Comment by cgriswald
6 years ago
Many, many websites will happily accept passwords of $X characters and then hash only $(X-Y) characters on registration, but try to hash all $X characters on login, so of course the hashes don’t match. And at no point do they tell you the maximum number of characters.
I once had a page that prevented pasting, but LastPass's password generator still worked. So I put in a long password using that, but when I clicked to register it came up with a blank error message. Turns out they had a 16 character limit that was only enforced when you typed in the box, so I had to count the number of letters they allowed me to type and then let LastPass generate a password of that length. Infuriating.
This has happened to me on many occasions, even with bigger sites which "should know better". Tis why I'm always slightly paranoid about entering in long passwords when signing up to new sites.
Square Enix's account management on the PS4 allowed me to set a password with a space on the end, but their website strips spaces from the password field when you sign in.
Fun fact: it's actually really easy to submit a string with a space on the end when entered via a PS4 controller.
Trimming spaces is the one evil that is kind of necessary. Way too many text selection tools select trailing spaces. Firefox and Chrome both do when selecting words. Got a mail with a reset password and want to copy it over? Yeah, good chance the space is copied as well. On a few occasions it even ended up in my password manager. Please, just apply password rules everywhere consistently.
> Please, just apply password rules everywhere consistently.
This would honestly fix all of it, without even needing to communicate information about how passwords are handled. Although, I think those rules should be communicated as well, so users can make good choices about password security. If spaces are removed, that lowers entropy and users may want to add additional characters or restrict spaces in their password generator.
It may not be easy. You might have dozens of different client applications with different requirements or abilities. But it is simple: Figure out your best practices and your lowest common denominator. Then apply those rules to every password every time in every context.
Alternatively, if you have clients which (for whatever reason) need a special case, create a separate hash for that special case and then use that only for that client. (Likely, this will reduce the overall security of the account, but if this is your lowest common denominator, allowing other clients to have greater security certainly doesn't hurt you.)
On a semi-related note I once had to help a coworker who couldn't log into a server using an auto-generated password listed like so:
The password is p4ssw()rd.
Turns out they didn't realize the period was part of the password.
Back in the day, I created an AOL password with CTRL-BACKSPACE in it. It worked when using the AOL software but when I tried to log into the website, it deleted the password.
Yes, this is terribly annoying, often there is a minimum length but no mention of maximum length. I see this on many, many websites...
What kind of range limits are you talking about? 30? 100?
Lots of sites have a limit of 72 characters, maybe even without the developers knowing about it. Bcrypt has a limit of 72.
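Added example, not written by anyone in this thread: the register/login mismatch described above (truncate on registration, hash everything on login) reproduced beside a single canonicalization routine used on both paths, which rejects over-limit input instead of silently cutting it. PBKDF2 from the standard library stands in for bcrypt, MAX_BYTES uses the 72-byte figure from the comment above, and the function names and sample salt are my own.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

MAX_BYTES = 72      # bcrypt's input limit, per the comment above; enforced on every path
ITERATIONS = 100_000


class PasswordPolicyError(ValueError):
    """Raised instead of silently truncating an over-limit password."""


def canonicalize(password: str) -> bytes:
    """The one normalization used on registration AND login.
    NFC so the same visible string always encodes identically; no trimming
    (a trailing space is part of the secret); byte length checked, not chars."""
    data = unicodedata.normalize("NFC", password).encode("utf-8")
    if len(data) > MAX_BYTES:
        raise PasswordPolicyError(f"password exceeds {MAX_BYTES} bytes")
    return data


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", canonicalize(password), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    try:
        candidate = hashlib.pbkdf2_hmac("sha256", canonicalize(password), salt, ITERATIONS)
    except PasswordPolicyError:
        return False            # over-limit input was never accepted, so it can't match
    return hmac.compare_digest(candidate, digest)


# --- The bug from the thread: registration cuts to `limit` chars, login hashes all of them ---
def buggy_register(password: str, limit: int, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password[:limit].encode("utf-8"), salt, ITERATIONS)


def buggy_login(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    salt = b"\x00" * 16                      # constructed, fixed salt for the demo only
    pw = "x" * 20
    stored = buggy_register(pw, 16, salt)
    print("buggy site, full password:", buggy_login(pw, salt, stored))       # False
    print("buggy site, first 16 chars:", buggy_login(pw[:16], salt, stored)) # True
```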
It's honestly a crapshoot. I've seen as low as 8 (a sibling poster says 6), but 10, 12, 15, 16, and 20 are not unusual. It's usually an even number, so you can just knock 2 characters off your password at a time (after making it an even number) until you're down to the maximum to figure it out.
Wells Fargo’s is 12 IIRC.
I believe that Blizzard had a limit of ~20 until recently for battle.net accounts (don't know if that's still the case).
I remember that Microsoft got stuck with a 16 character limit for a while thanks to hotmail.
Often it's 20. Not sure why 20 is so common.
I've seen 6 characters and 16.
Had this issue with Google a few years ago when I tried to set my password to something ludicrously long (think 5000+ characters). It would happily change my password, but I couldn't log in to anything afterwards…
For many years, Schwab ignored any characters after 8 in its password. Discovered that when I knew I flubbed one of the last characters, and it still worked.
I still can't believe a major bank got away with that for so long, apparently unharmed.
I learned this the hard way when I started using a password manager. I had the bright idea to start using 90 character passwords for all my accounts and suddenly I couldn't log into a lot of accounts.