My bank: “your password is too long, please choose a new password.”

Should never be an error message, ever.

@nixCraft Those bytes are expensive.
@nixCraft
At least they didn't truncate it silently in the frontend. /S

@nixCraft well no, there’s no reason why someone should be able to paste an entire novel into the password field.

However, the length limit should be sane enough that it's not likely to trip anyone up in normal usage.

@nixCraft

I think it's reasonable to cap a password length at 128 or 256 characters.

That's not what they are doing... but I'd be OK if that's how high the number was.

@0xDEADKEITH @nixCraft If you're hashing passwords anyway, does it even matter? You don't store the password, you create a hash from the password and that can be as short as you like.
@nixCraft Oracle has a max of 32 characters, which isn't terrible apart from being a limit that's easy to pass
@nixCraft it took me 10 minutes the other day to figure out why I couldn't create an account somewhere, it was because my password was too long
@alexmorse @nixCraft
Same here. PayPal showed an unspecified error. In the responses in the network inspector I saw the real error cause.
@nixCraft Fun fact, at one of my banks it isn't...!

Because they truncate it, and then don't tell you.
🫠
@nixCraft I was trying to update an email address on a site I hadn't used in a few years, and the site wasn't accepting my password. I tried resetting it and found the new rule for passwords was six to eight characters, only alphanumeric.
@nixCraft Except when preventing DoS in cases like CVE-2013-1443, CVE-2014-9016, CVE-2014-9034 and so on.

@nixCraft

Translation: We do not know how to store a hash, so you probably should not bank with us.

@SpaceLifeForm @nixCraft 100% agree. If they store the password "as-is" in the database, it is really not safe. Yes, it makes me nervous to deal with such companies...

@nixCraft
Reminds me of some server I manage.

User: sets a 32 character password.
Supermicro IPMI2: that seems long, let's use only the first 19 characters, and sends a "password set successfully" message.
User: tries to log in with their 32 character password.
Supermicro: password doesn't match.

@zentinel17 @nixCraft This kills me. Truncate the string the same everywhere god damnit
@zentinel17 @nixCraft PayPal does this. I found it had a 20 character limit after it appeared to let me change my password to a 40 character password but then wouldn't let me log in with it.
@nixCraft no, hashing big blobs can be a DoS, there should be a reasonable limit. Say 500 bytes

@nixCraft
Bank: your password is too tall

Me: p̱͕̹̰̤̭̲̲̮̬̳̩̱ͪͭ̉͑̐ͯͧ͒ͬ̂͑̑͐a̩̳̪̺̘͓̗̙͙̬ͩ͂̿̐ͩ͒́̓̎̅̈ͅṣ̯̤̝̟̻̣̗̝̻̹͊̍̊́͂̍̇ͯ̍̆̚s̻̥̗͔̗̥͖͔̘͔͊͆ͨͩ̐ͦ̅̃͗ͦw̮̭͖͙̼̬͚̜ͯ͊͗ͫ̈̈̓ͪo͙͕͔̘̳͕̞͚̲̜͚ͅrͪͭd̍ͨ͂͂͌͆̈́̚

@nixCraft Don't complain. Banks here impose an 8-number code, to be entered with the mouse on a randomized virtual keyboard.
@asl I only get 6 with my bank... @nixCraft
@nixCraft What do you mean my 1-million-character password is too long?
@nixCraft or "your password cannot contain a $ character, please choose a new password."
@nixCraft I once had a message telling me not to use unicode characters. That very much limits your options.
@nixCraft they've just never heard of varchar for their DB. (Also, that means they are saving clear text??)
@nixCraft nothing says "we upgraded our mainframe to z/OS in 2008 but not so much our code, whoopsie" like that.

@nixCraft that’s about as good as the Microsoft Support tech telling me last week that I had “too much security” when I was required to escalate priv in order to reinstall O365 on one of our user’s machines.

I laughed in the guy's face, asked him if he really just said that, and told him that he'd have to take his grievances up with M$ developers and security engineers.

@nixCraft I actually encode all my files into very long strings, and use those strings as passwords on websites with no password length limit. It takes nearly an hour to login, but I get free unlimited file storage!
@nixCraft after a good night’s sleep I realize that this in no way makes sense lol
@nixCraft It suggests that they don’t use a hash to store your password. 🤮 #redflag

@fubaroque @nixCraft

Not necessarily. There are legitimate performance considerations to allowing too-long passwords, since they increase the burden on the authenticating server.

A 32 character limit is too low though.

@csdummi @nixCraft After the first round the length is fixed. 🤔

@fubaroque @nixCraft

The password is, after all, sent in plaintext from the browser to server (over HTTPS).

@csdummi @nixCraft And? Does that mean its length needs to be restricted? Uploading documents of a gigabyte doesn't seem to be a problem... 🤣
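The exchange above (and the earlier replies about hashing, DoS limits and silent truncation) boils down to one rule: pick a single, generous byte cap, enforce it identically on the set-password and login paths, and reject rather than truncate. The following is an added example written for this page, not code from any poster, bank or product named in the thread; the 256-byte cap, the PBKDF2 iteration count and the 19-character truncation that mimics the IPMI story are assumptions chosen for illustration.

```python
# Added example (not from the thread): one length limit, measured in bytes,
# enforced identically when a password is set and when it is verified, and
# rejected rather than silently truncated. The cap and iteration count are
# assumptions chosen for illustration, not any bank's real policy.
import hashlib
import hmac
import os

MAX_PASSWORD_BYTES = 256     # assumption: generous cap that also bounds hashing cost
PBKDF2_ITERATIONS = 100_000  # assumption: kept low so the demo runs quickly


class PasswordTooLong(ValueError):
    """Raised instead of truncating, so the user learns the real reason."""


def password_bytes(password: str) -> bytes:
    """Encode to UTF-8 and apply the cap to the *byte* length.

    Multi-byte characters count for more than one byte, so the limit the
    user is told about should be checked after encoding, not on characters.
    """
    data = password.encode("utf-8")
    if len(data) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(
            f"password is {len(data)} bytes, limit is {MAX_PASSWORD_BYTES}"
        )
    return data


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    data = password_bytes(password)
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Apply the same cap on the login path; an over-long input simply fails."""
    try:
        data = password_bytes(password)
    except PasswordTooLong:
        return False
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", data, bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def broken_set_password(password: str, limit: int = 19) -> str:
    """The anti-pattern described in the thread: the set-password path keeps
    only the first `limit` characters and reports success, while the login
    path (verify_password) hashes what the user actually typed."""
    return hash_password(password[:limit])


def _rejects(password: str) -> bool:
    try:
        hash_password(password)
        return False
    except PasswordTooLong:
        return True


def demo() -> dict:
    """Constructed inputs; returns the outcomes so they can be checked."""
    pw32 = "correct horse battery staple 32!"   # constructed 32-character password
    good = hash_password(pw32)
    bad = broken_set_password(pw32)             # silently truncated to 19 chars
    novel = "x" * (MAX_PASSWORD_BYTES + 1)      # just over the cap
    return {
        "consistent_login_works": verify_password(pw32, good),
        "truncated_set_breaks_login": verify_password(pw32, bad),
        "only_first_19_chars_log_in": verify_password(pw32[:19], bad),
        "over_long_is_rejected_on_set": _rejects(novel),
        "ten_key_emoji_in_bytes": len(password_bytes("🔑" * 10)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two practical caveats the demo makes visible: the cap is applied to the encoded byte length, so a 10-character emoji password already costs 40 bytes, which is why a limit stated in "characters" and enforced in bytes confuses users; and any truncation that happens on one path only (here `broken_set_password`) produces exactly the "set succeeded, login fails" behaviour the thread describes. The same applies to algorithms that truncate internally: bcrypt uses only the first 72 bytes of its input, so a cap above that must be enforced (or the input pre-hashed) consistently on both paths.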

@nixCraft my personal pet peeves was a dissonance between Adobe's password policy in their ID mgmt and inside Photoshop.

Created an account with password X online.
Photoshop: invalid password cannot XYZZY jadajadajada

@nixCraft unless you try to put half a book in there (> 250 chars)
@nixCraft my bank ask for an 8 *NUMBER* password 😭.

@nixCraft this happens to me a lot: generating passwords with a generator, I often have to figure out a website's maximum length by trial and error.

Actually most websites have a maximum character limit, though most don't implement a warning or message about the max chars at all.

@nixCraft the difference between too long to brute-force and too long to brute-force ;-)
@nixCraft Whenever I think I'm too much of an amateur to get a programming job, I think of websites like this. (Or sites that demand I type the phone number with or without dashes as if they'd never heard of text processing.)
@nixCraft A lot of food apps (KFC, etc...) do this, I don't know why. 🤷
@nixCraft a bank should not reveal a "password too long" error like that in plain text. Maybe they are investing more in securing physical currency from bank heists than in the "oopsies, amount deleted from bank account" slip of an edit.
@nixCraft My bank does not even allow me to include special characters in the password.
@nixCraft especially not from a BANK

@nixCraft Exactly, why bother with the error message when you can just use <input maxlength=20>, everybody understands that :-D (My bank did this, and only in some places, so the supposedly same password did not work.)

My favourite story, though, is when a public transit service changed their password policy and limited the length in the login form, so I could no longer log in with my long password. And the password change form was proactively removing characters which were not Czech enough, without any notice whatsoever. Completely brain-dead.