Please pick a password starting with ad and ending with min

Eiri , 16 minutes ago

You remind me of my bank about 17 years ago. Everyone had to have a 10-character password, exactly, and it had to include exactly 2 numbers and 1 symbol. I wasn’t very knowledgeable about computers at the time and it already felt dumb.

superkret , 42 minutes ago

add1more_Dopamin

abfarid , 1 hour ago

Adrenamin™

Carighan , 2 hours ago

Just do the Password Game to figure out a good one!

skullgiver , 2 hours ago

Depending on how they do their length check, this “English only” check makes sense in a way. Non-ascii letters are a pain to validate the length of (“🏴󠁧󠁢󠁳󠁣󠁴󠁿” is seven code points and fourteen bytes long, but just one “character” to most people).

I don’t know why the max length is that low (I presume it’s stored in plaintext) but you can’t expect someone to write a good password strength algorithm from a company producing the cheapest routers imaginable.

bjoern_tantau , 2 hours ago

Take a string as bytes is bad with weird non-ASCII characters. Been there, been bitten in the ass by it.

At least with e-mail clients different clients on different operating systems use different encoding by default for their passwords.

With a router I could imagine different client apps following different standards.

expr , 1 hour ago

You don’t have to take arbitrary bytes. UTF-8 encoded strings are just fine and easily handled by libraries.

bjoern_tantau , 58 minutes ago

At least with e-mail clients different clients on different operating systems use different encoding by default for their passwords.

expr , 44 minutes ago

The manufacturer obviously also makes the app and can control the encoding.

magic_lobster_party , 2 hours ago

There’s a special place in hell for those who set an upper limit in password lengths.

CosmicTurtle0 , 2 hours ago

I sort of get it. You don’t want to allow the entire work of Shakespeare in the text field, even if your database can handle it.

16 characters is too low. I’d say a good upper limit would be 100, maybe 255 if you’re feeling generous.

i_am_not_a_robot , 2 hours ago

The eBay password limit is 256 characters.

They made the mistake of mentioning this when I went to change my password.

Guess how many characters my eBay password has?

abfarid , 1 hour ago

-1?

eager_eagle , 41 minutes ago

69

owsei , 2 hours ago

The problem is that you (hopefully) hash the passwords, so they all end up with the same length.

Carighan , 2 hours ago

And sure, in theory your hashing browser-side could break if you do that. Depending on how much text the user pastes in. But at that point, it’s no longer your problem but the browser’s. 🦹

owsei , 1 hour ago

Why are you hasing in the browser?

Also, what hashing algorithm would break with large input?

FierySpectre , 2 minutes ago

Why would you not hash in the browser. Doing so makes sure the plaintext password never even gets to the server while still providing the same security.

expr , 1 hour ago

At minimum you need to limit the request size to avoid DOS attacks and such. But obviously that would be a much larger limit than anyone would use for a password.

owsei , 1 hour ago

Also rate of the requests. A normal user isn’t sending a 1 MiB password every second

CeruleanRuin , 1 minute ago

Oh and also, “change this every four weeks please.”

Okay then. NEW PASSWORD: pa$$word_Aug24

Machefi , 3 hours ago

Assuming we can use both lower- and uppercase letters (52 in total), with the ten digits and the underscore that gives us 63 characters to work with. A random 16-character combination of these gives us 95 bits of entropy (rounding down), which is secure enough by modern standards, at least for a home router.

Regardless, I understand the frustration of arbitrary limitations preventing you from choosing a secure password in a way that you’re comfortable with.

UpperBroccoli , 3 hours ago

English letters? Really? So basically no a-z, only Æ, Þ, Ƿ, Ð?

ImplyingImplications , 2 hours ago

Ye olde passwarde

fartsparkles , 2 hours ago

What have the Romans ever done for us?

Spot , 39 minutes ago

Roads?

fartsparkles , 31 minutes ago

Well, yeah. Obviously the roads. I mean, the roads go without saying, don’t they? But apart from the sanitation, the aqueducts, and the roads…

Spot , 25 minutes ago

Irrigation! I need to rewatch this, it’s been too long.

fartsparkles , 11 minutes ago

All right, but apart from the sanitation, the medicine, education, wine, public order, irrigation, roads, a fresh water system, and public health, what have the Romans ever done for us?

Spot , 6 minutes ago

Brought peace?

egrets , 2 hours ago

Also Œ, Ȝ, and arguably W and U.

drolex , 2 hours ago

Anglo-saxons got the UWU, nice

Carighan , 2 hours ago

Would ë qualify?

9point6 , 3 hours ago

underlines

dohpaz42 , 2 hours ago

/^w{6,16}$/

gratux , 1 hour ago

german programmers trying to translate Unterstrich

guy_threepwood , 3 hours ago

I had one of those “fancy” Vodafone routers included with my broadband which had a stupid rule set on choosing the WiFi password. It’s my network, not yours, stupid router. It can be as insecure as I want.

Anyway the rules were enforced by the JavaScript so it was easy to bypass until I got my own router to replace it with.

infeeeee , 2 hours ago

It’s important to note, that these things are designed for the average user. If you want to change the wifi password, you are by far not an average user. Most users just plugs in and never even think about that, and the number of that kind of users are several order of magnitude higher than the conscious ones. For them it’s much more secure to set a random pw. If you let them select a password they will choose 12345 or password.

If you know what you are doing usually it’s better to buy your own router where you can change everything the way you like.