In password security, the longer the better. With a password manager, using more than 24 characters is simple. Unless, of course, the secure password is not accepted due to its length. (In this case, through STOVE.)
Possibly indicating cleartext storage of a limited field (which is an absolute no-go), or suboptimal or lacking security practices.
The password should be hashed anyway, which has a fixed output
But there must be a (long) max length anyway, to prevent some kinds of attacks.
At least they tell you. I’ve had inputs take the full password and then truncate it silently, so you don’t actually know what they saved. Then, you try to login and they tell you wrong password.
I once encountered a system that truncated your submitted password if you logged in through their app, but not through their website. So you would set your password through the website, verify that the login was working (through the website) and then have that same login fail through the app.
Yes I’ve had issues with this as well, since I’m a child I’ve set my password generator length at 69 characters… A small trick I’ve found is to delete and rewrite the last character of one of the two repeated passwords since often the validity check gets triggered on write but not on paste
My worst experience so far was a webpage that trimmed passwords to 20 characters in length without telling you. Good luck logging in afterwards…
One of my favorite memories of how much Something Awful’s sysadmins were absolutely amateur hour back in the early 2000s was the “lappy” to “laptop” debacle. Apparently Lowtax found the term “lappy” so annoying that he ordered his system administrator to do a find/replace for every instance of “lappy,” replacing them with “laptop.”
Unfortunately this included usernames and passwords, as well as anything that just managed to have the letters “lappy” in that order anywhere in the word. So, there was one user named ‘Clappy’ who woke up one day to find his name changed to ‘Claptop.’ Apparently this is also how people discovered that they were storing password unsalted in plain text in a fucking MySQL database, which if you’re old enough, you probably already remember that the combination of MySQL and PHPmyAdmin were like Swiss cheese when it comes to site defense. :p
Flaptop Bird
That must have done a lot of dawizard to their reputation.
Common mistake for amateurs that found a password library and used it without reading the documentation. E. g. bcrypt will tell you to salt and hash the password before digesting it into constant length output for your database.
Salting before doing anything else is basic password security. I assume the webpage in question doesn’t do that, either.
For a system I worked on a few years ago I got the password requirement:
-
Only upper case letters A-Z, no letter or symbols.
-
Exactly 7 characters.
I was also recommended to make it a single word to make it memorable.
PASSWOR
-
We have a customer, a big international corporation, that has very specific rules for their intranet passwords:
- Must contain letters
- Must contain numbers
- Must contain special characters
- No repeats
- Passwords must be changed every two months
- Not the same password as any of the last seven
- PASSWORDS MUST BE EXACTLY EIGHT CHARACTERS LONG
I can only assume that whoever came up with these rules is either an especially demented BofH, or they have some really really weird legacy infrastructure to deal with.
I am a designer, but I once did a project with a very very major and recognizable tech corporation that, no joke, implemented an 8 character limit on passwords for storage reasons.
This company made in the tune of tens of billions of dollars per year, and they were penny-pinching on literal bytes of data.
I can’t say who it is, but their name begins with ‘M’ and ends in ‘cAfee.’
If password length affects storage size then something has gone very wrong. They should be hashed, not encrypted or in plaintext.
No repeats??? Like, you cant have ‘aaaa123@’ as a password?
You’re just making it easier to brute force…
My favorite is when they don’t have this check, but silently slice the string to meet the requirement, so that you can’t login with the original password the next time.
Wells Fargo used to do this. They cut my 16 character password to 8 and negated capitalization. Which is why I don’t use them anymore
amazon also had it a couple years ago
My bank used to do that back in the early 2000’s, I moved banks.
Metro Bank did something like this to me.
a game i played doesnt allow special characthers or its too long.
This shit pisses me off so bad. I had an identity theft a few years back, took ages to undo, and my credit score is still impacted by it. At the time I moved to a password manager and all my passwords are 31 characters of garbage. I’ve got several, highly sensitive accounts that my passwords don’t work for, in fact one a bank, until fairly recently, had repurposed a phone number field in the DB so passwords were limited to 10 characters numeric only (I managed to get one of their IT folks on the horn to explain why the password was so awful).
I cannot believe we live in 2025 and we still haven’t figured out passwords.
Is there any specific reason to using 31 random characters instead of 32?
Illogical meat brain that thinks odd numbers are more random that even I guess.
My bank forces a 6 digit PIN as a password.
Their 2fa is also email or text only.
At least we can set a unique username?
Meh, if they lock you out after X attempts, then 6 digits is fine. Hell, even 4 digits is fine if they have a lockout-policy.
Do they have a limit on attempts?
So long as attempts aren’t per IP and or ipv6 isn’t allowed
And as long as they don’t have an unknown database leak, negating the attempt limit.
Yeah, I’m up to 40 hide my addresses for that same reason. Figure if the password sucks, at least the email can be unique and obscure.
I just use a catch-all email domain. It’s functionally similar to a hide-my-email address, except the email addresses are much easier to read and remember.
Every single email that hits my domain goes to the same inbox. So Target@{my domain} and Walmart@{my domain} both hit the same inbox. And if I start seeing spam addressed to Target@{my domain} then I know Target sold my info. I can easily filter everything to that address straight to spam, with the exception of any senders ending in “@target.com”
It means my shit gets automatically sorted into neat little folders before it ever even hits my inbox. I can still get the birthday coupons, while all of the spam quietly vanishes into the spam inbox abyss.
I had delusions of trying to keep track of which address is sold by who which is why I did the hide my email addresses. But I’ve always kept separate personal and spam accounts. This was my attempt at combining to a single account.
168! Don’t hold back - everything gets a unique email address, a generated password, unique username and profile info.
It’s only the damn phone number that can be used to connect my data. Can’t do anything about that.
I have a google voice number for that. Most things no longer accept it though.
We have figured out passwords. Management hasn’t figured out allocating resources to security, and governments haven’t figured out fining the crap out of such companies.
all our banks and government systems and may online services work on a governments own 2fa, and there are several variants. They are linked to phone and require inputting Pins. Very comfortable, very secure and very convenient. Also very fast.
Don’t get me wrong, there are systems that work. I built up a very successful smart card based system many years ago after a failed audit. I initially hated the idea but in the end we built a crazy secure environment that was very easy to use and maintain. That project is long since obsolete but after doing that one, over a decade ago, I figured things were headed in the right direction.
I think I’m extra sensitive right now because my aging mom has made the issue acute. She’s not the same as she was a few years ago and helping her with all her online accounts has become a nightmare. It’s just too complicated for many folks.
Happens more and more often
How about creating a new account, letting bitwarden create a password, only for them to send me a clear text copy of that passwod in their confirmation email…
That means the breach is imminent, but at least you won’t need to worry about other accounts when it happens. Just be sure you don’t give them any kind of PII or financial data to save. No, you can’t save my card data to make shopping easier, because you’re almost certainly going to have a data breach next month, and drag your heels about disclosing it, giving hackers plenty of time to commit a bunch of fraud using all of the cards on file.
Here’s your password, remember to write it down on your password post-it!
i thought that practice died like 20 years ago
friendica does this.
I once registered an account with a random ~25 characters long password (Keepass PM) for buying tickets on https://uhuu.com.br/
The website allowed me to create the account just fine, but once I verified my e-mail, I couldn’t log into it due to there being a character limit ONLY IN THE LOGIN PASSWORD FIELD. Atrocious.
EDIT: btw, the character limit was 12
I’ve had this exact same thing happen.
I’ve also had it happen where you have the two fields to verify the password is the same. One had a maxlength set in it, and the other didn’t. I was for sure entering the same password and I was so confused until I opened up the dev tools and inspected the inputs.
I’ve seen this behavior too, I forget where. For me it was a bit easier since the fields displayed a different number of stars. I did spend too long trying to figure out how my password manager could be failing that way
PayPal did the same. Registration took 40 characters, login only half of that. Editing the login form didn’t work unfortunately.
It’s pretty stupid because the longer the password the more secure it is.
I understand a cap of like 64 characters or something to keep storage space down for a company with millions of users. other than that it doesn’t make a ton of sense.
The cap should actually be due to the hashing algorithm. Every password should be the exact same length once it is salted and hashed, so the actual length of the password doesn’t make a difference in regards to database size. The hash will be a set length, so the storage requirements will be the same regardless. Hashing algorithms have a maximum input length. IIRC the most popular ones return a result of 64-255 characters, and cap at 128 characters for input; Even an input of just “a” would return a 64 character hash. But the salt is also counted in that limit. So if they’re using a 32 character salt, then the functional cap would be 96 characters.
Low character caps are a huge red flag, because it means they’re likely not hashing your password at all. They’re just storing them in plaintext and capping the length to save storage space, which is the first mortal sin of password storage.
That is a huge red flag if ever given as a reason, you never store the password.
You store a hash which is the same length regardless of the password.Youre right lol. I forgot that hash lengths are different from the actually password length.
You never store passwords. They should be hashed and salted.
One time I worked a job where you had to make EXACTLY a 12 character password using only ten letters and two numbers.
My mum told be the other day she logged onto a new bank, gave it a 12 character password then couldn’t get back in after. When she got through to their customer services they said that it was an 8 character password limit (!), but it just never said on the register screen.
so secure, no one can get in, even her!
Yeah, I’d be doing that bank if there’s any choice.
Edit: Leaving (my attention got taken away as I posted)
Either this is some new slang I’m not rizz enough to understand or one of us had a stroke.
He just wants to have sex with the bank.
No cap
Tain planet, he’s our hero.
Microsoft does this to our users at my job. They go to charge their password and it won’t accept it but won’t tell them what the requirements are. “Your password doesn’t meet our criteria.” Okay, so what are you looking for???
Worst is that there seems to be a soft block at some point and instead of telling them that, it shows this dumb error instead over and over again no matter what password they choose.
Maybe that’s security by obscurity. Or security by confusion. /s
Ah must be my bank. Same.
Don’t worry, pretty soon they will just block password managers from autofilling fields on their login page so that you HAVE to remember your password! Then you’ll be happy it can’t be that long, you can only fit so much on a post-it note on the side of your monitor
/s
EDIT: I think there should be a law against blocking password managers for filling in fields. Any brute force bots are going to submit HTTP requests directly anyway; no one is hitting the DOM to do that
think there should be a law against blocking password managers for filling in fields.
I’ve never heard of anyone trying to do that. I couldn’t even imagine how a website could detect a password manager.
I’ve had banks do it in the past. It’s not that they can “detect” the password manager, they just use a method that’s incompatible with them.
They have a fake input field and capture keypress events via JavaScript directly from the dom, then just make it look like you typed in to the input field. They don’t read the password from the input field, they build it up in memory from those key press events.
It also completely breaks accessibility software, which is the main reason I think the industry moved away from doing it for the most part.
I’ve seen a couple of times. It’s the same ones that block copy/paste on password fields. The workaround is to write a short python script using pyautogui or similar to “type” out the clipboard content.
I spent way too much time on this the first time I came across it
Joyously frustrating game
