If you know, please also provide relevant documentation.
UPDATE (2025-02-02T06:06Z): I did some brute-force testing, and, at least for sh.itjust.works, it seems that the maximum username length is 50, and the maximum password length is 60 [1].
References
- “Sign Up”. sh.itjust.works. Lemmy. Accessed: 2025-02-02T08:49Z. https://sh.itjust.works/signup.
- When creating an account on sh.itjust.works, the sign-up form will throw this error if the provided password is greater than 60 characters in length.
You must log in or register to comment.
It seems to be set per-instance - you can find out through their APIs:
curl -L http://lemmy.world/api/v3/site | jq -r .site_view.local_site.actor_name_max_length(26)curl -L http://sh.itjust.works/api/v3/site | jq -r .site_view.local_site.actor_name_max_length(50)Assuming that’s the field applicable to this question, there isn’t some other limit somewhere other than the database and that I didn’t miss another later migration that changes the field length etc. I haven’t looked terribly thoroughly, though.
Can’t wait for the 255 username posting to 255 community @ 255 (253?) instance
A password max length shouldn’t be needed if they store a hash of it in the db.
It’s possible that Lemmy uses fixed-size buffers for the username and unhashed password. It would be pretty bad to give an unauthenticated user the power to allocate hundreds of megabytes in a shared process.
Not that I read the source code to know for sure, but it’s common practice to reduce the opportunity for denial of service attacks by limiting user input size.
It’s up to the UI as to how much data to accept AFAIK. The lemmy-ui will truncate passwords beyond 60. So even if you have a 64 char password it will drop the last 4 and do the hashing on that.
[…] The lemmy-ui will truncate passwords beyond 60. So even if you have a 64 char password it will drop the last 4 and do the hashing on that.
At least on sh.itjust.works, it doesn’t just silently truncate the password; it throws an error [1]:
References
- “Sign Up”. sh.itjust.works. Lemmy. Accessed: 2025-02-02T08:49Z. https://sh.itjust.works/signup.
- When creating an account on sh.itjust.works, the sign-up form will throw this error if the provided password is greater than 60 characters in length.
Oh, that’s good. My experience is from when joining .world during the API exodus.
- “Sign Up”. sh.itjust.works. Lemmy. Accessed: 2025-02-02T08:49Z. https://sh.itjust.works/signup.
