this post was submitted on 25 Aug 2024
556 points (98.4% liked)
Cybersecurity - Memes
1964 readers
1 users here now
Only the hottest memes in Cybersecurity
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
My 'favorite' password rules are incorrect rules. Recently signed up to a service, which looked like it hasn't been updated since the 90s. They sent me my password via letter, but hey, I was allowed to change it digitally.
So, I did. I set it to a reasonably long password (probably something like 22 characters), with no problems.
Then I went to login and it refused my login. I copied my password out of my password manager, for both setting it and logging in, so there was no way that it was wrong. I quadruple checked the login name, but no luck.
Eventually, I manually typed the password from my password manager. Then I saw it, their password field stopped accepting inputs after about 20 characters.
Presumably, I was able to set my long password on the registration page, but the login page did not accept this long of a password. Fucking ace.
I had to order another password letter.
As a website developer, it’s easy to just use the 'maxlength' attribute on fields you don’t want to exceed a certain length (for valid reasons or not). But then exactly this happens: A user pastes something in there, doesn’t notice that their input got truncated, and something, somewhere breaks.
'maxlength' is terrible user experience.
Yeah, thinking about it now, I could've probably tried removing the maxlength attribute to see if the server accepts the longer password.
That doesn't sound like it should work, but probably would..
That wouldn't have been (as much of) a problem if the initial password form also truncated the input. The mismatch is the problem.
Let’s say “you wouldn’t have noticed there was a problem if there was no mismatch”. But then a few years later that max length gets dropped or increased and suddenly your password, which has always worked, isn’t accepted anymore, because now you’re pasting 2 extra characters.
I was also not talking about password fields, exclusively. Pasting stuff like customer identifiers or zipcodes into maxlength’d fields also begs for surprises, especially when you can’t see the whole input when you’re done with it.
I understand why stored information, such as passwords, usernames, stuff like that, has to have a max character count.
What I don't get is why so many people are so daft as to let stuff like this happen, and not even put the maximum password length anywhere people can obviously see it.
If you tell me what the maximum limit is, I'll be able to keep my password shorter than that.
But no.... Password minimum length is shown, symbols, numbers and special character requirements are plainly stated. Maximums? Ha.
Should have right clicked and hit 'inspect element' and changed it from 20 to 32487839423 then entered it. Bet it would have worked because, you know HTML hackers.
bonus points for capping the length silently.
I recently made a bit of software that does this. Maximum username and password length of 100 chars can be set, but the login panel only allows you to put 50 chars in the username and password fields. So if you use a password or username longer than 50 chars, youll soft lock yourself out.
But I picked it up in QC testing, it got nowhere near prod. And Im a one man band. I cant fathom how a company could let tgat get past QC.
You can't? I definitely can.