In password security, the longer the better. With a password manager, using more than 24 characters is simple. Unless, of course, the secure password is not accepted due to its length. (In this case, through STOVE.)

Possibly indicating cleartext storage of a limited field (which is an absolute no-go), or suboptimal or lacking security practices.

  • HubertManne
    7
    6 days ago

    Oh. This has been a big pet peeve of mine for a while. After starting to use password managers I figured I would standardize on the largest required characters, only to find a source whose maximum characters were lower than another's minimum characters.

    • @[email protected]
      3
      (edited)
      5 days ago

      I don’t understand rule 5. “Digits shall add up to 25.” I have a 1 and a 24, and it doesn’t accept it :(
      Figured it out, it adds digits, not numbers.

    • @[email protected]
      2
      (edited)
      2 days ago

      When that was first making the rounds I shared it with my coworkers. Most of my coworkers enjoyed it for a few minutes, then moved on. One of my coworkers sent me a Teams message 3 days later with the win message.

  • @[email protected]
    1
    5 days ago

    I decided to be a smartass once and made a 63 character long password.

    It wasn’t too bad at a keyboard, though if you make a typo you’re screwed.

    Trying to use my AD account to access admin tools on a printer? I got it fixed, and immediately changed my password, lol.

  • @[email protected]
    9
    6 days ago

    The password on my PC is something like 30 characters long. Back when win10 was first coming out, they were pushing getting an actual outlook account and tying that to your login. I was hesitant at first, but figured I’d try it out and see how that worked for me.

    Turns out outlook accounts (at the time) had something like a 16 character limit on passwords. Bruh.

  • snooggums
    2
    (edited)
    6 days ago

    There was a game launcher for a popular game that required a minimum of 8 characters but only used the first 8 characters and it wasn’t case sensitive. So something like PassWord12345!? could be entered when changing the password, but you could sign in with any of the following:

    • password1234
    • PassWord123499(#$%
    • Password12345!?
    • passWord12345!
    • pASSword12345?!
    • PassWord123499(#$%
    • password

    I haven’t logged in for years so I’m not sure if it is still working that way.

  • The Infinite Nematode
    37
    6 days ago

    My mum told me the other day she logged onto a new bank, gave it a 12 character password, then couldn’t get back in after. When she got through to their customer services they said that there was an 8 character password limit (!), but it just never said so on the register screen.

    • @[email protected]
      23
      (edited)
      6 days ago

      Yeah, I’d be doing that bank if there’s any choice.

      Edit: Leaving (my attention got taken away as I posted)

    • @[email protected]
      8
      5 days ago

      Microsoft does this to our users at my job. They go to change their password and it won’t accept it, but won’t tell them what the requirements are. “Your password doesn’t meet our criteria.” Okay, so what are you looking for???

      Worst is that there seems to be a soft block at some point and instead of telling them that, it shows this dumb error instead over and over again no matter what password they choose.

  • Skull giver
    2
    6 days ago

    Sounds like they’re using bcrypt. Feeding more than 24 UTF-8 characters into bcrypt won’t do anything useful. You can permit longer passwords (many sites do) but they’d be providing a false sense of security.

    Bcrypt is still secure enough and 24 characters are fine as long as they’re randomly generated by your password manager.

      • Skull giver
        2
        5 days ago

        The specification of the algorithm specifies up to 56 bytes, including a null terminator. If you’re using UCS-2 (2+ bytes per character, like Windows, Java, JavaScript, and more languages and platforms do), that’s 27 characters (can’t use the last half-byte character pair). Add some margin for extended characters (emoji and such) and you’ll end up just above or below 24. With UTF-8 you can end up doing much better (exclusively Latin-1) or much worse (exclusively non-Latin character sets). Verifying that on the frontend is a massive pain (string length in JS is unreliable) and dynamically switching codecs is a recipe for bugs and security leaks.

        The 72 byte limit is the result of the internal workings of most bcrypt algorithms, but if you ever switch implementations you need to make sure that implementation doesn’t change the internal workings if you rely on details like that. If the stars align you can use 71 characters (72 if you use Pascal strings), but that’s far from a given.

        • @[email protected]OP
          1
          5 days ago

          No, it does not take up more space for ASCII characters.

          If you want a source, Wikipedia

          the first 128 characters of Unicode, which correspond one-to-one with ASCII, are encoded using a single byte with the same binary value as ASCII
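The byte-versus-character question argued in the replies above, worked through as an added example that is not code from the thread. The figure that matters in practice is the 72-byte input limit of the common bcrypt implementations (some count a trailing NUL inside those 72, so 71 is the safe ceiling); bcrypt keys on the UTF-8 bytes, where ASCII costs one byte per character, accented Latin letters two and most emoji four. The block below models that truncation without needing the bcrypt package, shows the classic 8-character DES crypt(3) limit for comparison, and implements the standard fix of pre-hashing with HMAC-SHA-256 and base64 so that every character of a long password reaches the hash. The names, the `pepper` secret and the sample passwords are assumptions for the demo.

```python
# Added example, not code from the thread: what a typical bcrypt implementation
# actually sees of a password, and a pre-hash that sidesteps the limit.
import base64
import hashlib
import hmac

BCRYPT_MAX_BYTES = 72    # most bcrypt implementations key on at most 72 bytes
DES_CRYPT_MAX_CHARS = 8  # classic Unix crypt(3): first 8 characters only


def bcrypt_effective_input(password: str) -> bytes:
    """Bytes a typical bcrypt implementation keys on.

    bcrypt consumes UTF-8 bytes, not characters: ASCII is 1 byte each,
    'é' is 2, most emoji are 4. Anything past 72 bytes is silently dropped;
    implementations that count a trailing NUL inside the 72 keep one byte
    less, so treat 71 bytes as the safe ceiling.
    """
    return password.encode("utf-8")[:BCRYPT_MAX_BYTES]


def surviving_chars(password: str) -> int:
    """How many leading characters of `password` still influence a bcrypt hash."""
    # 'ignore' discards a multi-byte character cut in half by the byte limit
    return len(bcrypt_effective_input(password).decode("utf-8", "ignore"))


def bcrypt_equivalent(a: str, b: str) -> bool:
    """True when bcrypt would verify either password against the other's hash."""
    return bcrypt_effective_input(a) == bcrypt_effective_input(b)


def des_crypt_effective_input(password: str) -> bytes:
    """Classic DES-based crypt(3) uses only the first 8 characters (low 7 bits each)."""
    return bytes(b & 0x7F for b in password.encode("utf-8")[:DES_CRYPT_MAX_CHARS])


def prehash_for_bcrypt(password: str, pepper: bytes) -> bytes:
    """HMAC-SHA-256 the password and base64 it before handing it to bcrypt.

    The result is always 44 ASCII bytes, so it never hits the 72-byte limit,
    every character of an arbitrarily long password affects the hash, and
    base64 keeps NUL bytes out of the bcrypt input. `pepper` is an assumed
    server-side secret kept outside the database.
    """
    digest = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest)


if __name__ == "__main__":
    long_pw = "correct horse battery staple " * 3          # 87 ASCII characters
    grin = "\U0001F600"                                    # one emoji, 4 UTF-8 bytes
    print(surviving_chars(long_pw))                         # 72
    print(surviving_chars(grin * 24))                       # 18
    print(bcrypt_equivalent(long_pw, long_pw[:72]))         # True: the tail is ignored
    print(des_crypt_effective_input("PassWord12345!?"))     # b'PassWord'
    print(len(prehash_for_bcrypt(long_pw, b"assumed-pepper")))  # 44
```

The pre-hash is only worth doing if the verify path applies the same HMAC and base64 before bcrypt, and the pepper must never be stored next to the hashes; rotating it means re-hashing everyone on next login. If you already enforce a byte limit instead, reject over-long input loudly at registration and login rather than letting the hash truncate it, which is exactly the silent failure this thread is complaining about.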

  • @[email protected]
    2
    6 days ago

    My best experience… They allowed me to set a 100-character password, but then changed the limits a year later, so that you couldn’t even log in anymore.

  • @[email protected]
    2
    6 days ago

    It can also be just a randomly chosen limit. I work as a software engineer on custom management software for a big client. For whatever reason, until recently the limit for email addresses in the master data was 50 characters. Why? No clue, but someone had decided that randomly in the past. Now it was increased to 100. Why again? According to RFC 5321 a limit of 254 would be the most sensible one. But the people who come up with those requirements just don’t care. They decided it to be 100 from now on for no apparent reason.

    Then we have many input fields that have a limit of 255 characters. Why not 256? Why such a weird number in general? The people who use this software in production are most likely not the ones who usually think in powers of two. So why not make it 250 or 300 or whatever?

    Sometimes those limits are just arbitrary with no technical or logical reason to back them up. Which doesn’t make it less stupid mind you.

    • troed
      2
      6 days ago

      a limit of 255 characters. Why not 256? Why such a weird number in general?

      255 chars + ‘\0’ = 256

      Not weird at all.

      • @[email protected]
        1
        6 days ago

        I see your point, but we have Java backends and strings there are not null terminated. Also I’m very sure that those would never be the reason for our Postgres server to run out of storage, so I don’t get why not make it more user friendly. We’re not implementing an embedded system where every byte of storage counts.

        • troed
          1
          6 days ago

          Agree, I was just commenting on why 255 in itself isn’t “weird”. I find myself doing comparisons of the “value == variable” type even in languages where you cannot assign by mistake. Some of us old farts code from muscle memory … :)

  • magic_lobster_party
    73
    6 days ago

    What’s more frustrating is when the password creation page silently cuts off too-long passwords and doesn’t inform you about it.

    • @[email protected]
      7
      6 days ago

      Back in the day, a long time ago, Unix would do that, and silently limit users to 8 characters.

      Which then wasn’t great, but a good password would be hard to break even at only 8 characters with equipment of the time.

      We would do a cracking test against the user passwords periodically and ding users who got cracked. Well one user was shocked because they thought their 16 character password was super secure and there’s no way we would crack it. So we cited her password and she was shocked she went through so much trouble only for the computer to throw away half her awesome password.

    • @[email protected]
      15
      6 days ago

      There’s a site I use that does that on the password reset page, but not when logging in. So when using a long password it’s as if the reset never works. Took me ages to figure out what was going wrong.

  • nelson
    4
    6 days ago

    You think that’s infuriating? Imagine having an ISP that wants you to pick a password of max 8 characters.

    • Sixty
      1
      6 days ago

      That was the insurance corp my career came bundled with for a decade until recently.

      Sunlife. Finally very slowly replacing their garbage old website.

    • Pika
      1
      (edited)
      5 days ago

      I’ll do you one better. The Target RedCard credit card doesn’t allow non-standard special chars, max I think it was 12 chars, and gets pissy at using known SQL special chars. If it wasn’t for the fact it required a credit check prior to getting to that screen I would have run so hard.

      What’s even more annoying is their password field says that it does support that, but if you try via the mobile app it errors out

        • Possibly linux
          2
          5 days ago

          In the US you can pull up the FCC broadband tracker to see what companies offer service

          • @[email protected]
            2
            5 days ago

            Sure but that doesn’t change the lack of competition. For my address, I have two non wireless providers, and one of them is copper only and capped at 50 down. So not a lot of choice if an ISP is screwing you.

            • Possibly linux
              2
              5 days ago

              That really sucks

              I feel like it is cases like that were community run infrastructure can really help. It provides decent service and puts pressure on the local ISP to do better.

  • @[email protected]
    8
    6 days ago

    When I banked with wells fucking fargo they had issues similar to this. I had something like a 16 character password and I once forgot the last character and it accepted it anyway, so there was some kind of character limit that they didn’t make obvious.

    I also had a time I accidentally had caps lock on, and my password still was accepted. Their passwords were not case sensitive even though their password screen says they were.
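Several posts in this thread describe the same two defects from the outside: a backend that keeps only the first N characters (the game launcher snooggums describes, the old 8-character Unix crypt, the bank that accepted a 12-character password and then rejected it), and one that compares passwords case-insensitively (the launcher again, and the Wells Fargo post above). The block below is an added example, not code from the thread, showing how a practitioner would measure both from the login side. Both backends are constructed stand-ins; the probe only needs a `login(candidate) -> bool` callable, so it can be pointed at a real form you are authorized to test. Prefix acceptance is monotone under truncation (a prefix is accepted exactly when it is at least as long as the kept part), so the effective length can be found by bisection in a handful of attempts instead of one per character.

```python
# Added example, not code from the thread: a black-box probe for silent
# truncation and case folding, run against two constructed stand-in backends.
import hashlib
import hmac
from typing import Callable, Dict


class TruncatingBackend:
    """Constructed stand-in: minimum 8 characters is enforced, but only the
    first 8 are stored, lowercased (the launcher bug described in the thread)."""
    LIMIT = 8

    def __init__(self) -> None:
        self._stored: Dict[str, str] = {}

    def set_password(self, user: str, password: str) -> None:
        if len(password) < self.LIMIT:
            raise ValueError("password must be at least 8 characters")
        self._stored[user] = password[: self.LIMIT].lower()   # the bug

    def login(self, user: str, password: str) -> bool:
        return self._stored.get(user) == password[: self.LIMIT].lower()


class CorrectBackend:
    """Constructed stand-in that hashes the whole password, case preserved.
    Plain SHA-256 keeps the demo stdlib-only; use bcrypt or Argon2 for real."""

    def __init__(self) -> None:
        self._stored: Dict[str, bytes] = {}

    def set_password(self, user: str, password: str) -> None:
        self._stored[user] = hashlib.sha256(password.encode("utf-8")).digest()

    def login(self, user: str, password: str) -> bool:
        expected = self._stored.get(user)
        candidate = hashlib.sha256(password.encode("utf-8")).digest()
        return expected is not None and hmac.compare_digest(expected, candidate)


def effective_length(login: Callable[[str], bool], password: str) -> int:
    """Shortest prefix of `password` the server accepts, found by bisection.

    Assumes the account was just set to `password`, so the full string is
    accepted, and that a prefix of length k is accepted iff k is at least the
    truncation point. Returns len(password) when nothing shorter works.
    """
    lo, hi = 1, len(password)
    while lo < hi:
        mid = (lo + hi) // 2
        if login(password[:mid]):
            hi = mid          # accepted: the cut-off is at mid or earlier
        else:
            lo = mid + 1      # rejected: the cut-off is later
    return lo


def case_insensitive(login: Callable[[str], bool], password: str) -> bool:
    """True if the case-swapped password is accepted as well."""
    swapped = password.swapcase()
    return swapped != password and login(swapped)


def probe(backend, password: str) -> Dict[str, object]:
    """Set the password on a throwaway account, then measure what the server keeps."""
    backend.set_password("probe", password)
    login = lambda candidate: backend.login("probe", candidate)
    return {
        "effective_length": effective_length(login, password),
        "case_insensitive": case_insensitive(login, password),
    }


if __name__ == "__main__":
    pw = "PassWord12345!?"
    print(probe(TruncatingBackend(), pw))  # {'effective_length': 8, 'case_insensitive': True}
    print(probe(CorrectBackend(), pw))     # {'effective_length': 15, 'case_insensitive': False}
```

Against a live service, run this only on an account you own with permission to test: every rejected attempt counts toward lockout and rate limits, which is why the bisection matters. A result where `effective_length` is shorter than the password you set, or `case_insensitive` is true, is the evidence to put in the report; the fix on the server side is to reject over-long input explicitly and hash the full, case-preserved password.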