In password security, the longer the better. With a password manager, using more than 24 characters is simple. Unless, of course, the secure password is not accepted due to its length. (In this case, through STOVE.)
Possibly indicating cleartext storage of a limited field (which is an absolute no-go), or suboptimal or lacking security practices.
At least they tell you. I signed up with websites that just cut the password after the 12th character. No way of signing in with the password again (not without trying a couple of times, at least)
when you varchar(24) and forget about the hash
I like it that the site says the max length…this is not common. I wish it was.
The problem is a password hash is a fixed length regardless of the password, so if this is implemented correctly there is no need for a maximum password length. These things raise my security flag because it makes me think they are storing the password in plain text instead of doing proper practice and storing the hash only.
You’ve got to stop all those who put: abcdefghijklmnopqrstuvwxyz
That’s my password for most things, any hackers die of RSI before they get in.
It’ll be caught by a dictionary attack. at least do something to break up their sequential order.
One of the accounts that I have to use at my job is like this but much much worse. It only accepts letters and numbers, no capitalization, no symbols and can only be 8 digits long maximum. It’s like they want to account to be easy to compromise.
That sounds like the limitations of an ancient mainframe system. If so, then someone trying to brute force their way in would be more likely to crash the system instead.
If I have to create a password Ill need to remember and don’t have access to my password manager for whatever reason I have a long phrase that’s my go to but I have a system about adding numbers and characters to it based on the context of the log in. Sites with character limits really fuck that up.
What’s the point? no one is brute forcing a 12-15 password if the login system has ANY login attempt protection anyway.
This seems like one of the extreme overkill things…
That doesn’t help if someone got a list of their hashes somehow. Then an attacker can use their own system to crack them.
And that’s if they aren’t just storing the passwords as clear text to begin with, which length limitations are often a sign of.
Such a small max length is a good indicator they aren’t handling passwords correctly. A modern website should be able to send and hash kilobytes of text without the user seeing a significant delay. Having a max size like this sounds like they are storing the password as text instead of a hash.
Or some dumb project manager said passwords longer than 24 characters look bad in the UI and wanted the limit.
Do you check on login attempt protection behavior before creating accounts, and then choose your password length accordingly - longer or shorter?
Being regected for being too long. What a conundrum.
i once used 20 for a bank. the website havent told me it was too long just clipped off 2 and accepted the rest. not even the banking support was able to help me. took me a few days to solve this by accident.
This shit always pisses me off. I’ve encountered it in like 2-3 places over the years since I started using a password manager, and every time it’s so frustrating and hard to figure out.
That must have been frustrating. How many times did it lock you out from trying again?
Some people even suggest typing a longer password over a simpler one with more special characters. It’s harder to brute force.
I thought the use vocabulary lookup tables effectively nullifies the entropy benefits, if everyone started using phrases as password
Assuming the attacker knows it’s a phrase: The english language alone apparently has some 800.000 words. 800.000^6 = 2*10^35 combinations in a dictionary attack. That’s comparable to 18 random ASCII characters. We might also be using a different language, or a combination of languages, or we might deliberately misspell words.
A long string of random characters will give you more combinations per password length, but there are some passwords you just need to be able to memorize, and I’d say that’s more likely with the 6 words.
I don’t know enough to say how accurate the numbers are, but the sentiment stands - if it’s a password you’re memorizing, longer password will probably be better.
That’s not even the case though. Using a memorized passphrase that can be broken down into individual words is susceptible to dictionary attacks provided you know what the length of the password is. You can algorithmically sort away swathes of the dictionary based on how many likely word combinations exist before searching unusual word combinations. The thing is, passwords suck. It doesn’t matter how long the password is, if someone wants in, they’ll crack the password or steal it via some other means. Instead of relying on a strong password, you need to be relying on additional proof factors for sign in. Proper MFA with actual secure implementation is far more secure than any password scheme. And additionally, hardware key authentication is even more secure. If you are signing into an account and storing important data there, you do not want to rely on passwords to keep that data secure.
The reason for the character limit on passwords is often to prevent malicious attacks via data dumping in the password dialogue box. Longer numbers take more CPU cycles to properly salt and encrypt. Malicious actors may dump as many characters in a password system as they wish if they wanted to take down a service or at least hurt performance.
Additionally, even if you just used lowercase letters, an 18 character password would take 12 RTX 5090s approximately 284 thousand years to crack according to the recent Hive Systems report.
24 characters is more than enough to be secure as far as passwords alone go. Just know that, nobody is out here brute forcing passwords at any length these days, there are infinite more clever ways of hacking accounts than that.
This seems to be very common still
I don’t have it in me
The password should be hashed anyway, which has a fixed output
But there must be a (long) max length anyway, to prevent some kinds of attacks.
Long here means a 400 page book as a password.
One of the older, but still usable password hash uses only 72 characters iirc.
I think if people have 400 page book long passwords it doesn’t really need a unique hash
a game i played doesnt allow special characthers or its too long.
At least they tell you. I’ve had inputs take the full password and then truncate it silently, so you don’t actually know what they saved. Then, you try to login and they tell you wrong password.
I once encountered a system that truncated your submitted password if you logged in through their app, but not through their website. So you would set your password through the website, verify that the login was working (through the website) and then have that same login fail through the app.
Yes I’ve had issues with this as well, since I’m a child I’ve set my password generator length at 69 characters… A small trick I’ve found is to delete and rewrite the last character of one of the two repeated passwords since often the validity check gets triggered on write but not on paste
