It’s pretty stupid because the longer the password the more secure it is.
Comment on My password is not accepted because it is too long
tarsisurdi@lemmy.eco.br 2 days ago
I once registered an account with a random ~25 characters long password (Keepass PM) for buying tickets on uhuu.com.br
The website allowed me to create the account just fine, but once I verified my e-mail, I couldn’t log into it due to there being a character limit ONLY IN THE LOGIN PASSWORD FIELD. Atrocious.
Etterra@discuss.online 2 days ago
scintilla@lemm.ee 1 day ago
I understand a cap of like 64 characters or something to keep storage space down for a company with millions of users. Other than that it doesn’t make a ton of sense.
Redjard@lemmy.dbzer0.com 1 day ago
That is a huge red flag if ever given as a reason, you never store the password.
You store a hash which is the same length regardless of the password.
scintilla@lemm.ee 1 day ago
You’re right lol. I forgot that hash lengths are different from the actual password length.
Cethin@lemmy.zip 1 day ago
Although at some point you’ll get collisions, but I don’t think that’s actually an issue. It’s still equally hard to guess a password from the hash, there will just be some solutions that are much longer than others.
mic_check_one_two@lemmy.dbzer0.com 1 day ago
The cap should actually be due to the hashing algorithm. Every password should be the exact same length once it is salted and hashed, so the actual length of the password doesn’t make a difference in regards to database size. The hash will be a set length, so the storage requirements will be the same regardless. Hashing algorithms have a maximum length, (IIRC the most popular ones cap at 128 characters), but the salt is also counted in that limit. So if they’re using a 32 character salt, then the functional cap would be 96 characters.
Low character caps are a huge red flag, because it means they’re likely not hashing your password at all. They’re just storing them in plaintext and capping the length to save storage space, which is the first mortal sin of password storage.
Redjard@lemmy.dbzer0.com 1 day ago
You can easily get the hash of whole files, there is no input size constraint with most hashing functions.
Special password hashing implementations do have a limit to guarantee constant runtime, as there the algorithm always takes as long as the worst-case longest input. The standard modern password hashing function (bcrypt) only considers the first 72 characters for that reason, though that cutoff is arbitrary and could easily be increased, and in some implementations is. Having differences past the 72nd character makes passwords receive the same hash there, so you could arbitrarily change the password on every login until the page updates their hashes to a longer password hashing function, at which point the password used at next login after the change will be locked in.
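Added worked example (not code from any commenter in this thread). It illustrates the two points made above: the stored hash is a fixed 32 bytes whether the password is 7 or 500 characters long, and a KDF that ignores everything past byte 72 gives two long passwords the same hash. The "truncating" function is a constructed stand-in for bcrypt built on Python's standard-library PBKDF2, not bcrypt itself; the salt, iteration count and sample passwords are constructed for the demo. It also shows the usual mitigation, pre-hashing with SHA-256 before the truncating KDF, and a registration-time check that counts UTF-8 bytes rather than characters.

```python
import hashlib

# bcrypt only feeds the first 72 bytes of the password into the KDF
# (the "72 characters" mentioned above); this constant models that limit.
BCRYPT_INPUT_LIMIT = 72

# Iteration count kept small so the example runs quickly; production
# deployments use far more (or Argon2/scrypt), which changes cost, not output length.
ITERATIONS = 1_000


def password_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 over the whole password: the output is always 32 bytes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def truncating_hash(password: str, salt: bytes) -> bytes:
    """Constructed model of a bcrypt-style KDF that silently drops bytes past the limit.

    This is NOT bcrypt; it only reproduces the one property under discussion
    (input truncation at 72 bytes) on top of PBKDF2 so the example needs no
    third-party dependency.
    """
    truncated = password.encode("utf-8")[:BCRYPT_INPUT_LIMIT]
    return hashlib.pbkdf2_hmac("sha256", truncated, salt, ITERATIONS)


def prehashed_truncating_hash(password: str, salt: bytes) -> bytes:
    """Mitigation: pre-hash with SHA-256 so every byte of a long password counts.

    The hex digest is 64 ASCII bytes, safely under the 72-byte limit, and
    contains no NUL byte (real bcrypt treats a NUL as end of string).
    """
    pre = hashlib.sha256(password.encode("utf-8")).hexdigest()
    return truncating_hash(pre, salt)


def exceeds_kdf_limit(password: str, limit: int = BCRYPT_INPUT_LIMIT) -> bool:
    """Registration-time check. The limit is in UTF-8 bytes, not characters,
    so an accented letter or an emoji uses more of it than an ASCII letter."""
    return len(password.encode("utf-8")) > limit


# Constructed sample inputs: two passwords that agree on the first 72 bytes
# and differ only afterwards.
SALT = b"constructed-fixed-salt-for-demo"   # real code: a random per-user salt
BASE = "correct horse battery staple " * 3   # 87 ASCII characters
PW_A = BASE + "-ending-one"
PW_B = BASE + "-ending-two"


def demo() -> dict:
    """Return the observations the thread argues about, for inspection or testing."""
    return {
        # same stored length regardless of password length
        "hash_len_short": len(password_hash("hunter2", SALT)),
        "hash_len_long": len(password_hash("x" * 500, SALT)),
        # truncation makes two different passwords verify as the same one
        "truncating_collides": truncating_hash(PW_A, SALT) == truncating_hash(PW_B, SALT),
        # pre-hashing restores the distinction
        "prehash_distinguishes": prehashed_truncating_hash(PW_A, SALT)
        != prehashed_truncating_hash(PW_B, SALT),
        "pw_a_over_limit": exceeds_kdf_limit(PW_A),
        "emoji_bytes": len("🔒".encode("utf-8")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as a script to see the observations printed. The useful takeaway for a site operator is the last two checks: if the KDF truncates, either pre-hash or reject (with a clear message) passwords longer than the limit at registration, and measure that limit in bytes, since a password full of non-ASCII characters hits 72 bytes long before it hits 72 characters.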
Irelephant@lemm.ee 1 day ago
You never store passwords. They should be hashed and salted.
FiniteLooper@lemm.ee 1 day ago
I’ve had this exact same thing happen.
I’ve also had it happen where you have the two fields to verify the password is the same. One had a maxlength set in it, and the other didn’t. I was for sure entering the same password and I was so confused until I opened up the dev tools and inspected the inputs.
AA5B@lemmy.world 1 day ago
I’ve seen this behavior too, I forget where. For me it was a bit easier since the fields displayed a different number of stars. I did spend too long trying to figure out how my password manager could be failing that way.
skullgiver@popplesburger.hilciferous.nl 2 days ago
PayPal did the same. Registration took 40 characters, login only half of that. Editing the login form didn’t work, unfortunately.