accounts with large passwords and fill your space.
Not a problem because passwords are hashed, which means they take up a fixed size, and you should have form upload size limits anyway.
hashed, which means they take up a fixed size
One would hope so anyway,
you should have form upload size limits
The above conflicts directly with OP’s
Accept any utf8 stringOk. Take up to 65,536 bytes of utf8 string. Or better yet. Accept any password length. I mean any. But instead of transmitting it you bcyrpt on their machine and then use the resulting key to hmac sign a recent timestamp that can’t be reused.
I opened an account in 2014 and I’m still uploading my password.
If you aren’t required to use an upload manager, are you really setting a solid password :thinking:
Can’t trust an upload manager not to be hacked. I employ a team of typists in India.
This one time I got this catch22 situation with a service… Turned out password reset in the Android app accepted 32 characters but in the browser less.
Happened to me a couple days ago when resetting a password for Paypal. The browser limit was 20 characters for the 2nd password box but had a higher limit for the first password box.
Though, it appears they recently modified the form to pop up with an “Enter a shorter password” message. With that being said, PayPal has apparently always had shitty password policies.
This is my biggest pet peeve. Password policies are largely mired in inaccurate conventional wisdom, even though we have good guidance docs from NIST on this.
Frustrating poor policy configs aside, this max length is a huge red flag, basically they are admitting that they store your password in plan text and aren’t hashing like they should be.
If a company tells you your password has a maximum length, they are untrustable with anything important.
I am now very concerned about a certain medical implant device company
“If a company tells you your password has a maximum length…”
Uhhh no. Not at all. What so ever. Period. Many have a limit for technical reasons because hashing passwords expands their character count greatly. Many websites store their passwords in specific database columns that themselves have a limit that the hashing algorithm quickly expands passwords out to.
If you plan your DB schema with a column limit in mind for fast processing, some limits produce effectively shorter password limits than you might expect. EVERYONE has column limits at least to prevent attacks via huge passwords, so a limit on a password can be a good sign they’re doing things correctly and aren’t going to be DDOS’d via login calls that can easily crush CPUs of nonspecialized servers.
Why not just store the first X characters of the hashed password?
The hash isn’t at all secure when you do that, but don’t worry too much about it. GP’s thinking about how things work is laughably bad and can’t be buried in enough downvotes.
Where can I read more about how it’s not secure?
The Wikipedia article is probably a good place to start: https://en.wikipedia.org/wiki/Cryptographic_hash_function
Though I’d say this isn’t something you read directly, but rather understand by going through cryptographic security as a whole.
To keep it short, cryptographic hashes make a few guarantees. A single bit change in the input will cause a drastic change in the output. Due to the birthday problem, the length needs to be double the length of a block cipher key to provide equivalent security. And a few others. When you chop it down, you potentially undermine all the security guarantees that academics worked very hard to analyze.
Even a small change would require going to a lot of work to make sure you didn’t break something. And when you’ve read up on cryptography in general and understand it, this tends to be an automatic reflex.
None of which really matters. GP’s big assumption is that the hash size grows with input size, which is not true. Hash size stays fixed no matter the input.
Can you not simply have a hashing algorithm that results in a fixed length hash?
That would be all of them, yes.
It doesn’t matter the input size, it hashes down to the same length. It does increase the CPU time, but not the storage space. If the hashing is done on the client side (pre-transmission), then the server has no extra cost.
For example, the hash of a Linux ISO isn’t 10 pages long. If you SHA-256 something, it always results in 256 bits of output.
On the other hand, base 64-ing something does get longer as the input grows.
Hashing on the client side is as secure as not hashing at all, an attacker can just send the hashes, since they control the client code.
Then you can salt+hash it again on the server.
Hashing is more about obscuring the password if the database gets compromised. I guess they could send 2^256 or 2^512 passwords guesses, but at that point you probably have bigger issues.
It’s more about when a database gets leaked. They then don’t even have to put in the effort of trying to match hashes to passwords. And that’s what hashing a password protects against, when done correctly.
Just in case someone runs across this and doesn’t notice the downvotes, the parent post is full of inaccuracies and bad assumptions. Don’t base anything on it.
Oh I had the same thought. Whoever limits password length probably has many other shitty security practices.
True!
If a company tells you your password has a maximumn length, they are untrustable with anything important.
I would add if they require a short “maximum length.” There’s no reason to allow someone to use the entirety of Moby Dick as their password, so a reasonable limit can be set. That’s not 16 characters, but you probably don’t need to accept more than 1024 anyway.
Why not? You’re hashing it anyways, right?
Right?!
Bcrypt and scrypt functionally truncate it to 72 chars.
There’s bandwidth and ram reasons to put some kind of upper limit. 1024 is already kinda silly.
Sure but if my password is the entire lord of the rings trilogy as a string, hashing that would consume some resources
I think there are other problems before that 😂
Of course, but if you’re paying for network and processing costs you might as well cap it at something secure and reasonable. No sense in leaving that unbounded when there’s no benefit over a lengthy cap and there are potentially drawbacks from someone seeing if they can use the entirety of Wikipedia as their password.
You can also hash it on the client-side, then the server-side network and processing costs are fixed because every password will be transmitted using same number of bytes
You still need to deal with that on the server. The client you build and provide could just truncate the input, but end users can pick their clients so the problem still remains.
The server can just reject any password hash it receives which isn’t exactly hash-sized.
That would take care of it, you do nead to salt & hash it again server side ofc.
I wonder if a lot of it is someone using their personal experience and saying “just a little bigger ought to cover it”
When I used my own passwords, I rarely used more than 12 characters, so that should be enough
All the password generators I’ve used default to about 24 chars, so 30 ought to be enough for anyone
you probably don’t need to accept more than 1024 anyway.
OWASP recommends allowing at least 64 characters. That would cover all of my passphrases, including the ones that are entire sentences
If a company tells you your password has a maximum length, they are untrustable with anything important.
Lemmy-UI has a password limit of 60 characters. Does that make it untrustworthy?
It being open source helps because we can confirm it’s not being mishandled, but it’s generally arbitrary to enforce password max lengths beyond avoiding malicious bandwidth or compute usage in extreme cases.
OWASP recommendation is to allow 64 chars at least:
Maximum password length should be at least 64 characters to allow passphrases (NIST SP800-63B). Note that certain implementations of hashing algorithms may cause long password denial of service.
The lemmy-UI limit is reasonably close and as everything is open source, we can verifiy that it does hash the password before storing it in the database.
There is a github issue, too.
also, if they think a strong password is only about types of characters. a dozen words from as many languages and 5+alphabets is just as good!
its to the point I don’t bother remembering my passwords anymore, because this bullshit makes user-memorable-hard-to-machine-guess passwords impossible.
The number of government websites that I’ve encountered with this “limitation.” Even more frustrating when it’s not described upfront in the parameters or just results in an uncaught error that reloads the page with no error message.
Or accepts and silently truncates it 🤬
bcrypt has a maximum password length of 56 to 72 bytes and while it’s not today’s preferred algo for new stuff, it’s still completely fine and widely used.
Wait, really? I always thought bcrypt was just a general-purpose hash algorithm, never realized that it had an upper data size limit like that.
I got this from a bank. A BANK. Not only was it limited to 12 characters. THEY ALSO LIMITED THE SPECIAL CHARACTER SET.
I complained and was told, oh that’s why we have the security number for (a unchanging six digit code), and I’m like, that’s basically 1 password with 18 character limit and 6 of the characters are definitely numbers.
Not only that, 2FA is not available for logon, it just says “to authenticate certain types of Internet and Mobile Banking transactions”.
I couldn’t believe it. Surprise, surprise, there are no minimum password security regulations in Australia…
Fuck this! My bank has this, and not just that, the limit is 6 digits, that’s right, only digits and only 6 of them.
My balance is harder to guess than my password (if you include cents)
Fuck!
Use a different bank.
All of them do this where I’m based. 4 to 6 digits is common.
Online bank an option?
I’m talking about online banks. Not even worth engaging with the others.
Drives me nuts when this happens.
Eons ago, I got an account for using a software on an IBM mainframe. Keep in mind that the machine used masks with fixed-width text fields on the terminal (TN3270, IIRC), even for the login mask. Being security cautious, the first thing I did after login was to change my password. The “change password” mask allowed for passwords of up to 12 characters, which I used freely. I logged out, got back to the login mask - which only allowed for an eight character password…
worst i’ve seen is 8 characters. precisely 8 characters, no more no less… it was for a bank …
No no, not 8 characters, 8 numerical characters!
Whoa whoa whoa, did you use two of the same number in a row? Insecure!
Is that a sequence? No way, José!
Numerical Chateaubriand*, and total sum must be less than 3.
* okay Google, if that’s what you really think I meant to type.
The fact that it was a power of 2 makes me suspect lazy coding. That bank didn’t pay its programmers well enough.
maybe they store the entire password as a u64 and bitmask out each character
Banks don’t have much money for paying people, methinks. They’re famously poor practically non-profits.
A major US bank that I used to use has case insensitive passwords, found that out one day when I noticed caps lock was on after logging in with no trouble
Makes you wonder if they store the password in plain text, or convert to lower key during your first input so it’s at least hashed. I wouldn’t be surprised if it’s not.
they store the passwords as filenames on a windows system
Put a colon in your password and crash the whole system
set your password as
GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}for infinite money glitch
I don’t think it could be hashed if it is case insensitive. It’s fairly early so I may be misremembering but I’m not aware of any hashing algo that ignores case.
Edit: Ah, actually they could be storing the password as a hash, but they would probably have to do like a
password. ToLower()call or something where they morphed the string before checking… The thought of which just makes me shudder.
I had to make a 10 character password for Santander
Early 2000s internet banking was a trip.
i think this was about a year ago when they changed it…
Ha. I had the same thing, with a government-run student loan website
ADD FIELD PASSWORD VARCHAR(16)SELECT * FROM users WHERE name = "$name" OR password = "$password"sqlquery = "INSERT INTO users (username, password) VALUES ('" + username + "', '" + password + "')"What could go wrong?
deleted by creator
Christopher Null feels his pain.
Password=a");drop table users;–
Alas, it’s longer than 16 characters. Protection works!
They often don’t allow semicolons but it’s never stopped me from checking
I had to make an account the other day with the absolute worst password requirements I’ve ever seen:
When I was working on a password system a few years ago, I found some amazingly bad password requirements. One that stuck with me was it couldn’t contain any two digit years (e.g. 08).
I’ll also leave this here: https://dumbpasswordrules.com/sites-list/
That sounds like a rule from The Password Game
Do you know the password game?
The digits in your password must add up to 25.
Yeah but the stakes are higher in Jersey you can get fined or even jail for messing up that password.
I am now even more relieved that the NJ courts have removed me permanently from jury duty, so my chances of interacting with that entire nonsense has gone down. A bit. Just a bit down.
Now I just must try to not be taken to court or take one to court.
This is where hiding inside might help.
Ugh, I’m unfortunately even more bothered by the random extra spaces at the start of the first and last requirements than I am by the security horror.
similarly:
make a new account
use password manager to generate a strong random password
“your password must contain at least one special character (! @ # $ % ^ or &)”
but not 2! and not THAT special character! and…
“Ope, sorry, that password is already in use by [email protected]. Please choose a different one!”
OOPS we think this password is too long for you to remember, try again! and change it again in a month. your best buy account that we forced you create and are going to have a data breach on in about fifteen minutes is VERY IMPORTANT AND MUST BE SECURE
I would thank you to quit publishing my email address in public forums for no reason.
I just reset my password with Southwest Airlines today. They had both the stupid 16 character limit and the stupid list of permitted special characters. But they also had the perplexing criterion that the first character of the password specifically couldn’t be one of those permitted special characters.
Literally why.
Poor input sanitization probably.
I’m not saying it was a soft rule where the form refused to validate my input. It was an actual, fully-described rule in the bulleted list among the other rules. For whatever reason they specifically went out of their way to enforce it. And I cannot fathom why they would.
I understood what you meant, it doesn’t change my answer though
The back-end environment could have at least a few ways to screw things up if, for example, they were passing the password thru a shell script to hash it and had poor sanitization of the input
!, #, and $ can be particular troublemakers at the start of a string, there’s probably more I’m not aware of too.
when CEOs make security policy.
Your password must contain at least one swear word.
I hate that, why can’t I use something like £ or Ł?
