- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
So if I want to hack one of his account, I only have to check passwords of 62 characters or what the limit of the site is? Good to know...
Admin
Once upon a time my bank had a limit of 16 characters IIRC. That was fun! Luckily today they don't even offer password authentication as an option anymore, instead going for various forms of 2FA tokens.
Admin
As long time members of the TDWTF forums will know, if you don't have an upper limit on password length then sooner or later someone is going to paste the whole of War and Peace and bring your server to its knees as it tries to hash a million character plus string
Edit Admin
Luckily? Relying on 2FA tokens only is not secure; it's the combination of 2FA with a password that works. With 2FA only, an attacker just needs to get access to the victim's email or phone (including SIM spoofing or something like that), and say bye-bye to your money.
Edit Admin
If access only requires a code sent via email or SMS, then by definition it isn't 2-Factor Authentication.
/pedantic
Admin
Maximum password lengths are TRWTF because they suggest insecure password storage. If you are storing your passwords as secure hashes of the actual password, as everyone should, then you have no reason to care about how long the password is. (Within nonobscene limits Jaloopa.) The only reason you would force the password to be less than however many characters is because that is the size of the database field where you are storing it. If you don't have enough sense to hash your passwords, then I don't trust you to do any other security right either.
Even if someone does paste in war and peace as their password, I can just hash the first kilobyte or so which will be more than secure, and the user will never know the difference.
Edit Admin
When I see a limit of 40 characters, I automatically assume that they are storing the actual password as plain text.
Admin
A fully randomly generated password of 40 bytes, with an alphabet of 64 characters (26 upper case letters + 26 lower case letters + 10 digits + only 2 symbols, in practice more should be supported) will have 40 * log2(64) = 40 * 6 = 240 bits of entropy. In practice a little more than that because there's certainly more than 2 symbols available. Most cryptographic primitives peak out at 256 bits of security, and 240 bits is close enough to that. If you use a decent key derivation function with a reasonably large work factor, you'd have to harvest the whole energy of the universe to crack a single password. I wouldn't worry about that limit at all.
Admin
I don't think the existence of an upper limit was the issue. If I was on a straight, flat highway with many wide lanes, I wouldn't complain about the existence of a 25MPH speed limit, I would complain about the number at which it's set.
Admin
There are whole sites dedicated to cataloging lists of websites with stupid password requirements, in the hopes of shaming them. E.g. passwordshamer.com .
Edit Admin
To your pedantry, I raise my real world experience: I've seen that before. LUCKILY, my banks (I have a few, between my personal and corporate entities) don't do that, but other sites have this fake-urity.
Admin
Yes, came here to say this. Although the hashing of a passwords means one isn't constrained by a something like a database column size, there are denial of service considerations from very long strings being submitted. So, I wouldn't raise an eyebrow at a limit of say 1024, or one is wanting to be really accommodating you could make it 4096 (not that it needs to be a power of 2, but it always feels more right to me).
Admin
Whenever I see an upper limit on password length, I assume they're storing the plaintext password somewhere. Your password should never be transmitted raw, it should be processed through a KDF locally with salt and whatnot, and that should go to the server. And the output can be whatever size they feel like using so you don't have to worry about someone DOSing you with War and Peace...
Edit Admin
An excellent point!
Edit Admin
I think if you do put an upper limit, 100 is the smallest it should be set. I would use 256.
Also, never trust a user's machine with secure information. The end user might end up changing stuff around that will result in you storing their password in plain text.
Admin
On one site (before they got bought by another company and now do authentication completely differently), I kept having problems logging in using a password generated by my password manager. Every time I tried to log in, I would have to reset my password and set a new one, which it happily accepted at the time, but then next time it wouldn't work. On a hunch, I slightly shortened the generated password length, and then it worked fine after that. Turns out that while the system would accept a 15-character password, the password field on the login page only accepted 14 characters.
Edit Admin
...Depending.
I can't remember where it was, but I know I had an account somewhere and kept having to reset my password for it. I think it was either one of those cases where the "forgot password" path sent you a temporary link that took you to a Change Password interface and then after changing the password you were already logged in, or the kind where you answered some security questions and the Reset Password form would send you a new password and you had to change it immediately upon logging in before you could do anything else...not sure which; it's been a long time. But it about had to be one of those two, or I wouldn't likely have run into this issue repeatedly before figuring out the problem.
The issue, as I eventually discovered, was that the form for setting my new password was SILENTLY TRUNCATING what I entered, but the password field on the LOGIN form was not. So my actual password was shorter than what I'd tried to set.
If I remember correctly, once I did figure it out, I determined that the length limit was set on the field properties in HTML, and when I modified the field before submitting the change password form, I was actually able to set a longer password and have it work. So it is POSSIBLE that they were not in fact storing the password in plain text. But...anyone taking bets?
Admin
I accidentally did something similar- the valid characters for Set Password and login were different, and the login wouldn't allow you to enter the "bad" characters...
Admin
The first kilobyte of "War and Peace" is not secure. But neither is the whole text.
Admin
In this case, the derived key becomes the actual password (an attacker only needs this key, not the actual password entered), so the server needs to hash it again to avoid storing it in plain. Sure, the derived key will usually be fixed-size, but a malicious user could still send overly long data in the key field, so you still need a length check to avoid DOS attacks.
Edit Admin
A once saw a security auditor mandating a password requirement like "no two identical characters in a row". That had the nice effect of making random passwords generated by password managers very likely to be rejected, unless you lowered password length significantly.
Edit Admin
Of course the present trend is stopping using passwords entirely and just using the 6-digit code txted to your phone. Not necessarily for high security apps, but for many less vital apps.
One of my credit card issuers (eek!) just went to that login standard.
Why is this popular? Because typing passwords is too hard on a phone and every business wants to be more phone-friendly than big screen + keyboard friendly. I'm not sure which is worse, the moronic PHB suits, or the idjit user community.
Edit Admin
Yeah, I had that experience around 1990 with a login password. The password setting code truncated my password to 8 characters but the login hashed all 9 of my password. Fortunately, it was a common enough issue that it didn't take long for my peers to help.
Edit Admin
“Well, Prince, so Genoa and Lucca are now just family estates of the Buonapartes. But I warn you, if you don’t tell me that this means war, if you still try to defend the infamies and horrors perpetrated by that Antichrist—I really believe he is Antichrist—I will have nothing more to do with you and you are no longer my friend, no longer my ‘faithful slave,’ as you call yourself! But how do you do? I see I have frightened you—sit down and tell me all the news.”
It was in July, 1805, and the speaker was the well-known Anna Pávlovna Schérer, maid of honor and favorite of the Empress Márya Fëdorovna. With these words she greeted Prince Vasíli Kurágin, a man of high rank and importance, who was the first to arrive at her reception. Anna Pávlovna had had a cough for some days. She was, as she said, suffering from la grippe; grippe being then a new word in St. Petersburg, used only by the elite.
All her invitations without exception, written in French, and delivered by a scarlet-liveried footman that morning, ran as follows:
“If you have nothing better to do, Count (or Prince), and if the prospect of spending an evening with a poor invalid is not too terrible, I shall be very charmed to see you tonight between 7 and 10—Annette Schérer.”
“Heavens! what a virulent attack!” replied the prince, not in the least disconcerted by this reception. He had just **** stack smashing detected **: ./wtf.bin terminated ======= Backtrace: ========= /lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)Aborted