this post was submitted on 18 Aug 2024
830 points (98.8% liked)

Cybersecurity - Memes

1891 readers
2 users here now

Only the hottest memes in Cybersecurity

founded 1 year ago
MODERATORS
Sam1232188@lemmy.world
neurohost@lemmy.world
Alphadef@programming.dev
CannaVet@lemmy.world
830
Password length requirement (feddit.org)
submitted 3 weeks ago* (last edited 3 weeks ago) by cron to c/cybersecuritymemes@lemmy.world
171 comments fedilink hide all child comments
 

Last week, I tried to register for a service and was really surprised by a password limit of 16 characters. Why on earth yould you impose such strict limits? Never heard of correct horse battery staple?

you are viewing a single comment's thread
view the rest of the comments
[–] Lycist@lemmy.world 38 points 3 weeks ago (3 children)

Its even better when they don't tell you that your password is too long, and they truncate it somewhere unknown.

Tried a randomgen 32 character password at the local sheriff's office. Copy and pasted it directly out of my password manager into the password creation field so I know I didn't typo it and when I tried to login it wouldn't work. Took me a bit of troubleshooting to figure out what happened.

[–] cron 11 points 3 weeks ago (1 children)

Oh that's evil.

[–] Zorsith@lemmy.blahaj.zone 5 points 3 weeks ago

Ive seen an account creation or password reset that let's you do any length password, but the actual login page has a character limit.

[–] bamboo@lemmy.blahaj.zone 7 points 3 weeks ago

About 10 years ago this happened to me at chase.com. IIRC they truncated at 30 characters at the time.

[–] wreckedcarzz@lemmy.world 4 points 3 weeks ago (2 children)

That happens all the fucking time, and it's infuriating. Most recent example was with Kagi, which I eventually found out had a max of 72, truncated, no warning. I bitched out their support and they were like 'nbd, and it should have warned you' and I'm like 'nope, no warning at all' which means they didn't bother checking if a warning actually showed or prevented the input, just 'I wrote it so we must be good'.

They claim to have fixed this, but ugh. Took me a half an hour, and I started with the suspicion that it was being truncated. Test your shit if you're going to be stupid, people.

[–] frezik@midwest.social 1 points 3 weeks ago

Bcrypt and scrypt have a limit of 72 chars, so it's probably that. Implementations can work around it by putting the password through a pre-hash, but most don't bother. There are tons of reasonably secure password storage systems with that limit.

[–] Rogue@feddit.uk 1 points 3 weeks ago (1 children)

What are the benefits of a password greater than 72 characters? How high do you try to go?

[–] AA5B@lemmy.world 2 points 3 weeks ago (1 children)

The longer it is, the harder for anyone to guess, write down, remember, or brute force. For that long a password, someone can actually see my password and then have effectively zero chance of being able to use it.

But maybe it’s more a ”why not?” In one side it’s generated so you can use it equally well, and in the other side it should be hashed to a standard length so they should be able to manage it equally well.

[–] frezik@midwest.social 1 points 3 weeks ago

When I did the math with a reasonable list of alphanums and symbols on a US standard keyboard, a 40 char randomly generated password had equivalent security to a 256 but block cipher key. Describing the difficulty in brute forcing that starts with the phrase "assume you can convert all the energy from a supernova at 100% efficiency into a thermodynamiclly perfect computer". A roundabout way of saying impossible.

40 chars random is already overkill.