Increase password length to 32 chars

I was having trouble logging into an account. Following a password reset I was in, so I assumed I had the wrong password recorded on my end. I then set the password in the team management pages. After trying to log in again I was told that my password was not valid, so I followed the password reset again and chose another password, but this time used no special characters just in case any of those were causing an issue. Upon logging in again the error was "The password must be at least 6 characters long", even though the password was definitely more than 6 characters (32, actually).

I assume there is some restriction on passwords somewhere for some reason, but this isn’t mentioned on the team management pages. The password change process obviously silently drops invalid passwords (or trims them, or something).

I’ve managed to replicate this with a 32 character password too. Seems to be set to a maximum of 25 characters on the login page. I’ll pass this one on too, and see if we can sort something here.

There’s a maxlength set on the input for 20 characters; it won’t let you key in anything longer. I thought perhaps pasting in directly would circumvent this, but the maxlength property truncates to 20. You can’t easily see this as it’s type=password, so it’s obfuscated. If you, however, went into the browser debugger and manually changed the type to text, you would see the truncation happening.

The browser is doing all this automatically from the maxlength so I’m not sure how we can warn. Although a simple thing we should do is make the password requirements clearer on the screen.
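The silent truncation described above can in fact be caught and surfaced. What follows is an added example, not code from the original thread or the product being discussed: a pure function that mirrors how a browser cuts pasted text to a field's maxlength and reports how many characters were lost, plus optional DOM wiring that hooks the paste event on a password field and uses the Constraint Validation API to show the warning. The selector, the message wording and the scrypt-free structure are assumptions; nothing here is the site's own code.

```javascript
// Added example (not from the original thread): detect a paste that the
// browser will silently truncate to the field's maxlength, and tell the user.
// The pure functions below are what a test can exercise; the DOM wiring at the
// bottom only runs in a browser.

// Mirror browser behaviour: text is cut to maxLength characters. Browsers count
// UTF-16 code units for maxlength, and String.prototype.slice does the same, so
// the lengths agree. A negative or non-integer maxLength means "no limit"
// (HTMLInputElement.maxLength reports -1 when the attribute is absent).
function applyMaxLength(text, maxLength) {
  if (!Number.isInteger(maxLength) || maxLength < 0) return text;
  return text.slice(0, maxLength);
}

// Decide whether pasting `pasted` into a field that will still contain
// `current` characters after the paste replaces the selection would be
// truncated, and build a user-facing message if so.
function checkPaste(pasted, maxLength, current = '') {
  const combined = current + pasted;
  const kept = applyMaxLength(combined, maxLength);
  if (kept.length === combined.length) {
    return { truncated: false, dropped: 0, message: '' };
  }
  const dropped = combined.length - kept.length;
  return {
    truncated: true,
    dropped,
    message: `Passwords are limited to ${maxLength} characters; ` +
             `the last ${dropped} character(s) you pasted were not kept.`,
  };
}

// Browser wiring: runs only where a DOM exists. The selector is an assumption.
if (typeof document !== 'undefined') {
  const field = document.querySelector('input[type="password"][maxlength]');
  if (field) {
    // 'paste' fires before the value changes, so field.value is the pre-paste text.
    field.addEventListener('paste', (event) => {
      const pasted = (event.clipboardData || window.clipboardData).getData('text');
      // Text outside the current selection survives the paste; the selection is replaced.
      const surviving = field.value.slice(0, field.selectionStart) +
                        field.value.slice(field.selectionEnd);
      const result = checkPaste(pasted, field.maxLength, surviving);
      if (result.truncated) {
        // Surface the warning instead of letting the browser drop characters silently.
        field.setCustomValidity(result.message);
        field.reportValidity();
      } else {
        field.setCustomValidity('');
      }
    });
  }
}
```

The check only tells the user what happened; the fix the thread arrives at (raising or removing the cap, and stating the limit next to the field) is still needed so that the password stored at reset time and the one typed at login are the same string.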

I was pasting the password in so I missed the truncation on screen. Not sure why you have a maxlength on it anyway, ideally this could be removed and then there should be no restrictions on password complexity. If this isn’t achievable then some mention of the maximum length on the password creation screens might be handy.

We may eventually remove the maxlength, although if you use a 20 character password with letters, numbers and symbols, it’s still extremely resilient; you can test it here:

https://www.grc.com/haystack.htm

Yeah, as you probably guessed I like strong passwords and 20 random characters should be fine, but I use KeePass, so really there is no reason why I should limit myself to only having 20 random characters! The standard profile uses 32 characters and most sites accept that.

I think we will up the limit to 32. I’m not overly keen on removing the cap entirely as it will increase the table size and overall footprint of the database (maybe in a relatively small way, but they all add up).

No one will ever need more than 640k 32 chars!


OK we’ve increased the password length to 40.

We went to 40 to cover some GUIDs that password managers are using now.


You’re storing the password in plain text…???

Hi @dlamp

Passwords are not stored in plain text.

That’s my fault, I made an incorrect assumption about the password hash increasing with the length of the plain text, one of our engineers did later correct me on this point :blush:

I can confirm we don’t store passwords in plain text.

Must admit this did confuse me, I thought I must have misunderstood something somewhere and was going to go back and relearn password hashing. Saved me a job there! :wink:

Had me worried there! But… if someone wants to use an absurdly long password, there’s no reason to stop them. On the other hand, anything that helps people to understand password length and security is a good thing.

Forty characters of a-z, A-Z, and 0-9 is by my reckoning sufficient to give every atom in our galaxy a unique identifier, with a few orders of magnitude left over - that’s a big number.

Yes my hesitation was based on a false assumption. I read up on this later and the general consensus is that there’s no reason to set a maxlength on the password.

I think 40 is good for now, but on the next iteration we’ll likely remove it entirely.
