Table Flip Time 🙃
Table Flip Time 🙃
Table Flip Time 🙃
Anytime you see a password length cap you know they are not following current security standards. If they aren't following them for something so simple and visible, you'd better believe it's a rat infested pile of hot garbage under the hood, as evidenced here.
you have to limit it somewhere or you're opening yourself up for a DoS attack
password hashing algorithms are literally designed to be resource intensive
Edited to remove untrue information. Thanks for the corrections everyone.
Are you saying that any site which does not allow a 27 yobibyte long password is not following current security standards?
I think a 128 character cap is a very reasonable compromise between security and sanity.
Atleast this is reasonable, I have seen some website don't allow more than 6 character.
WTF? Are they trying to get hit with brute force attacks?
At least it's 128
I had a phone carrier that changed from a pin to a "password" but it couldn't be more than 4 characters
my bank...
At my job they just forced me to use a minimum 15-character password. Apparently my password got compromised, or at least that was someone’s speculation because apparently not everyone is required to have a 15-char password.
My job is retail, and I type my password about 50 times a day in the open, while customers and coworkers and security cameras are watching me.
I honestly don’t know how I’m expected to keep my password secure in these circumstances. We should have physical keys or biometrics for this. Passwords are only useful when you enter them in private.
Yeah you should have a key card. Like not even from a security perspective but from an efficiency one. Tap a keycard somewhere that would be easily seen if an unauthorized person were to even touch or even swipe it if need be. I’m sick and tired of passwords at workplaces when they can be helped
Ask your boss to get you a yubikey
In theory yes. But in practice the DB will almost always have some cap on the field length. They could just be exposing that all the way forward. Especially depending on their infastructure it could very well be that whatever modeling system they use is tightly integrated with their form generation too. So the dev (junior or otherwise) thought it would be a good idea to be explicit about the requirement
That said, you are right that this is still wrong. They should use something with a large enough cap that it doesn't matter and also remove the copy telling the use what that cap is
Hashing will make every password the same length.
You misunderstand the issue. The length of the password should not have any effect on the size of the database field. The fact that it apparently does is a huge red flag. You hash the password and store the hash in the db. For example, a sha256 hash is always 32 bytes long, no matter how much data you feed into it (btw, don’t use sha256 to hash passwords, it was just an example. It’s not a suitable password hashing algorithm as it’s not slow enough).
[This comment has been deleted by an automated system]
Do you really need more than 128 characters?
I'm going to ruin this man's whole database
I know this a a joke, but please use a password manager, it is such a game changer.
Bitwarden is free and E2E encrypted and if you want additonal feature, they only cost 10 bucks pre year. You can even use it with anonaddy to hide your email, which is also totally free and open source.
What are those premium features? I never felt like I was missing something from the free bitwarden
You can have it generate 2FA TOTP.
yubikey/fido2 support is what I'd probably consider premium for
One of them is password sharing if I remember well.
I’m already using Bitwarden but I hadn’t heard about anonaddy, thanks for the tip!
They work like a miracle together https://bitwarden.com/blog/add-privacy-and-security-using-email-aliases-with-bitwarden/
What is even more surprising is that even the free tier is perfectly usable, but consider paying if you have the money to support them.
I know it's annoying that the password "doesn't match", but ... a 128 character limit?! I'd like to see THAT fully utilized lol.
(PS: the sentence above is exactly 128 characters, just for a comparison.)
...and I bet once you want to change it you get the "your new password can not be the old password" error message just because.
An acquaintance of mine has a 36 characters long passcode for his tablet that he manually puts in every time he wants to use it.
And you can use password managers to make secure passwords without ever having to input them yourself.
That is a very good idea if you want to disincentivise yourself from using your tablet
I mean there is bitwarden, which literally can generate you strong random unique passwords for each site. Not really hard these days, I personally have unique one for every site but cap mine around 36 characters when generating passwords. Depends on the website tho.
My favorite was when I changed my password and they allowed different restrictions on the change password screen than they did when logging in. I changed my password to a 24 character one but log in screen only allows for max 16. I think they were truncating somewhere but I could not figure it out. Also could not change it again as it said it was incorrect.
One is clearly uppercase 'i' and the other lowercase 'L'
Those are L.hate… and i.hate…, am I seeing that correctly?
This is even more infuriating than getting "password incorrect" going in and getting a recovery password, then trying to change passwords to the one you initially used and getting "new password can't be the same as old password."
Yikes.... This thread is a wasteland of misinformation and mininformers arguing with other mininformers about who's misinformation is less ill informed.
This thread is:
This comment could just be copy-pasted to so many threads
Is there a software gore community yet?
Hi there! Looks like you linked to a Lemmy community using a URL instead of its name, which doesn't work well for people on different instances. Try fixing it like this: !softwaregore@lemmy.world
It'll just end up as much of a mess as the reddit one unless it's actually moderated by folks involved in software development.
Pics of every test email, intern tweet, off center icon, or misspelled SMS message are not software gore. The stuff every application everywhere has isn't gore, it's normal, mundane, every day stuff.
Edit: Looks like it exists already, and I'm right. It's not really software gore, more like software paper cuts.
Did one get an autocorrect space after the .?
Seems like they don't consider a period to be a "special character"
That’s not the issue here as the special character check passes. It’s the validation between the two fields that’s broken.
Most probably not broken at all.
I.hate.password.
l.hate.password.
The first is a capital i, the second is a lower case L.
OP here, reading all the comments and theories as to why the I or L or whatever isn't a match. I copy and pasted it after it didn't like my typing skills, tried it twice and no go... I believe the periods aren't an acceptable special character even though they technically are. It also would not accept spaces in-between words, I was first gonna use "I hate password" for my password but no go there.
The password it accepted was weak AF, two "stupid-words" strung together.
No, one is an uppercase “I” while the other is a lowercase “L.” lI — you can see the difference when you compare it to the nearby “h.”
Ah, so OP was up to shenanigans??? I should have suspected as much from that mischievous miscreant!!!
Yeah I think that's the main issue. It wouldn't take it with spaces so I put the periods instead. Rage face
User error can still be mildly infuriating, I'm not removing this post. Thanks!
How do hackers break into things? Inject codes into the password field and attack a vulnerability. Buffer overflow, application fuzzing.
i vs L strikes again
I’m glad someone else noticed this right away as well