In password security, the longer the better. With a password manager, using more than 24 characters is simple. Unless, of course, the secure password is not accepted due to its length. (In this case, through STOVE.)
Possibly indicating cleartext storage of a limited field (which is an absolute no-go), or suboptimal or lacking security practices.
I once used 20 for a bank. The website hadn't told me it was too long, just clipped off 2 and accepted the rest. Not even the banking support was able to help me. Took me a few days to solve this by accident.
Some people even suggest typing a longer password over a simpler one with more special characters. It’s harder to brute force.
This seems to be very common still
I don’t have it in me
The password should be hashed anyway, which has a fixed output
But there must be a (long) max length anyway, to prevent some kinds of attacks.
Long here means a 400 page book as a password.
One of the older, but still usable, password hashes uses only 72 characters iirc.
A game I played doesn't allow special characters or says it's too long.
At least they tell you. I've had inputs take the full password and then truncate it silently, so you don't actually know what they saved. Then, you try to log in and they tell you wrong password.
I once encountered a system that truncated your submitted password if you logged in through their app, but not through their website. So you would set your password through the website, verify that the login was working (through the website) and then have that same login fail through the app.
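The two comments above describe the same defect from two sides: a password clipped silently at signup, or clipped on one login path but not another. Here is an added Python sketch (not code posted by anyone in this thread) that reproduces both outcomes against a correct implementation. It uses only the standard library: a constructed in-memory user table, salted PBKDF2-HMAC-SHA256 as the hash, and a hypothetical `truncate_at` parameter that stands in for the broken sites; a correct deployment never truncates and rejects over-long input explicitly. The 1024-byte cap and the sample password are assumptions made for the demo.

```python
import hashlib
import hmac
import os

# Generous upper bound: rejects a "400-page book" submitted as a password
# (a cheap way to burn server CPU on a slow hash) without ever clipping a
# real 24- or 64-character secret. The value is an assumption for this demo.
MAX_PASSWORD_BYTES = 1024

_users = {}  # constructed in-memory table: username -> (salt, derived key)


def derive_key(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256. The output is a fixed 32 bytes whatever the
    # input length, so storage size never depends on how long the password is.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               100_000, dklen=32)


def _normalize(password: str, truncate_at):
    # Over-long input is refused with an error the user can see, never clipped.
    if len(password.encode("utf-8")) > MAX_PASSWORD_BYTES:
        raise ValueError("password exceeds %d bytes" % MAX_PASSWORD_BYTES)
    # truncate_at only exists to simulate the buggy sites from the thread;
    # a correct implementation always passes None here.
    return password if truncate_at is None else password[:truncate_at]


def register(username: str, password: str, truncate_at=None) -> None:
    salt = os.urandom(16)  # fresh random salt per user
    _users[username] = (salt, derive_key(_normalize(password, truncate_at), salt))


def login(username: str, password: str, truncate_at=None) -> bool:
    if username not in _users:
        return False
    salt, stored = _users[username]
    candidate = derive_key(_normalize(password, truncate_at), salt)
    # Constant-time comparison of the two derived keys.
    return hmac.compare_digest(candidate, stored)


def stored_hash_length(username: str) -> int:
    return len(_users[username][1])


def demo() -> dict:
    long_pw = "correct horse battery staple 2024 !"  # 35 chars, constructed
    register("good", long_pw)                              # correct site
    register("clipped_signup", long_pw, truncate_at=20)    # signup clips, login does not
    register("website", long_pw)                           # set through the website
    register("clipped_both", long_pw, truncate_at=20)      # both paths clip
    return {
        "correct_site": login("good", long_pw),
        "trimmed_at_signup_only": login("clipped_signup", long_pw),
        "app_trims_but_website_did_not": login("website", long_pw, truncate_at=20),
        "trimmed_on_both_sides": login("clipped_both", long_pw, truncate_at=20),
        # When both sides clip, the trailing 15 characters are dead weight:
        # any password sharing the first 20 characters is accepted.
        "any_suffix_accepted_when_both_trim":
            login("clipped_both", long_pw[:20] + "WRONG", truncate_at=20),
        "hash_len_35_char_pw": stored_hash_length("good"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The first two failures are the "wrong password" experience from the thread; the last two show why a site that clips consistently on both paths still loses most of what the user typed.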
Yes I’ve had issues with this as well, since I’m a child I’ve set my password generator length at 69 characters… A small trick I’ve found is to delete and rewrite the last character of one of the two repeated passwords since often the validity check gets triggered on write but not on paste
My worst experience so far was a webpage that trimmed passwords to 20 characters in length without telling you. Good luck logging in afterwards…
As long as their login page also does that :p
Common mistake for amateurs that found a password library and used it without reading the documentation. E.g. bcrypt will tell you to salt and hash the password before digesting it into constant-length output for your database.
Salting before doing anything else is basic password security. I assume the webpage in question doesn’t do that, either.
One of my favorite memories of how much Something Awful’s sysadmins were absolutely amateur hour back in the early 2000s was the “lappy” to “laptop” debacle. Apparently Lowtax found the term “lappy” so annoying that he ordered his system administrator to do a find/replace for every instance of “lappy,” replacing them with “laptop.”
Unfortunately this included usernames and passwords, as well as anything that just managed to have the letters “lappy” in that order anywhere in the word. So, there was one user named ‘Clappy’ who woke up one day to find his name changed to ‘Claptop.’ Apparently this is also how people discovered that they were storing passwords unsalted in plain text in a fucking MySQL database, which, if you’re old enough, you probably already remember: the combination of MySQL and PHPmyAdmin was like Swiss cheese when it comes to site defense. :p
Flaptop Bird
That must have done a lot of dawizard to their reputation.
For a system I worked on a few years ago I got the password requirement:
- Only upper case letters A-Z, no letter or symbols.
- Exactly 7 characters.
I was also recommended to make it a single word to make it memorable.
PASSWOR
‘Sorry but this password is already taken’
By user abc@example.com
We have a customer, a big international corporation, that has very specific rules for their intranet passwords:
- Must contain letters
- Must contain numbers
- Must contain special characters
- No repeats
- Passwords must be changed every two months
- Not the same password as any of the last seven
- PASSWORDS MUST BE EXACTLY EIGHT CHARACTERS LONG
I can only assume that whoever came up with these rules is either an especially demented BofH, or they have some really really weird legacy infrastructure to deal with.
I am a designer, but I once did a project with a very very major and recognizable tech corporation that, no joke, implemented an 8 character limit on passwords for storage reasons.
This company made in the tune of tens of billions of dollars per year, and they were penny-pinching on literal bytes of data.
I can’t say who it is, but their name begins with ‘M’ and ends in ‘cAfee.’
If password length affects storage size then something has gone very wrong. They should be hashed, not encrypted or in plaintext.
No repeats??? Like, you can't have ‘aaaa123@’ as a password?
You’re just making it easier to brute force…
Since the password has to be changed every two months, I would assume that it means no repeating previously used passwords.
It also says “must not be the same as any of the last seven passwords used” so I can only take “no repeats” to mean no repeated characters.
Requiring passwords to be exactly 8 characters is especially ridiculous because even if they’re cheaping out on bytes of storage, that’s completely cancelled out by the fact that they’re storing the last seven passwords used.
There is little point in having a long password. Online accounts don’t have the same issues as encryption.
Assuming a breach, and hashes are released, it’s significantly harder to brute-force a long password.
Some (a lot) poorly set up websites may not even have a limit on password attempts, or cooldowns.
It won’t matter if you use a password manager. You shouldn’t rely on the website to keep your password safe. They could be storing it in plain text for all you know. (It has happened before)
Think of it from a random guess perspective. Guessing a number randomly generated between 0-16 is easier than guessing one between 0-8.
Now think that all passwords are stored in a certain amount of bits, so let’s compare 4 and 8 bits.
Each bit has a chance to be either 0 or 1, so guessing a single bit’s possibility is 1/2.
Guessing the correct orientation of 4 different bits takes 1/2^4 = 1/16
Guessing the correct orientation of 8 different bits takes 1/2^8 = 1/256
Now think of passwords being stored in more bits (= longer password)
At a certain point it doesn’t matter as the password is effectively unguessable.
One weakness with longer passwords is that if they are created by humans, chances are it will be easier to guess the pattern. This is true for all human-created passwords, but I think the longer ones are worse since there is more space to create an easily guessable pattern.
I really hope you don’t work in the tech industry.
I’ve yet to see anyone link to a source
Here is where I’m getting my info
You realize that they say the exact opposite of what you are saying, right?
“Longer passwords are generally more secure and easier for users to remember,” said Dr. Paul Turner, a cybersecurity expert at NIST. “We’re moving away from complex rules that often lead to predictable patterns and towards encouraging unique, lengthy passphrases.”
You haven’t provided any evidence to support your claim. Online accounts can’t easily be brute forced.
If a hash is leaked you just change the password. As long as you aren’t reusing the same password everywhere you are fine.
If the hashes are leaked and that’s immediately caught and customers are immediately informed, just change your password.
how braindead are you?
How old are you?
The old security wisdom has been thrown out in favor of better practices. If you spend too much time focusing on one spot you will make everyone hate you while leaving gaping holes in your security.
your comments just make me hope that you never touch an IT system as a developer
That’s simply false. Increased length increases the entropy of a password, making it harder to brute force to gain access.
You have to go out of your way to restrict the length of passwords. There’s absolutely no reason to do it, and it is contrary to all good security practices.
I’m not sure how you expect someone to brute force a web service. It is possible, but it would be equivalent to a denial of service. Having long passwords for an online login makes no sense. A randomly generated 12 character password isn’t any more or less secure than a 40 character password since they both take an unrealistic amount of time to brute force.
A 12 character password made up of standard characters would take 475,920,314,814,253,376,475,136 tries assuming you know the length. I don’t see how someone could brute force a web service.
I will say I get annoyed at web services that require special characters since I like to use 3 words from the EFF extended word list.
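Putting numbers on the bit-counting argument earlier in the thread, on the 12-character figure quoted just above (94 symbols, i.e. printable ASCII without the space, reproduces that count exactly), on the "exactly eight characters, no repeats" policy discussed further up, and on the three-word passphrases mentioned here: an added Python example, not code from any commenter. The guess rates used for the online-vs-offline comparison and the 7776-entry size of the EFF large wordlist are my assumptions for the demo.

```python
import math

EFF_LARGE_WORDLIST_SIZE = 7776  # 6^5 entries in the EFF large (diceware) list; assumed here


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols, each chosen independently."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace: every extra symbol adds log2(alphabet_size) bits."""
    return length * math.log2(alphabet_size)


def keyspace_no_repeated_chars(alphabet_size: int, length: int) -> int:
    """Keyspace under a 'no repeated characters' rule: ordered draws without replacement."""
    return math.perm(alphabet_size, length)


def passphrase_keyspace(word_count: int, list_size: int = EFF_LARGE_WORDLIST_SIZE) -> int:
    """Keyspace of a passphrase built from `word_count` words drawn uniformly from a list."""
    return list_size ** word_count


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return space / guesses_per_second / (365 * 24 * 3600)


def compare() -> dict:
    # Constructed rates: a rate-limited login endpoint (online) versus an
    # offline attack on leaked, fast hashes. Real figures vary widely.
    online, offline = 10.0, 1e10
    return {
        "bits_4_binary": entropy_bits(2, 4),
        "bits_8_binary": entropy_bits(2, 8),
        "space_12_chars_94_symbols": keyspace(94, 12),
        "space_exactly_8_chars_95_symbols": keyspace(95, 8),
        "space_exactly_8_no_repeats": keyspace_no_repeated_chars(95, 8),
        "space_3_eff_words": passphrase_keyspace(3),
        "bits_3_eff_words": entropy_bits(EFF_LARGE_WORDLIST_SIZE, 3),
        "years_12_chars_offline": years_to_exhaust(keyspace(94, 12), offline),
        "years_8_chars_offline": years_to_exhaust(keyspace(95, 8), offline),
        "years_8_chars_online": years_to_exhaust(keyspace(95, 8), online),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:36s} {value:,}" if isinstance(value, int) else f"{name:36s} {value:.3g}")
```

The output makes the thread's two positions concrete: a fixed 8-character password is exhausted offline in days at the assumed rate but would take geological time through a rate-limited login form, and the "no repeated characters" rule strictly shrinks the space an attacker has to search.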
pls elaborate
As long as the adversary doesn’t have the ability to brute force the password locally, you have the ability to reset in the event of a leaked hash and you aren’t reusing passwords you are fine with a shorter password. Obviously be mindful of easily guessable passwords or ones that are very short. However, a 12 digit sufficiently random password is fine. Don’t fall into the trap of longer but easier to guess.
Don’t do things like impossiblebatman1. Something like SalariedOverhand22 or imposiba1ttman
The first secure one I used diceware to generate two random words and then a random number generator to add a number. The second one I randomly changed spelling and the pattern to increase entropy.
I love wordlists
My favorite is when they don’t have this check, but silently slice the string to meet the requirement, so that you can’t login with the original password the next time.
My bank used to do that back in the early 2000’s, I moved banks.
Metro Bank did something like this to me.
Wells Fargo used to do this. They cut my 16 character password to 8 and negated capitalization. Which is why I don’t use them anymore
Amazon also had it a couple of years ago.
Happens more and more often
One time I worked a job where you had to make EXACTLY a 12 character password using only ten letters and two numbers.
In password security, the longer the better.
This is only true up to a certain point
Passphrases are much stronger than any 10 character password you can conjure up
How does that contradict my statement? 10 chars is pretty weak.
Explain please, I’m curious
So this is mathematically correct, but practically not really. Let me give you a longer (but still simplified) answer. There are essentially two things here that are different:
- Does a longer password make your password more difficult to guess? (always yes)
- Does a longer password make accessing the content it protects more difficult (yes, to a certain point).
The reason for #2 in digital systems is because of hashing, which is used to protect your password in the case of a data breach. Essentially, you can think of a hashing algorithm as a one-way algorithm that takes an input, and then always returns the same output for that input. One-way here means that you can’t use the hashed output to reverse-engineer the originally inputted password (you can’t unhash a hashbrown into the original potato 🥔). This is why if someone hacks Facebook, they don’t necessarily have your Facebook password; Facebook never saves your actual password anywhere. To login, the website hashes your password input, and compares it against the hash that they saved from your original password creation.
Usually, the result of these algorithms is saved as a fixed-length string of characters. And so your data is mathematically not more safe if you exceed this length, since a random password combination can theoretically resolve to the same value as your super-long-password. This would depend on the algorithm being used / data being stored, but for example, bcrypt outputs a 184-bit hash (often represented as a 60-character string). So mathematically, your password is not more secure beyond 60 characters.
However, in practice this is a non-issue, because I think that basically the only way that collisions like this are useful is for brute-forcing a password? And the chance of a password collision in this way is something like 1 in 10^27-or-28 (being hit by lightning every day for 10,000 years)? The much easier solution for gaining access is to get your actual password. So if your password being longer makes it harder for people to guess, I’d say that adding security by way of #1 is still extremely valid.
All passwords longer than eight characters are silently truncated anyway.
Only by very badly designed systems. Most are not truncated but hashed. Those hashes are much longer than 8 characters.
Looks like somebody made a generality out of the Shamir Secret Sharing PayPal implem (read it though)
good read. TLDR is that Sun Microsystems database software truncated passwords to 8 characters and the OP assumed that others must do that too. I surely hope not, TBH. I thought truncating to 8 characters had to do with computational or storage efficiency back when that mattered. I’m pretty sure most database fields if they’re modern use like a 256 character limit for passwords right?
Uh? Why?
Only by batshit insane system wreckers. Normal systems don’t do this at all.