323
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 28 Sep 2023
323 points (75.7% liked)
Games
32736 readers
2056 users here now
Welcome to the largest gaming community on Lemmy! Discussion for all kinds of games. Video games, tabletop games, card games etc.
Weekly Threads:
Rules:
-
Submissions have to be related to games
-
No bigotry or harassment, be civil
-
No excessive self-promotion
-
Stay on-topic; no memes, funny videos, giveaways, reposts, or low-effort posts
-
Mark Spoilers and NSFW
-
No linking to piracy
More information about the community rules can be found here.
founded 1 year ago
MODERATORS
Doesnt lemmy also do it? I think I ve heard from Ruben at Boostforlemmy that lemmy only treats first 60 characters of your password as a password and the rest gets discarded. [citation needed]
Can't say I've ever tried to use a password quite that long, so I'm not sure.
Not ideal, but trimming it (especially when you're keeping 60 chars) isn't the end of the world. It was just super confusing that the web app doesn't trim it during login as well. There's no indication that your password was modified or what you've entered to login is too long. Just 'incorrect user/pass' despite entering what you've just set. That char limit for my bank is only 16 chars, so it's easy to hit.
It's a big deal IMO, particularly because at login it doesn't do the same. From the user perspective, your password has effectively been modified without your knowledge and no reasonable way of finding out. Good luck getting access to your account.
When a bank does this it should be considered gross negligence.
Kind of.
The official web UI doesn't let you enter more than 60 characters, but doesn't indicate that at all. So you can keep typing past 60 characters but it won't get added to the input field and you can't really see that. If you paste a password into the field, it gets trimmed to 60 characters.
When creating a password, the server checks that it isn't longer than 60 characters and returns an error if so. On login, however, it silently trims the password to 72 bytes, because that's what the hashing algorithm they use supports.