In password security, the longer the better. With a password manager, using more than 24 characters is simple. Unless, of course, the secure password is not accepted due to its length. (In this case, through STOVE.)

Possibly indicating cleartext storage of a limited field (which is an absolute no-go), or suboptimal or lacking security practices.

  • OsKe@lemm.ee · 7 days ago

    At least they tell you. I signed up with websites that just cut the password after the 12th character. No way of signing in with the password again (not without trying a couple of times, at least).

  • absGeekNZ@lemmy.nz · 7 days ago

    I like it that the site says the max length…this is not common. I wish it was.

    • pleasejustdie@lemmy.world · 6 days ago (edited)

      The problem is a password hash is a fixed length regardless of the password, so if this is implemented correctly there is no need for a maximum password length. These things raise my security flag because it makes me think they are storing the password in plain text instead of doing proper practice and storing the hash only.

  • lemmydividebyzero@reddthat.com · 9 days ago

    My best experience… They allowed me to set a 100 characters password, but then changed the limits a year later, so that you couldn’t even login anymore.

  • MNByChoice@midwest.social · 9 days ago

    Used to run into this more. Some legacy systems imposed password limits that seem archaic by modern standards. The authentication system was just supporting systems from before newer standards were created.

    I think some of those compatibility layers outlived the systems they needed to be compatible with. The people that knew the system retired ages ago and the documentation was lost 3 or 4 “documentation system” changes ago.

    Anyway, those have no place on the modern web.

  • eronth@lemmy.dbzer0.com · 8 days ago

    The password on my PC is something like 30 characters long. Back when win10 was first coming out, they were pushing getting an actual outlook account and tying that to your login. I was hesitant at first, but figured I’d try it out and see how that worked for me.

    Turns out outlook accounts (at the time) had something like a 16 character limit on passwords. Bruh.

  • Buffalox@lemmy.world · 8 days ago (edited)

    Your password MUST contain big and small letters, and contain at least 1 number character and 1 special character, it MUST be 8 characters long, and it MUST be typed on a German Cherry keyboard between 8-9 PM, using ONLY 1 finger while blindfolded and listening to ABBA music. BUT NO SPACES ALLOWED!!!
    This is because of something called entropy, which we never even read about, so we have zero understanding of it. Of course, combined with lousy programming, so safety is all on you.

    Making all these possibilities OPTIONAL would actually make for safer passwords (higher entropy), as would using multiple words separated by spaces. The only meaningful way to accept a password would be to test it against common bad passwords, and test the entropy to determine acceptable levels. There is no good reason a password couldn’t be 10 words and at least 127 characters. There is no way that should stress a properly designed modern system.

      • WanderingThoughts@europe.pub · 8 days ago

        Had that yesterday.

        “Must use special characters!”

        “Okay, no problem. Here you go.”

        “Not that one! It’s too special!”

        “Dude, I haven’t even touched extended ASCII yet.”

      • Buffalox@lemmy.world · 8 days ago

        I think it’s originally because of bad programming. It’s so incredibly stupid I don’t have words.

      • AA5B@lemmy.world · 8 days ago

        Even worse, when you can’t figure out why, or how to configure the generator, then end up having to type your own anyway.

    • Kushan@lemmy.world · 9 days ago

      You have described all of the guidelines that NIST, Microsoft, GCHQ and a few other institutions now recommend for password security.

      And yet I still have to have this argument with so-called security engineers and my favourite, compliance officers.

      • Buffalox@lemmy.world · 8 days ago

        the guidelines that NIST, Microsoft, GCHQ and a few other institutions now recommend for password security

        Because they are morons that don’t understand entropy.
        Requiring at least 1 number increases entropy less than simply allowing the use of numbers, and then recommending it.
        But most password queries are lousy at describing what’s allowed when creating it, and they generally don’t describe it at all when you enter it for access.
        The second part can be crucial for remembering exactly how the password was created, because what is now required, used to often not even be possible to use!

    • RedditRefugee69@lemmynsfw.com · 8 days ago

      I like the ones that just tell you your password strength.

      Subtle shaming of bad passwords without giving bad actors hints as to what the minimum (and thus most likely) password is.
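The policy Buffalox and Kushan are arguing about, written out as an added example in Python (this is not code from the thread, and the blocklist is a constructed stand-in for a real breach-derived list): length bounds counted in Unicode code points after NFKC normalization, a blocklist check including context-specific words, and no composition rules at all. Spaces, emoji and any printable Unicode are accepted.

```python
"""Added example: a password-acceptance check in the shape NIST SP 800-63B
describes. Not code from this thread; the blocklist below is a constructed
stand-in for a real breach-derived list."""
import unicodedata

MIN_CHARS = 8    # 800-63B minimum for user-chosen secrets
MAX_CHARS = 64   # 800-63B says allow *at least* 64; raising this costs nothing

# Constructed sample; a deployment loads a large breach-derived list instead.
BLOCKLIST = {"password", "password1", "12345678", "qwertyuiop", "iloveyou", "letmein123"}


def normalize(password: str) -> str:
    """NFKC so the same visible string hashes the same however the client composed it
    ("é" typed as one code point or as "e" plus a combining accent)."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, username: str = "") -> list[str]:
    """Return the list of reasons to reject; an empty list means accept.
    No composition rules: spaces, emoji and any printable Unicode are fine."""
    pw = normalize(password)
    problems: list[str] = []

    n = len(pw)  # Unicode code points, not bytes and not UTF-16 units
    if n < MIN_CHARS:
        problems.append(f"too short: {n} characters, minimum is {MIN_CHARS}")
    if n > MAX_CHARS:
        problems.append(f"too long: {n} characters, maximum is {MAX_CHARS}")

    # Reject control characters (category Cc) only; format characters such as the
    # zero-width joiner inside emoji sequences stay allowed.
    if any(unicodedata.category(c) == "Cc" for c in pw):
        problems.append("control characters are not allowed")

    folded = pw.casefold()
    if folded in BLOCKLIST:
        problems.append("blocklisted: this password is commonly used or previously breached")
    # Context-specific words (the username, the service name) belong on the list too.
    if username and username.casefold() in folded:
        problems.append("contains your username")

    return problems


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "Password1", "short", "cafe\u0301 au lait"]:
        print(repr(candidate), "->", check_password(candidate) or "OK")
```

The only thing the user is ever told is why a specific password was refused; nothing here advertises a minimum composition that a guesser could target, which is the point RedditRefugee69 makes about strength meters.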

  • 4am@lemm.ee · 8 days ago (edited)

    Don’t worry, pretty soon they will just block password managers from autofilling fields on their login page so that you HAVE to remember your password! Then you’ll be happy it can’t be that long, you can only fit so much on a post-it note on the side of your monitor.

    /s

    EDIT: I think there should be a law against blocking password managers for filling in fields. Any brute force bots are going to submit HTTP requests directly anyway; no one is hitting the DOM to do that

    • bleistift2@sopuli.xyz · 8 days ago

      think there should be a law against blocking password managers for filling in fields.

      I’ve never heard of anyone trying to do that. I couldn’t even imagine how a website could detect a password manager.

      • BradleyUffner@lemmy.world · 8 days ago (edited)

        I’ve had banks do it in the past. It’s not that they can “detect” the password manager, they just use a method that’s incompatible with them.

        They have a fake input field and capture keypress events via JavaScript directly from the DOM, then just make it look like you typed in to the input field. They don’t read the password from the input field, they build it up in memory from those key press events.

        It also completely breaks accessibility software, which is the main reason I think the industry moved away from doing it for the most part.

      • PracticalParrot@discuss.tchncs.de · 8 days ago

        I’ve seen it a couple of times. It’s the same ones that block copy/paste on password fields. The workaround is to write a short python script using pyautogui or similar to “type” out the clipboard content.

  • Skull giver@popplesburger.hilciferous.nl · 9 days ago

    Sounds like they’re using bcrypt. Feeding more than 24 utf8 characters into bcrypt won’t do anything useful. You can permit longer passwords (many sites do) but they’d be providing a false sense of security.

    Bcrypt is still secure enough and 24 characters are fine as long as they’re randomly generated by your password manager.

      • Skull giver@popplesburger.hilciferous.nl · 8 days ago

        The specification of the algorithm specifies up to 56 bytes, including a null terminator. If you’re using UCS-2 (2+ bytes per character, like Windows, Java, Javascript, and more languages and platforms do), that’s 27 characters (can’t use the last half byte character pair). Add some margins for extended characters (emoji and such) and you’ll end up just above or below 24. With UTF-8 you can end up doing much better (exclusively Latin-1) or much worse (exclusively non-Latin character sets). Verifying that on the frontend is a massive pain (string length in JS is unreliable) and dynamically switching codecs is a recipe for bugs and security leaks.

        The 72 byte limit is the result of the internal workings of most bcrypt algorithms, but if you ever switch implementations you need to make sure that implementation doesn’t change the internal workings if you rely on details like that. If the stars align you can use 71 characters (72 if you use Pascal strings), but that’s far from a given.

        • Kissaki@feddit.org (OP) · 8 days ago

          No, it does not take up more space for ASCII characters.

          If you want a source, Wikipedia

          the first 128 characters of Unicode, which correspond one-to-one with ASCII, are encoded using a single byte with the same binary value as ASCII
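To put numbers on the bcrypt discussion above, here is an added example (not code from the thread or from any bcrypt implementation) showing what bcrypt's 72-byte input cap means once a password is UTF-8 encoded, how two long passwords collide after truncation, a registration check that refuses instead of silently truncating, and the usual pre-hash workaround. It models the cap as a byte slice so it runs with the standard library only; the pepper passed to the pre-hash is an assumed server-side secret.

```python
"""Added example: bcrypt's 72-byte input cap, counted in UTF-8 bytes, and the
pre-hash workaround. Models the cap as a byte slice; no bcrypt library needed."""
import base64
import hashlib
import hmac

BCRYPT_MAX_BYTES = 72  # what mainstream bcrypt implementations actually consume


def utf8_len(password: str) -> int:
    """Bytes bcrypt will see; the unit any length limit has to be expressed in."""
    return len(password.encode("utf-8"))


def bcrypt_input(password: str) -> bytes:
    """The bytes a bcrypt implementation uses: everything past 72 is dropped,
    even if that cuts a multi-byte character in half."""
    return password.encode("utf-8")[:BCRYPT_MAX_BYTES]


def collide_under_bcrypt(a: str, b: str) -> bool:
    """True when bcrypt would produce the same hash for both (same salt)."""
    return bcrypt_input(a) == bcrypt_input(b)


def accept_for_bcrypt(password: str) -> tuple[bool, str]:
    """Registration-side check that refuses rather than silently truncating,
    and states the limit in the unit that matters."""
    n = utf8_len(password)
    if n > BCRYPT_MAX_BYTES:
        return False, f"password is {n} bytes in UTF-8; this system accepts at most {BCRYPT_MAX_BYTES}"
    return True, "ok"


def prehash_for_bcrypt(password: str, pepper: bytes) -> bytes:
    """Alternative that lifts the limit: HMAC-SHA256 the UTF-8 bytes under a
    server-side pepper (assumed secret, not from the thread), base64 the digest
    (44 bytes, never contains 0x00, which matters because some bcrypt code treats
    NUL as a string terminator) and give *that* to bcrypt. Must be applied
    identically at registration and at login."""
    mac = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac)


if __name__ == "__main__":
    for pw in ["a" * 24, "\u00e4" * 24, "\U0001F600" * 24]:
        print(f"{len(pw)} characters -> {utf8_len(pw)} bytes, fits: {accept_for_bcrypt(pw)[0]}")
```

The pre-hash only helps accounts hashed with it from the start; existing bcrypt hashes cannot be converted without seeing the password again, so a migration has to re-hash at the next successful login.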

  • snooggums@lemmy.world · 9 days ago (edited)

    There was a game launcher for a popular game that required a minimum of 8 characters but only used the first 8 characters and it wasn’t case sensitive. So something like PassWord12345!? could be entered when changing the password, but you could sign in with any of the following:

    • password1234
    • PassWord123499(#$%
    • Password12345!?
    • passWord12345!
    • pASSword12345?!
    • PassWord123499(#$%
    • password

    I haven’t logged in for years so I’m not sure if it is still working that way.

  • HubertManne@piefed.social · 8 days ago

    Oh. This has been a big pet peeve of mine for a while. After starting to use password managers I figured I would standardize on the largest required characters only to find a source whose maximum characters were lower than another’s minimum characters.

  • The Infinite Nematode@feddit.uk · 8 days ago

    My mum told me the other day she logged onto a new bank, gave it a 12 character password then couldn’t get back in after. When she got through to their customer services they said that it was an 8 character password limit (!), but it just never said on the register screen.