Last week, I tried to register for a service and was really surprised by a password limit of 16 characters. Why on earth yould you impose such strict limits? Never heard of correct horse battery staple?

  • MisterFrog@lemmy.world
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    I got this from a bank. A BANK. Not only was it limited to 12 characters. THEY ALSO LIMITED THE SPECIAL CHARACTER SET.

    I complained and was told, oh that’s why we have the security number for (a unchanging six digit code), and I’m like, that’s basically 1 password with 18 character limit and 6 of the characters are definitely numbers.

    Not only that, 2FA is not available for logon, it just says “to authenticate certain types of Internet and Mobile Banking transactions”.

    I couldn’t believe it. Surprise, surprise, there are no minimum password security regulations in Australia…

    • herrvogel@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      What? The password should only receive the hashed password, and that’s gonna have a fixed length. What’s stored in the db should have the exact same length whether the password is 2 characters long or 300. If the length of the password is in any way a consideration for your database, you’ve royally fucked up long before you got to that point.

      • Ptsf@lemmy.world
        link
        fedilink
        arrow-up
        0
        ·
        2 months ago

        There are going to be very few hashing algorithms that can take a certain byte value and hash it down into a unique smaller byte value. If you miscoded the database and stored the hashed passwords into a value of a fixed length, you have to abide by that length without some trickery or cleaveriness. Is that not the case? Every time I’ve seen this limitation in wild code that has been the case.

      • Sibbo@sopuli.xyz
        link
        fedilink
        arrow-up
        0
        ·
        2 months ago

        You are expecting a lot from someone who thinks a password needs a low maximum length. It makes sense to limit password length to avoid dos attacks, but certainly to something longer than 16.

  • cron@feddit.orgOP
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    Here is a screenshot from the page where my meme came from. But it it not the only company out there with ridiculous password policies.

  • akilou@sh.itjust.works
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    I had to make an account the other day with the absolute worst password requirements I’ve ever seen:

    • ChickenLadyLovesLife@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      2 months ago

      Ugh, I’m unfortunately even more bothered by the random extra spaces at the start of the first and last requirements than I am by the security horror.

    • RebekahWSD@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      I am now even more relieved that the NJ courts have removed me permanently from jury duty, so my chances of interacting with that entire nonsense has gone down. A bit. Just a bit down.

      Now I just must try to not be taken to court or take one to court.

      This is where hiding inside might help.

  • faltryka@lemmy.world
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    This is my biggest pet peeve. Password policies are largely mired in inaccurate conventional wisdom, even though we have good guidance docs from NIST on this.

    Frustrating poor policy configs aside, this max length is a huge red flag, basically they are admitting that they store your password in plan text and aren’t hashing like they should be.

    If a company tells you your password has a maximum length, they are untrustable with anything important.

    • primrosepathspeedrun@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      also, if they think a strong password is only about types of characters. a dozen words from as many languages and 5+alphabets is just as good!

      its to the point I don’t bother remembering my passwords anymore, because this bullshit makes user-memorable-hard-to-machine-guess passwords impossible.

    • chameleon@fedia.io
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      bcrypt has a maximum password length of 56 to 72 bytes and while it’s not today’s preferred algo for new stuff, it’s still completely fine and widely used.

      • DaPorkchop_@lemmy.ml
        link
        fedilink
        arrow-up
        0
        ·
        2 months ago

        Wait, really? I always thought bcrypt was just a general-purpose hash algorithm, never realized that it had an upper data size limit like that.

    • clearedtoland@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      2 months ago

      The number of government websites that I’ve encountered with this “limitation.” Even more frustrating when it’s not described upfront in the parameters or just results in an uncaught error that reloads the page with no error message.

      • faltryka@lemmy.world
        link
        fedilink
        arrow-up
        0
        ·
        2 months ago

        It being open source helps because we can confirm it’s not being mishandled, but it’s generally arbitrary to enforce password max lengths beyond avoiding malicious bandwidth or compute usage in extreme cases.

    • unmagical@lemmy.ml
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      If a company tells you your password has a maximumn length, they are untrustable with anything important.

      I would add if they require a short “maximum length.” There’s no reason to allow someone to use the entirety of Moby Dick as their password, so a reasonable limit can be set. That’s not 16 characters, but you probably don’t need to accept more than 1024 anyway.

        • phcorcoran@lemmy.world
          link
          fedilink
          arrow-up
          0
          ·
          2 months ago

          Sure but if my password is the entire lord of the rings trilogy as a string, hashing that would consume some resources

        • frezik@midwest.social
          link
          fedilink
          arrow-up
          0
          ·
          2 months ago

          Bcrypt and scrypt functionally truncate it to 72 chars.

          There’s bandwidth and ram reasons to put some kind of upper limit. 1024 is already kinda silly.

        • unmagical@lemmy.ml
          link
          fedilink
          arrow-up
          0
          ·
          2 months ago

          Of course, but if you’re paying for network and processing costs you might as well cap it at something secure and reasonable. No sense in leaving that unbounded when there’s no benefit over a lengthy cap and there are potentially drawbacks from someone seeing if they can use the entirety of Wikipedia as their password.

          • DaPorkchop_@lemmy.ml
            link
            fedilink
            arrow-up
            0
            ·
            2 months ago

            You can also hash it on the client-side, then the server-side network and processing costs are fixed because every password will be transmitted using same number of bytes

            • unmagical@lemmy.ml
              link
              fedilink
              arrow-up
              0
              ·
              2 months ago

              You still need to deal with that on the server. The client you build and provide could just truncate the input, but end users can pick their clients so the problem still remains.

    • MotoAsh@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      edit-2
      2 months ago

      “If a company tells you your password has a maximum length…”

      Uhhh no. Not at all. What so ever. Period. Many have a limit for technical reasons because hashing passwords expands their character count greatly. Many websites store their passwords in specific database columns that themselves have a limit that the hashing algorithm quickly expands passwords out to.

      If you plan your DB schema with a column limit in mind for fast processing, some limits produce effectively shorter password limits than you might expect. EVERYONE has column limits at least to prevent attacks via huge passwords, so a limit on a password can be a good sign they’re doing things correctly and aren’t going to be DDOS’d via login calls that can easily crush CPUs of nonspecialized servers.

        • frezik@midwest.social
          link
          fedilink
          arrow-up
          0
          ·
          edit-2
          2 months ago

          The hash isn’t at all secure when you do that, but don’t worry too much about it. GP’s thinking about how things work is laughably bad and can’t be buried in enough downvotes.

            • frezik@midwest.social
              link
              fedilink
              arrow-up
              0
              ·
              edit-2
              2 months ago

              The Wikipedia article is probably a good place to start: https://en.wikipedia.org/wiki/Cryptographic_hash_function

              Though I’d say this isn’t something you read directly, but rather understand by going through cryptographic security as a whole.

              To keep it short, cryptographic hashes make a few guarantees. A single bit change in the input will cause a drastic change in the output. Due to the birthday problem, the length needs to be double the length of a block cipher key to provide equivalent security. And a few others. When you chop it down, you potentially undermine all the security guarantees that academics worked very hard to analyze.

              Even a small change would require going to a lot of work to make sure you didn’t break something. And when you’ve read up on cryptography in general and understand it, this tends to be an automatic reflex.

              None of which really matters. GP’s big assumption is that the hash size grows with input size, which is not true. Hash size stays fixed no matter the input.

      • wer2@lemm.ee
        link
        fedilink
        arrow-up
        0
        ·
        2 months ago

        It doesn’t matter the input size, it hashes down to the same length. It does increase the CPU time, but not the storage space. If the hashing is done on the client side (pre-transmission), then the server has no extra cost.

        For example, the hash of a Linux ISO isn’t 10 pages long. If you SHA-256 something, it always results in 256 bits of output.

        On the other hand, base 64-ing something does get longer as the input grows.

        • redxef@scribe.disroot.org
          link
          fedilink
          arrow-up
          0
          ·
          2 months ago

          Hashing on the client side is as secure as not hashing at all, an attacker can just send the hashes, since they control the client code.

          • wer2@lemm.ee
            link
            fedilink
            arrow-up
            0
            ·
            2 months ago

            Hashing is more about obscuring the password if the database gets compromised. I guess they could send 2^256 or 2^512 passwords guesses, but at that point you probably have bigger issues.

            • redxef@scribe.disroot.org
              link
              fedilink
              arrow-up
              0
              ·
              edit-2
              2 months ago

              It’s more about when a database gets leaked. They then don’t even have to put in the effort of trying to match hashes to passwords. And that’s what hashing a password protects against, when done correctly.

      • frezik@midwest.social
        link
        fedilink
        arrow-up
        0
        arrow-down
        1
        ·
        2 months ago

        Just in case someone runs across this and doesn’t notice the downvotes, the parent post is full of inaccuracies and bad assumptions. Don’t base anything on it.

    • cron@feddit.orgOP
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      Oh I had the same thought. Whoever limits password length probably has many other shitty security practices.

  • Lycist@lemmy.world
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    Its even better when they don’t tell you that your password is too long, and they truncate it somewhere unknown.

    Tried a randomgen 32 character password at the local sheriff’s office. Copy and pasted it directly out of my password manager into the password creation field so I know I didn’t typo it and when I tried to login it wouldn’t work. Took me a bit of troubleshooting to figure out what happened.

    • wreckedcarzz@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      2 months ago

      That happens all the fucking time, and it’s infuriating. Most recent example was with Kagi, which I eventually found out had a max of 72, truncated, no warning. I bitched out their support and they were like ‘nbd, and it should have warned you’ and I’m like ‘nope, no warning at all’ which means they didn’t bother checking if a warning actually showed or prevented the input, just ‘I wrote it so we must be good’.

      They claim to have fixed this, but ugh. Took me a half an hour, and I started with the suspicion that it was being truncated. Test your shit if you’re going to be stupid, people.

      • Rogue@feddit.uk
        link
        fedilink
        arrow-up
        0
        ·
        2 months ago

        What are the benefits of a password greater than 72 characters? How high do you try to go?

        • AA5B@lemmy.world
          link
          fedilink
          arrow-up
          0
          ·
          2 months ago

          The longer it is, the harder for anyone to guess, write down, remember, or brute force. For that long a password, someone can actually see my password and then have effectively zero chance of being able to use it.

          But maybe it’s more a ”why not?” In one side it’s generated so you can use it equally well, and in the other side it should be hashed to a standard length so they should be able to manage it equally well.

      • Zorsith@lemmy.blahaj.zone
        link
        fedilink
        English
        arrow-up
        0
        ·
        2 months ago

        Ive seen an account creation or password reset that let’s you do any length password, but the actual login page has a character limit.

  • x0x7@lemmy.world
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    How to properly set password requirements on your website. Accept any utf8 string. Have a nice day.

    • tiredofsametab@fedia.io
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      It’s all fun and games until someone realizes they can just create lots of accounts with large passwords and fill your space.

      • Jade@programming.dev
        link
        fedilink
        arrow-up
        0
        ·
        2 months ago

        Not a problem because passwords are hashed, which means they take up a fixed size, and you should have form upload size limits anyway.

        • tiredofsametab@fedia.io
          link
          fedilink
          arrow-up
          0
          ·
          2 months ago

          hashed, which means they take up a fixed size

          One would hope so anyway,

          you should have form upload size limits

          The above conflicts directly with OP’s Accept any utf8 string

          • x0x7@lemmy.world
            link
            fedilink
            arrow-up
            0
            ·
            edit-2
            2 months ago

            Ok. Take up to 65,536 bytes of utf8 string. Or better yet. Accept any password length. I mean any. But instead of transmitting it you bcyrpt on their machine and then use the resulting key to hmac sign a recent timestamp that can’t be reused.

  • CafecitoHippo@lemm.ee
    link
    fedilink
    English
    arrow-up
    0
    ·
    2 months ago

    My current employer has the dumbest restrictions for passwords to our core system. It is a large regional bank. Our core system must have a password that is either 7 or 8 characters long (nothing shorter or longer). It cannot have any vowels or special characters. It cannot have any capital letters. It cannot have two numbers in a row.

      • CafecitoHippo@lemm.ee
        link
        fedilink
        English
        arrow-up
        0
        ·
        2 months ago

        Whoops. Forgot a restriction, can’t use repeating characters either so that one doesn’t work either.

          • CafecitoHippo@lemm.ee
            link
            fedilink
            English
            arrow-up
            0
            ·
            edit-2
            1 month ago

            Yeah but then you gotta change it every 30 days and it can’t use any of your last 24 passwords so you can’t even cycle through 10 numbers in one spot or even two spots. So you’d have to do like “p0s0w0rd” and then do “p1s0w0rd” and so forth.

  • MTK@lemmy.world
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    Fuck this! My bank has this, and not just that, the limit is 6 digits, that’s right, only digits and only 6 of them.

    My balance is harder to guess than my password (if you include cents)

    Fuck!

    • BlueKey@fedia.io
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      And (at least at the time of my account creation) don’t even tell you about it. I found out by the errormessage in the networklog of the REST requests why my signup failed repeately.

  • paris@lemmy.blahaj.zone
    link
    fedilink
    arrow-up
    0
    ·
    edit-2
    2 months ago

    The worst is when it either won’t tell you what the character limit is so you have to just keep lowering it and retrying until it finally works, or when the infrastructure for signing up has a different character limit than the infrastructure for logging in, so you can sign up with a long password but can’t actually sign in with it. I once encountered a website that had this issue for both the password AND username so I had to change my password and then contact support to change my username. Absurd.

    • absGeekNZ@lemmy.nz
      link
      fedilink
      English
      arrow-up
      0
      ·
      2 months ago

      I have had this before, I was so confused for a while.

      Made account used my password manager, so I knew the password was correct, went around the loop a few times of “forgot password”; finally shortened form 25 to 16 characters and it just worked.

    • CoggyMcFee@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      I used a service that had password validation on the “current password” field when you update your password. My password had stopped being valid due to a change in their password policy, but I couldn’t fix it because the “update password” form kept saying my current password was invalid. I know — you told me to change it!!!

    • Nicadimos@lemmy.ml
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      I used to manage a system that had a longer character limit on the creation than in the sign in. To fix it, they just let you type in more characters when you signed in but only validated the first 8 anyway. 🤦‍♂️