In password security, the longer the better. With a password manager, using more than 24 characters is simple. Unless, of course, the secure password is not accepted due to its length. (In this case, through STOVE.)

Possibly indicating cleartext storage of a limited field (which is an absolute no-go), or suboptimal or lacking security practices.

  • @OsKe@lemm.ee
    link
    fedilink
    English
    18 minutes ago

    At least they tell you. I signed up with websites that just cut the password after the 12th character. No way of signing in with the password again (not without trying a couple of times, at least)

  • katy ✨
    link
    fedilink
    English
    13 hours ago

    when you varchar(24) and forget about the hash

  • @oo1@lemmings.world
    link
    fedilink
    English
    39 hours ago

    You’ve got to stop all those who put: abcdefghijklmnopqrstuvwxyz

    That’s my password for most things, any hackers die of RSI before they get in.

  • @bunnyBoy@pawb.social
    link
    fedilink
    English
    711 hours ago

    One of the accounts that I have to use at my job is like this but much much worse. It only accepts letters and numbers, no capitalization, no symbols and can only be 8 digits long maximum. It’s like they want to account to be easy to compromise.

    • @JcbAzPx@lemmy.world
      link
      fedilink
      English
      311 hours ago

      That sounds like the limitations of an ancient mainframe system. If so, then someone trying to brute force their way in would be more likely to crash the system instead.

  • @kepix@lemmy.world
    link
    fedilink
    English
    1918 hours ago

    i once used 20 for a bank. the website havent told me it was too long just clipped off 2 and accepted the rest. not even the banking support was able to help me. took me a few days to solve this by accident.

    • Nora (She/Her)
      link
      fedilink
      English
      412 hours ago

      This shit always pisses me off. I’ve encountered it in like 2-3 places over the years since I started using a password manager, and every time it’s so frustrating and hard to figure out.

  • @MolecularCactus1324@lemmy.world
    link
    fedilink
    English
    551 day ago

    At least they tell you. I’ve had inputs take the full password and then truncate it silently, so you don’t actually know what they saved. Then, you try to login and they tell you wrong password.

    • Liz
      link
      fedilink
      English
      171 day ago

      I once encountered a system that truncated your submitted password if you logged in through their app, but not through their website. So you would set your password through the website, verify that the login was working (through the website) and then have that same login fail through the app.

    • @Tenkard@lemmy.ml
      link
      fedilink
      English
      51 day ago

      Yes I’ve had issues with this as well, since I’m a child I’ve set my password generator length at 69 characters… A small trick I’ve found is to delete and rewrite the last character of one of the two repeated passwords since often the validity check gets triggered on write but not on paste

  • Rei
    link
    fedilink
    English
    1824 hours ago

    The password should be hashed anyway, which has a fixed output

      • Caveman
        link
        fedilink
        English
        1022 hours ago

        Long here means a 400 page book as a password.

          • Caveman
            link
            fedilink
            English
            114 hours ago

            I think if people have 400 page book long passwords it doesn’t really need a unique hash

  • @TheObviousSolution@lemm.ee
    link
    fedilink
    English
    418 hours ago

    Some people even suggest typing a longer password over a simpler one with more special characters. It’s harder to brute force.

    • @veni_vedi_veni@lemmy.world
      link
      fedilink
      English
      2
      edit-2
      16 hours ago

      I thought the use vocabulary lookup tables effectively nullifies the entropy benefits, if everyone started using phrases as password

      • KubeRoot
        link
        fedilink
        English
        415 hours ago

        Obligatory xkcd.

        I don’t know enough to say how accurate the numbers are, but the sentiment stands - if it’s a password you’re memorizing, longer password will probably be better.

        • Jyek
          link
          fedilink
          English
          15 hours ago

          That’s not even the case though. Using a memorized passphrase that can be broken down into individual words is susceptible to dictionary attacks provided you know what the length of the password is. You can algorithmically sort away swathes of the dictionary based on how many likely word combinations exist before searching unusual word combinations. The thing is, passwords suck. It doesn’t matter how long the password is, if someone wants in, they’ll crack the password or steal it via some other means. Instead of relying on a strong password, you need to be relying on additional proof factors for sign in. Proper MFA with actual secure implementation is far more secure than any password scheme. And additionally, hardware key authentication is even more secure. If you are signing into an account and storing important data there, you do not want to rely on passwords to keep that data secure.

          The reason for the character limit on passwords is often to prevent malicious attacks via data dumping in the password dialogue box. Longer numbers take more CPU cycles to properly salt and encrypt. Malicious actors may dump as many characters in a password system as they wish if they wanted to take down a service or at least hurt performance.

          Additionally, even if you just used lowercase letters, an 18 character password would take 12 RTX 5090s approximately 284 thousand years to crack according to the recent Hive Systems report.

          24 characters is more than enough to be secure as far as passwords alone go. Just know that, nobody is out here brute forcing passwords at any length these days, there are infinite more clever ways of hacking accounts than that.

      • @Don_alForno@feddit.org
        link
        fedilink
        English
        3
        edit-2
        14 hours ago

        Assuming the attacker knows it’s a phrase: The english language alone apparently has some 800.000 words. 800.000^6 = 2*10^35 combinations in a dictionary attack. That’s comparable to 18 random ASCII characters. We might also be using a different language, or a combination of languages, or we might deliberately misspell words.

        A long string of random characters will give you more combinations per password length, but there are some passwords you just need to be able to memorize, and I’d say that’s more likely with the 6 words.

  • @mcat@lemmy.world
    link
    fedilink
    English
    451 day ago

    My worst experience so far was a webpage that trimmed passwords to 20 characters in length without telling you. Good luck logging in afterwards…

    • @SkunkWorkz@lemmy.world
      link
      fedilink
      English
      319 hours ago

      I remember some office software that didn’t accept certain special characters but didn’t tell the user and just accepted the new password. I had to bother IT support many times to reset my password.

    • @drewcarreyfan@lemm.ee
      link
      fedilink
      English
      331 day ago

      One of my favorite memories of how much Something Awful’s sysadmins were absolutely amateur hour back in the early 2000s was the “lappy” to “laptop” debacle. Apparently Lowtax found the term “lappy” so annoying that he ordered his system administrator to do a find/replace for every instance of “lappy,” replacing them with “laptop.”

      Unfortunately this included usernames and passwords, as well as anything that just managed to have the letters “lappy” in that order anywhere in the word. So, there was one user named ‘Clappy’ who woke up one day to find his name changed to ‘Claptop.’ Apparently this is also how people discovered that they were storing password unsalted in plain text in a fucking MySQL database, which if you’re old enough, you probably already remember that the combination of MySQL and PHPmyAdmin were like Swiss cheese when it comes to site defense. :p

    • @Randelung@lemmy.world
      link
      fedilink
      English
      31 day ago

      Common mistake for amateurs that found a password library and used it without reading the documentation. E. g. bcrypt will tell you to salt and hash the password before digesting it into constant length output for your database.

      Salting before doing anything else is basic password security. I assume the webpage in question doesn’t do that, either.

  • @UpperBroccoli@lemmy.blahaj.zone
    link
    fedilink
    English
    431 day ago

    We have a customer, a big international corporation, that has very specific rules for their intranet passwords:

    • Must contain letters
    • Must contain numbers
    • Must contain special characters
    • No repeats
    • Passwords must be changed every two months
    • Not the same password as any of the last seven
    • PASSWORDS MUST BE EXACTLY EIGHT CHARACTERS LONG

    I can only assume that whoever came up with these rules is either an especially demented BofH, or they have some really really weird legacy infrastructure to deal with.

    • @blacia@lemmy.blahaj.zone
      link
      fedilink
      English
      219 hours ago

      I worked in IT for a big national company for a short time. Passwords rules were : at least 8 characters, at least one uppercase letter, at least one number, change password every 2/3 months and different than the 3 previous ones. Several workers had a post-it on the screen with the 4 passwords they use. One of them had name of child and year of birth, I don’t know if it was his children or his relatives’ children too.

    • @drewcarreyfan@lemm.ee
      link
      fedilink
      English
      191 day ago

      I am a designer, but I once did a project with a very very major and recognizable tech corporation that, no joke, implemented an 8 character limit on passwords for storage reasons.

      This company made in the tune of tens of billions of dollars per year, and they were penny-pinching on literal bytes of data.

      I can’t say who it is, but their name begins with ‘M’ and ends in ‘cAfee.’

      • @Kissaki@feddit.orgOP
        link
        fedilink
        English
        4
        edit-2
        19 hours ago

        I can’t say who it is, but their name begins with ‘M’ and ends in ‘cAfee.’

        Whoever the company is, we have to assume it’s not a security-related company. Because, surely, none of those would do that ever.

    • Omega
      link
      fedilink
      English
      141 day ago

      No repeats??? Like, you cant have ‘aaaa123@’ as a password?

      You’re just making it easier to brute force…

      • @ILikeTraaaains@lemmy.world
        link
        fedilink
        English
        422 hours ago

        Since the password has to be changed every two months, I would assume that it means no repeating previously used passwords.

        • @TrippaSnippa@aussie.zone
          link
          fedilink
          English
          3
          edit-2
          19 hours ago

          It also says “must not be the same as any of the last seven passwords used” so I can only take “no repeats” to mean no repeated characters.

          Requiring passwords to be exactly 8 characters is especially ridiculous because even if they’re cheaping out on bytes of storage, that’s completely cancelled out by the fact that they’re storing the last seven passwords used.

  • @Crashumbc@lemmy.world
    link
    fedilink
    English
    116 hours ago

    What’s the point? no one is brute forcing a 12-15 password if the login system has ANY login attempt protection anyway.

    This seems like one of the extreme overkill things…

    • @JcbAzPx@lemmy.world
      link
      fedilink
      English
      210 hours ago

      That doesn’t help if someone got a list of their hashes somehow. Then an attacker can use their own system to crack them.

      And that’s if they aren’t just storing the passwords as clear text to begin with, which length limitations are often a sign of.

    • @Kissaki@feddit.orgOP
      link
      fedilink
      English
      312 hours ago

      Do you check on login attempt protection behavior before creating accounts, and then choose your password length accordingly - longer or shorter?

    • @_skj@lemmy.world
      link
      fedilink
      English
      211 hours ago

      Such a small max length is a good indicator they aren’t handling passwords correctly. A modern website should be able to send and hash kilobytes of text without the user seeing a significant delay. Having a max size like this sounds like they are storing the password as text instead of a hash.

      Or some dumb project manager said passwords longer than 24 characters look bad in the UI and wanted the limit.

  • @dQw4w9WgXcQ@lemm.ee
    link
    fedilink
    English
    231 day ago

    For a system I worked on a few years ago I got the password requirement:

    • Only upper case letters A-Z, no letter or symbols.

    • Exactly 7 characters.

    I was also recommended to make it a single word to make it memorable.