Please pick a password starting with ad and ending with min

magic_lobster_party , 4 hours ago

There’s a special place in hell for those who set an upper limit in password lengths.

CosmicTurtle0 , 4 hours ago

I sort of get it. You don’t want to allow the entire work of Shakespeare in the text field, even if your database can handle it.

16 characters is too low. I’d say a good upper limit would be 100, maybe 255 if you’re feeling generous.

i_am_not_a_robot , 4 hours ago

The eBay password limit is 256 characters.

They made the mistake of mentioning this when I went to change my password.

Guess how many characters my eBay password has?

abfarid , 3 hours ago

-1?

JackbyDev , 1 hour ago

Damn signed bytes!

eager_eagle , 2 hours ago

69

intensely_human , 22 minutes ago

oh yeah

n3cr0 , 1 hour ago

Just paste it in here and I count the characters for you.

owsei , 4 hours ago

The problem is that you (hopefully) hash the passwords, so they all end up with the same length.

Carighan , 4 hours ago

And sure, in theory your hashing browser-side could break if you do that. Depending on how much text the user pastes in. But at that point, it’s no longer your problem but the browser’s. 🦹

owsei , 3 hours ago

Why are you hasing in the browser?

Also, what hashing algorithm would break with large input?

FierySpectre , 2 hours ago

Why would you not hash in the browser. Doing so makes sure the plaintext password never even gets to the server while still providing the same security.

candybrie , 1 hour ago (edited 55 minutes ago)

Because then the hash is the password. Someone could just send the hash instead of trying to find a password that gets the correct hash. You can’t trust the client that much.

You can hash the password on both sides to make it work; though I’m not sure why you’d want to. I’m not sure what attack never having the plain text password on the server would prevent. Maybe some protection for MITM with password reuse?

CommanderCloon , 37 minutes ago

Because then that means you don’t salt your hashes, or that you distribute your salt to the browser for the hash. That’s bad.

yhvr , 1 hour ago

bcrypt has a maximum password length of 72 bytes.

en.wikipedia.org/wiki/Bcrypt#Maximum_password_len…

CommanderCloon , 35 minutes ago

If you hash in the browser it means you don’t salt your hash. You should absolutely salt your hash, not doing so makes your hashes very little better than plaintext.

Shadow , 11 minutes ago

There’s nothing stopping a browser from salting a hash. Salts don’t need to be kept secret, but it should be a new random salt per user.

expr , 3 hours ago

At minimum you need to limit the request size to avoid DOS attacks and such. But obviously that would be a much larger limit than anyone would use for a password.

owsei , 3 hours ago

Also rate of the requests. A normal user isn’t sending a 1 MiB password every second

JackbyDev , 1 hour ago

What’s a sensible limit. 128 bytes? Maybe 64?

MangoPenguin , 1 hour ago

Even 255 bytes with 10 million entries is only ~2.6GB of data you need to store, and if you have 10 million users the probably $1 a month extra that would cost is perfectly fine.

I suppose there may be a performance impact too since you have to read more data to check the hash, but servers are so fast now it doesn’t seem like that would be significant unless your backend was poorly made.

intensely_human , 25 minutes ago

Yeah but what if I have one user with 9.9 million accounts? That bastard

Olmai , 21 minutes ago

Account georg

CeruleanRuin , 2 hours ago

Oh and also, “change this every four weeks please.”

Okay then. NEW PASSWORD: pa$$word_Aug24

fritolay , 2 hours ago

Invalid password, maximum 13 characters.

Showroom7561 , 1 hour ago

Reasonable upper limits are OK. But FFS, the limit should be enough to have a passphrase with 4 or 5 words in it.

lauha , 17 minutes ago

Usually 256 bit hash is used. 256 bits is 32 bytes or 32 characters. Of course you are losing some entropy because character set is limited, but 32 characters is beyond reasonable anyway.

Eiri , 2 hours ago

You remind me of my bank about 17 years ago. Everyone had to have a 10-character password, exactly, and it had to include exactly 2 numbers and 1 symbol. I wasn’t very knowledgeable about computers at the time and it already felt dumb.

ByteOnBikes , 1 hour ago

17 years ago, jeez. My credit Union’s website is like that. Only its between 8-12 characters. No more, no less.

It’s terrifying.

Wogi , 1 hour ago

A few years ago my ISP pushed an update to my router that changed the password requirements, invalidating my passwords. Because I couldn’t enter the old password I also couldn’t change the password. I had to do a factory reset.

JackbyDev , 1 hour ago

Feels odd to check the password requirements on the enter password screen in addition to the new password screen.

Eiri , 39 minutes ago

Wow that’s a big oops

UpperBroccoli , 5 hours ago

English letters? Really? So basically no a-z, only Æ, Þ, Ƿ, Ð?

ImplyingImplications , 5 hours ago

Ye olde passwarde

fartsparkles , 5 hours ago

What have the Romans ever done for us?

Spot , 2 hours ago

Roads?

fartsparkles , 2 hours ago

Well, yeah. Obviously the roads. I mean, the roads go without saying, don’t they? But apart from the sanitation, the aqueducts, and the roads…

Spot , 2 hours ago

Irrigation! I need to rewatch this, it’s been too long.

fartsparkles , 2 hours ago

All right, but apart from the sanitation, the medicine, education, wine, public order, irrigation, roads, a fresh water system, and public health, what have the Romans ever done for us?

Spot , 2 hours ago

Brought peace?

skuzz , 1 hour ago

livescience.com/…/remains-of-7000-year-old-sunken…

Nah

egrets , 4 hours ago

Also Œ, Ȝ, and arguably W and U.

drolex , 4 hours ago

Anglo-saxons got the UWU, nice

Carighan , 4 hours ago

Would ë qualify?

guy_threepwood , 5 hours ago

I had one of those “fancy” Vodafone routers included with my broadband which had a stupid rule set on choosing the WiFi password. It’s my network, not yours, stupid router. It can be as insecure as I want.

Anyway the rules were enforced by the JavaScript so it was easy to bypass until I got my own router to replace it with.

infeeeee , 4 hours ago

It’s important to note, that these things are designed for the average user. If you want to change the wifi password, you are by far not an average user. Most users just plugs in and never even think about that, and the number of that kind of users are several order of magnitude higher than the conscious ones. For them it’s much more secure to set a random pw. If you let them select a password they will choose 12345 or password.

If you know what you are doing usually it’s better to buy your own router where you can change everything the way you like.

JackbyDev , 1 hour ago

If we could magically get the data I’d be willing to bet at least half of everyone thinks they can’t change their router password.

possiblylinux127 , 1 hour ago

Create a randomly generated password and store it in a password manager

superkret , 2 hours ago

add1more_Dopamin

bjoern_tantau , 4 hours ago

Take a string as bytes is bad with weird non-ASCII characters. Been there, been bitten in the ass by it.

At least with e-mail clients different clients on different operating systems use different encoding by default for their passwords.

With a router I could imagine different client apps following different standards.

expr , 3 hours ago

You don’t have to take arbitrary bytes. UTF-8 encoded strings are just fine and easily handled by libraries.

bjoern_tantau , 3 hours ago

At least with e-mail clients different clients on different operating systems use different encoding by default for their passwords.

expr , 2 hours ago

The manufacturer obviously also makes the app and can control the encoding.

abfarid , 3 hours ago

Adrenamin™

9point6 , 5 hours ago

underlines

dohpaz42 , 5 hours ago

/^w{6,16}$/

gratux , 3 hours ago

german programmers trying to translate Unterstrich

Carighan , 4 hours ago

Just do the Password Game to figure out a good one!

skullgiver , 4 hours ago

Depending on how they do their length check, this “English only” check makes sense in a way. Non-ascii letters are a pain to validate the length of (“🏴󠁧󠁢󠁳󠁣󠁴󠁿” is seven code points and fourteen bytes long, but just one “character” to most people).

I don’t know why the max length is that low (I presume it’s stored in plaintext) but you can’t expect someone to write a good password strength algorithm from a company producing the cheapest routers imaginable.

Machefi , 5 hours ago

Assuming we can use both lower- and uppercase letters (52 in total), with the ten digits and the underscore that gives us 63 characters to work with. A random 16-character combination of these gives us 95 bits of entropy (rounding down), which is secure enough by modern standards, at least for a home router.

Regardless, I understand the frustration of arbitrary limitations preventing you from choosing a secure password in a way that you’re comfortable with.