• Aer
    shield
    M
    link
    English
    11 year ago

    User error can still be mildly infuriating, I’m not removing this post. Thanks!

  • @hth
    link
    English
    128
    edit-2
    1 year ago

    Anytime you see a password length cap you know they are not following current security standards. If they aren’t following them for something so simple and visible, you’d better believe it’s a rat infested pile of hot garbage under the hood, as evidenced here.

    • Primarily0617
      link
      fedilink
      70
      edit-2
      1 year ago

      you have to limit it somewhere or you’re opening yourself up for a DoS attack

      password hashing algorithms are literally designed to be resource intensive

      • @confusedbytheBasics
        link
        English
        5
        edit-2
        1 year ago

        Edited to remove untrue information. Thanks for the corrections everyone.

        • Primarily0617
          link
          fedilink
          13
          edit-2
          1 year ago

          Incorrect.

          They’re designed to be resource intensive to calculate to make them harder to brute force, and impossible to reverse.

          Some literally have a parameter which acts as a sliding scale for how difficult they are to calculate, so that you can increase security as hardware power advances.

          • @confusedbytheBasics
            link
            English
            11 year ago

            I was incorrect but I still disagree with you. The hashing function is not designed to be resource intensive but to have a controlled cost. Key stretching by adding rounds repeats the controlled cost to make computing the final hash more expensive but the message length passed to the function isn’t really an issue. After the first round it doesn’t matter if the message length was 10, 128, or 1024 bytes because each round after is only getting exactly the number of bytes the one way hash outputs.

            • Primarily0617
              link
              fedilink
              21 year ago

              It depends on the hash. E.g., OWASP only recommends 2 iterations of Argon2id as a minimum.

              Yes, a hashing function is designed to be resource intensive, since that’s what makes it hard to brute force. No, a hashing function isn’t designed to be infinitely expensive, because that would be insane. Yes, it’s still a bad thing to provide somebody with a force multiplier like that if they want to run a denial-of-service.

              • @confusedbytheBasics
                link
                English
                11 year ago

                I’m a bit behind on password specific hashing techniques. Thanks for the education.

                My background more in general purpose one way hashing functions where we want to be able to calculate hashes quickly, without collisions, and using a consistent amount of resources.

                If the goal is to be resource intensive why don’t modern hashing functions designed to use more resources? What’s the technical problem keeping Argon2 from being designed to eat even more cycles?

                • Primarily0617
                  link
                  fedilink
                  1
                  edit-2
                  1 year ago

                  Argon2 has parameters that allow you to specify the execution time, the memory required, and the degree of parallelism.

                  But at a certain point you get diminishing returns and you’re just wasting resources. It seems like a similar question to why not just use massive encryption keys.

        • @adambowles
          link
          English
          71 year ago

          Hashes are one way functions. You can’t get from hash back to input

          • @taipan_snake
            link
            English
            51 year ago

            Only if the hash function is designed well

          • @confusedbytheBasics
            link
            English
            21 year ago

            True. I was all kinds of incorrect in my hasty typing. I’ll update it to be less wrong.

        • andrew
          link
          fedilink
          English
          31 year ago

          Not true. Password hashing algorithms should be resource intensive enough to prevent brute force calculation from being a viable route. This is why bcrypt stores a salt, a hash, and the current number of rounds. That number of rounds should increase as CPUs get faster to prevent older hashes from existing in the wild which can be more effectively broken by newer CPUs.

          • @confusedbytheBasics
            link
            English
            21 year ago

            I was incorrect about the goal being minimal resources. I should have written that that goal was to have controlled resource usage. The salt does not increase the expense of the the hash function. Key stretching techniques like adding rounds increase the expense to reach the final hash output but does not increase the expense of the hash function. High password length allowances of several thousand characters should not lead to a denial of service attack but they don’t materially increase security after a certain length either.

            • andrew
              link
              fedilink
              English
              21 year ago

              I’m arguing semantics here but bcrypt is the hashing function. Per the Wikipedia article on bcrypt:

              bcrypt is a password-hashing function designed by Niels Provos and David Mazières, based on the Blowfish cipher and presented at USENIX in 1999.

              Blowfish being a symmetric encryption cipher, not a hashing function.

              Agreed on the rest, though. The hashing cost of a long password would not lead to DOS any more than the bandwidth of accepting that password etc. It’s not the bottleneck. But also no extra security beyond a point, so might as well not bother when passwords are too long.

              • @confusedbytheBasics
                link
                English
                21 year ago

                Semantics aside it sounds like we are in agreement. Have another upvote. :)

                Why does upvoting feel better without a karma system? shrug

    • crunchyoutside
      link
      fedilink
      661 year ago

      Are you saying that any site which does not allow a 27 yobibyte long password is not following current security standards?
      I think a 128 character cap is a very reasonable compromise between security and sanity.

    • @Mrduckrocks
      link
      English
      521 year ago

      Atleast this is reasonable, I have seen some website don’t allow more than 6 character.

      • @teuast
        link
        English
        31 year ago

        WTF? Are they trying to get hit with brute force attacks?

    • @Saneless
      link
      English
      261 year ago

      At least it’s 128

      I had a phone carrier that changed from a pin to a “password” but it couldn’t be more than 4 characters

    • @[email protected]
      link
      fedilink
      English
      231 year ago

      At my job they just forced me to use a minimum 15-character password. Apparently my password got compromised, or at least that was someone’s speculation because apparently not everyone is required to have a 15-char password.

      My job is retail, and I type my password about 50 times a day in the open, while customers and coworkers and security cameras are watching me.

      I honestly don’t know how I’m expected to keep my password secure in these circumstances. We should have physical keys or biometrics for this. Passwords are only useful when you enter them in private.

      • @captainlezbian
        link
        English
        131 year ago

        Yeah you should have a key card. Like not even from a security perspective but from an efficiency one. Tap a keycard somewhere that would be easily seen if an unauthorized person were to even touch or even swipe it if need be. I’m sick and tired of passwords at workplaces when they can be helped

        • @[email protected]
          link
          fedilink
          English
          21 year ago

          It’s an enormous corporation. They’d have to outfit every computer in the building for the yubikey. It’s not going to happen.

    • DreamButt
      link
      English
      181 year ago

      In theory yes. But in practice the DB will almost always have some cap on the field length. They could just be exposing that all the way forward. Especially depending on their infastructure it could very well be that whatever modeling system they use is tightly integrated with their form generation too. So the dev (junior or otherwise) thought it would be a good idea to be explicit about the requirement

      That said, you are right that this is still wrong. They should use something with a large enough cap that it doesn’t matter and also remove the copy telling the use what that cap is

        • @[email protected]
          link
          fedilink
          English
          111 year ago

          Right but that puts a limit on the hash algorithm’s input length. After a certain length you can’t guarantee a lack of collisions.

          Of course the probability stays low, but at a certain point it becomes possible.

          • @brygphilomena
            link
            English
            71 year ago

            Collisions have always been a low concern. If, for arguments sake, I.hate.password. had a collision with another random password like kag63!gskfh-$93+"ja the odds of the collision password being cracked would be virtually non-existent. It’s not a statistically probable occurrence to be worried about.

          • @__dev
            link
            English
            21 year ago

            This is plainly false. Hash collisions aren’t more likely for longer passwords and there’s no guarantee there aren’t collisions for inputs smaller than the hash size. The way secure hashing algorithms avoid collisions is by making them astronomically unlikely and that doesn’t change for longer inputs.

        • DreamButt
          link
          English
          81 year ago

          yup yup. Forgot we were talking about a protected field and not just raw data

      • @[email protected]
        link
        fedilink
        English
        231 year ago

        You misunderstand the issue. The length of the password should not have any effect on the size of the database field. The fact that it apparently does is a huge red flag. You hash the password and store the hash in the db. For example, a sha256 hash is always 32 bytes long, no matter how much data you feed into it (btw, don’t use sha256 to hash passwords, it was just an example. It’s not a suitable password hashing algorithm as it’s not slow enough).

        • DreamButt
          link
          English
          61 year ago

          ur absolutely right. Idk why I was thinking about it like a normal text/char field

    • @shotgun_crab
      link
      English
      31 year ago

      Do you really need more than 128 characters?

    • @lanolinoil
      link
      English
      11 year ago

      I’m going to ruin this man’s whole database

  • @[email protected]
    link
    fedilink
    English
    571 year ago

    I know this a a joke, but please use a password manager, it is such a game changer.

    Bitwarden is free and E2E encrypted and if you want additonal feature, they only cost 10 bucks pre year. You can even use it with anonaddy to hide your email, which is also totally free and open source.

  • Wolf Link 🐺
    link
    English
    391 year ago

    I know it’s annoying that the password “doesn’t match”, but … a 128 character limit?! I’d like to see THAT fully utilized lol.

    (PS: the sentence above is exactly 128 characters, just for a comparison.)

    …and I bet once you want to change it you get the “your new password can not be the old password” error message just because.

    • Vii
      link
      fedilink
      English
      271 year ago

      An acquaintance of mine has a 36 characters long passcode for his tablet that he manually puts in every time he wants to use it.

      And you can use password managers to make secure passwords without ever having to input them yourself.

      • @muzzle
        link
        English
        271 year ago

        That is a very good idea if you want to disincentivise yourself from using your tablet

        • Vii
          link
          fedilink
          English
          71 year ago

          He doesnt use it outside of school stuff and even then prefers to write things on paper, I dont think that he has to make disincentives.

    • @[email protected]
      link
      fedilink
      English
      71 year ago

      I mean there is bitwarden, which literally can generate you strong random unique passwords for each site. Not really hard these days, I personally have unique one for every site but cap mine around 36 characters when generating passwords. Depends on the website tho.

    • The Pantser
      link
      English
      41 year ago

      My favorite was when I changed my password and they allowed different restrictions on the change password screen than they did when logging in. I changed my password to a 24 character one but log in screen only allows for max 16. I think they were truncating somewhere but I could not figure it out. Also could not change it again as it said it was incorrect.

  • This is even more infuriating than getting “password incorrect” going in and getting a recovery password, then trying to change passwords to the one you initially used and getting “new password can’t be the same as old password.”

  • @douglasg14b
    link
    English
    121 year ago

    Yikes… This thread is a wasteland of misinformation and mininformers arguing with other mininformers about who’s misinformation is less ill informed.

    This thread is:

    • 50% technology illiteracy
    • 25% Dunning Kruger valley
    • 10% Actual knowledge
    • Everyone else just here for the ride
      • CommunityLinkFixerBotB
        link
        fedilink
        English
        121 year ago

        Hi there! Looks like you linked to a Lemmy community using a URL instead of its name, which doesn’t work well for people on different instances. Try fixing it like this: [email protected]

        • 子犬です
          link
          English
          71 year ago

          On the connect for lemmy app, it thinks it’s a user lol.

          • Echo Dot
            link
            fedilink
            English
            11 year ago

            Yeah it’s a big that needs looking at.

            Also try changing your volume.

            • Kuro
              link
              fedilink
              English
              21 year ago

              Hi, just wanted to say both issues are now fixed in case they were frustrating you!

              • Echo Dot
                link
                fedilink
                English
                1
                edit-2
                1 year ago

                Clicking the link literally still takes me to the user page.

    • @douglasg14b
      link
      English
      1
      edit-2
      1 year ago

      It’ll just end up as much of a mess as the reddit one unless it’s actually moderated by folks involved in software development.

      Pics of every test email, intern tweet, off center icon, or misspelled SMS message are not software gore. The stuff every application everywhere has isn’t gore, it’s normal, mundane, every day stuff.

      Edit: Looks like it exists already, and I’m right. It’s not really software gore, more like software paper cuts.

  • @XeroxCool
    link
    English
    31 year ago

    Did one get an autocorrect space after the .?

  • @MrJameGumb
    link
    English
    21 year ago

    Seems like they don’t consider a period to be a “special character”

    • @NewNewAccount
      link
      English
      211 year ago

      That’s not the issue here as the special character check passes. It’s the validation between the two fields that’s broken.

      • @[email protected]
        link
        fedilink
        English
        221 year ago

        Most probably not broken at all.

        I.hate.password.
        l.hate.password.

        The first is a capital i, the second is a lower case L.

        • glibg10b
          link
          fedilink
          English
          141 year ago

          I noticed as well. I tested for it by zooming in and seeing if their tops align with the top of the h. Capital I is shorter than lower case L

      • 🇨🅾️🇰🅰️N🇪OP
        link
        English
        41 year ago

        OP here, reading all the comments and theories as to why the I or L or whatever isn’t a match. I copy and pasted it after it didn’t like my typing skills, tried it twice and no go… I believe the periods aren’t an acceptable special character even though they technically are. It also would not accept spaces in-between words, I was first gonna use “I hate password” for my password but no go there.

        The password it accepted was weak AF, two “stupid-words” strung together.

    • @Polydextrous
      link
      English
      181 year ago

      No, one is an uppercase “I” while the other is a lowercase “L.” lI — you can see the difference when you compare it to the nearby “h.”

      • @MrJameGumb
        link
        English
        81 year ago

        Ah, so OP was up to shenanigans??? I should have suspected as much from that mischievous miscreant!!!

    • 🇨🅾️🇰🅰️N🇪OP
      link
      English
      01 year ago

      Yeah I think that’s the main issue. It wouldn’t take it with spaces so I put the periods instead. Rage face

    • @subtext
      link
      English
      21 year ago

      I’m glad someone else noticed this right away as well