848
submitted 4 months ago* (last edited 4 months ago) by cron@feddit.org to c/cybersecuritymemes@lemmy.world

Last week, I tried to register for a service and was really surprised by a password limit of 16 characters. Why on earth yould you impose such strict limits? Never heard of correct horse battery staple?

you are viewing a single comment's thread
view the rest of the comments
[-] faltryka@lemmy.world 142 points 4 months ago

This is my biggest pet peeve. Password policies are largely mired in inaccurate conventional wisdom, even though we have good guidance docs from NIST on this.

Frustrating poor policy configs aside, this max length is a huge red flag, basically they are admitting that they store your password in plan text and aren’t hashing like they should be.

If a company tells you your password has a maximum length, they are untrustable with anything important.

[-] cron@feddit.org 88 points 4 months ago

Oh I had the same thought. Whoever limits password length probably has many other shitty security practices.

[-] slazer2au@lemmy.world 32 points 4 months ago

If a company tells you your password has a maximum length, they are untrustable with anything important.

Lemmy-UI has a password limit of 60 characters. Does that make it untrustworthy?

[-] cron@feddit.org 57 points 4 months ago

OWASP recommendation is to allow 64 chars at least:

Maximum password length should be at least 64 characters to allow passphrases (NIST SP800-63B). Note that certain implementations of hashing algorithms may cause long password denial of service.

The lemmy-UI limit is reasonably close and as everything is open source, we can verifiy that it does hash the password before storing it in the database.

There is a github issue, too.

[-] faltryka@lemmy.world 14 points 4 months ago

It being open source helps because we can confirm it’s not being mishandled, but it’s generally arbitrary to enforce password max lengths beyond avoiding malicious bandwidth or compute usage in extreme cases.

[-] unmagical@lemmy.ml 20 points 4 months ago

If a company tells you your password has a maximumn length, they are untrustable with anything important.

I would add if they require a short "maximum length." There's no reason to allow someone to use the entirety of Moby Dick as their password, so a reasonable limit can be set. That's not 16 characters, but you probably don't need to accept more than 1024 anyway.

[-] Valmond@lemmy.world 5 points 4 months ago

Why not? You're hashing it anyways, right?

Right?!

[-] phcorcoran@lemmy.world 12 points 4 months ago

Sure but if my password is the entire lord of the rings trilogy as a string, hashing that would consume some resources

[-] Valmond@lemmy.world 2 points 4 months ago

I think there are other problems before that 😂

[-] unmagical@lemmy.ml 5 points 4 months ago

Of course, but if you're paying for network and processing costs you might as well cap it at something secure and reasonable. No sense in leaving that unbounded when there's no benefit over a lengthy cap and there are potentially drawbacks from someone seeing if they can use the entirety of Wikipedia as their password.

[-] DaPorkchop_@lemmy.ml 1 points 4 months ago

You can also hash it on the client-side, then the server-side network and processing costs are fixed because every password will be transmitted using same number of bytes

[-] unmagical@lemmy.ml 2 points 4 months ago

You still need to deal with that on the server. The client you build and provide could just truncate the input, but end users can pick their clients so the problem still remains.

[-] DaPorkchop_@lemmy.ml 1 points 4 months ago

The server can just reject any password hash it receives which isn't exactly hash-sized.

[-] Valmond@lemmy.world 1 points 4 months ago

That would take care of it, you do nead to salt & hash it again server side ofc.

[-] frezik@midwest.social 2 points 4 months ago

Bcrypt and scrypt functionally truncate it to 72 chars.

There's bandwidth and ram reasons to put some kind of upper limit. 1024 is already kinda silly.

[-] AA5B@lemmy.world 1 points 4 months ago

I wonder if a lot of it is someone using their personal experience and saying “just a little bigger ought to cover it”

When I used my own passwords, I rarely used more than 12 characters, so that should be enough

All the password generators I’ve used default to about 24 chars, so 30 ought to be enough for anyone

[-] Revan343@lemmy.ca 1 points 4 months ago

you probably don't need to accept more than 1024 anyway.

OWASP recommends allowing at least 64 characters. That would cover all of my passphrases, including the ones that are entire sentences

[-] clearedtoland@lemmy.world 14 points 4 months ago

The number of government websites that I’ve encountered with this “limitation.” Even more frustrating when it’s not described upfront in the parameters or just results in an uncaught error that reloads the page with no error message.

[-] DarkDarkHouse 2 points 4 months ago* (last edited 4 months ago)

Or accepts and silently truncates it 🤬

[-] chameleon@fedia.io 10 points 4 months ago

bcrypt has a maximum password length of 56 to 72 bytes and while it's not today's preferred algo for new stuff, it's still completely fine and widely used.

[-] DaPorkchop_@lemmy.ml 2 points 4 months ago

Wait, really? I always thought bcrypt was just a general-purpose hash algorithm, never realized that it had an upper data size limit like that.

[-] primrosepathspeedrun@lemmy.world 2 points 4 months ago

also, if they think a strong password is only about types of characters. a dozen words from as many languages and 5+alphabets is just as good!

its to the point I don't bother remembering my passwords anymore, because this bullshit makes user-memorable-hard-to-machine-guess passwords impossible.

[-] Reverendender@sh.itjust.works 1 points 4 months ago

I am now very concerned about a certain medical implant device company

this post was submitted on 18 Aug 2024
848 points (98.8% liked)

Cybersecurity - Memes

1893 readers
2 users here now

Only the hottest memes in Cybersecurity

founded 1 year ago
MODERATORS