cross-posted from: https://lemmy.world/post/383055
Scroll to Update Three for a description of what turned out to be the problem, and potential solutions on Lemmy.world’s end.
When I visit lemmy.world in either Firefox or Chrome, go to the log in page, enter my credentials, and press the Login button, it changes to a spinner and spins forever. No error is logged to the browser console when I press the button.
On the other hand, when using Jerboa on my phone, I can vote, comment and post just fine. That makes me think it’s not an issue with this account.
I was briefly able to log in on my desktop a few days ago, but don’t think I did anything differently when it worked.
Update
I tried again with my username lowercased, and with the password copied and pasted instead of autofilled, and it worked despite not working a few seconds earlier when I tried it the usual way. I’m going to log out and see which of the two things it was that made the difference.
Update Two
Copying and pasting the password while leaving the username with mixed case also let me in, so it’s somehow related to the password manager autofill.
Update Three
I figured it out. I generated a password longer than lemmy.world’s password length limit. When creating the account, it appears to have truncated it to sixty characters. When using the password manager to autofill Jerboa, it’s also truncated it to sixty characters. When copying and pasting the password from the password manager manually, it truncated it to sixty characters, too. However, the browser extension autofill managed to include the extra characters, too, so the data in the textbox wasn’t correct.
In case an admin or Lemmy developer sees this, I’d recommend:
- Not limiting the password length. It should be hashed and salted anyway, so it doesn’t increase storage requirements if it’s huge.
- Giving feedback when creating an account with a too-long password that it’s invalid for being too long instead of simply truncating it. Ideally, the password requirements would be displayed before you’d entered the password, too.
- As mentioned by one of the commenters, giving feedback when an incorrect password is entered.
To your point, the UX of having the site not tell the user when they have a password that is too long (or approaching too long), is definitely terrible. Especially for something with users as technologically adept as I’d assume Lemmy users are, and with how abundant password managers are, I doubt yours is the only experience like this.
But I disagree that the password max length needs to be increased. The actual work of hashing the password needs to be done by the server and if someone feeds in Atlas Shrugged as a password that might crash the server (unless other safeguards are put in place). I think 60 characters is enough to outlast the solar system even.
So definitely agree that the UX should be improved, but I’d disagree that we need to increase the max length.
A 60 character password has something like 400 bits of entropy… I believe the NSA requires something like 128 bits of entropy for their highest security documents. The amount of security provided by a 60 character password would cost something on the order of $10^111 ($6 * 2^(400-32)) in 2021 dollars[1], or $10^29 for every one of the 10^82 atoms in the universe[2].
So I don’t think anyone is cracking your 60 character password any time soon.
[1] - https://blog.1password.com/cracking-challenge-update/ [2] - https://www.livescience.com/how-many-atoms-in-universe.html
I had a personal banking online account that silently truncated my long password to their unstated maximum character count. I’d change my password and then auto-type would fail. I played with it, dropping characters until it succeeded to find the count then edit my new password profile for that one account.
To each their own, but I’d agree that 60+ characters is a tad excessive for a pseudo-anonymous social media account.