Small rant incomming. I just went to look at applying to Walmart, and when going to make an account their password requirements were 8-11 characters. What kinda nonsense is that? Some terribly made backend I’d assume. It’s bad enough I gotta make a million accounts when applying to jobs but then you got my PII sitting behind such terrible password requirements it makes me wonder where else they are cutting corners on security.

  • Scott@lem.free.as
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    All stored passwords should be salted and hashed. That means each one uses the same amount of space, regardless of original length.

    There should definitely be a minimum length but not a maximum (within limits; let’s not break web standards or the laws of thermodynamics).

    • 14th_cylon@lemm.ee
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      but not a maximum

      well if there is, at least be glad when they tell you. i once met a system that let you enter whatever, and then just ignored anything behind nth (where n was ~10) character…

      • Fribbtastic@lemmy.world
        link
        fedilink
        arrow-up
        0
        ·
        2 months ago

        Oh, let me tell you about Playsation that I had the pleasure of having to deal with it.

        I needed to log in to my Playstation account but it told me that my username or password was wrong. Okay, send me a reset link. I got the link and set my new password.

        I use Bitwarden and my password generator is set to 32 characters by default.

        I generate a new password, paste that into the new password field, click okay and everything is fine, password changed. I save that new password in my vault and go back to the login site. I use the just changed credentials: Wrong username or password.

        Well, turns out that the Password reset field is limited to 30 characters but the problem is that NOWHERE is it stated that your password has a max length. Not to mention that they don’t tell you that your password was modified and cut short. The login password field, however, does allow more than 30 characters.

        This means that you generate a 32-character password and paste that into the password reset field, this then gets cut short to 30 characters, click save and then use the same password on the login, which is 32 characters. This now obviously doesn’t work because those passwords aren’t the same.

        Fun times. The worst part is that the first support person just went “Well, everything looks fine on our side. Sucks for you. Goodbye”.

      • Hamartiogonic@sopuli.xyz
        link
        fedilink
        arrow-up
        0
        ·
        edit-2
        2 months ago

        I’ve once had a password that was over 200 characters long. That was in a custom email server where the admin either didn’t know or care about limitations. I mean, if you can have a super long password, then why not. I just kept on going until I felt like it was secure enough.

        I used a randomly generated character soup, so there’s no way I’m ever going to memorize that nightmare of a password. Even if I print it on paper and hand to you, there’s a pretty good chance that you wouldn’t be able to type it correctly without restoring to OCR.

    • NullNet@lemmy.blahaj.zoneOP
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      you mentioned salting and hashing that reminds me of places that use to put companies on blast for storing passwords in plaintext.

    • PlexSheep@infosec.pub
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      There should be a maximum, but only to cover ridiculous cases, like users pushing a 5 Kilobyte password onto the server. Hashing is expensive.

      While we’re at hashing: salting is important of course, but one should also not use any hash function, but one specifically made for passwords, such as argon2. If you just use plain old sha-2, that can still be computed with quite some performance on modern hardware, hence the need for hashing functions that take up performance in a controlled way.