29
My password is not accepted because it is too long (feddit.org)
submitted 2 months ago by Kissaki@feddit.org to c/mildlyinfuriating@lemmy.world
93 comments fedilink hide all child comments

In password security, the longer the better. With a password manager, using more than 24 characters is simple. Unless, of course, the secure password is not accepted due to its length. (In this case, through STOVE.)

Possibly indicating cleartext storage of a limited field (which is an absolute no-go), or suboptimal or lacking security practices.

top 50 comments
sorted by: hot top controversial new old
[-] OsKe@lemm.ee 5 points 2 months ago

At least they tell you. I signed up with websites that just cut the password after the 12th character. No way of signing in with the password again (not without trying a couple of times, at least)

[-] cupcakezealot@lemmy.blahaj.zone 4 points 2 months ago

when you varchar(24) and forget about the hash

[-] bunnyBoy@pawb.social 4 points 2 months ago

One of the accounts that I have to use at my job is like this but much much worse. It only accepts letters and numbers, no capitalization, no symbols and can only be 8 digits long maximum. It's like they want to account to be easy to compromise.

[-] JcbAzPx@lemmy.world 3 points 2 months ago

That sounds like the limitations of an ancient mainframe system. If so, then someone trying to brute force their way in would be more likely to crash the system instead.

[-] tarsisurdi@lemmy.eco.br 4 points 2 months ago* (last edited 2 months ago)

I once registered an account with a random ~25 characters long password (Keepass PM) for buying tickets on https://uhuu.com.br/

The website allowed me to create the account just fine, but once I verified my e-mail, I couldn't log into it due to there being a character limit ONLY IN THE LOGIN PASSWORD FIELD. Atrocious.

EDIT: btw, the character limit was 12

[-] skullgiver@popplesburger.hilciferous.nl 3 points 2 months ago

PayPal did the same. Registration took 40 characters, login only half of that. Editing the login form didn't work unfortunately.

[-] FiniteLooper@lemm.ee 1 points 2 months ago

I’ve had this exact same thing happen.

I’ve also had it happen where you have the two fields to verify the password is the same. One had a maxlength set in it, and the other didn’t. I was for sure entering the same password and I was so confused until I opened up the dev tools and inspected the inputs.

load more comments (5 replies)
[-] absGeekNZ@lemmy.nz 3 points 2 months ago

I like it that the site says the max length....this is not common. I wish it was.

[-] pleasejustdie@lemmy.world 5 points 2 months ago* (last edited 2 months ago)

The problem is a password hash is a fixed length regardless of the password, so if this is implemented correctly there is no need for a maximum password length. These things raise my security flag because it makes me think they are storing the password in plain text instead of doing proper practice and storing the hash only.

[-] MolecularCactus1324@lemmy.world 3 points 2 months ago

At least they tell you. I’ve had inputs take the full password and then truncate it silently, so you don’t actually know what they saved. Then, you try to login and they tell you wrong password.

[-] Liz@midwest.social 1 points 2 months ago

I once encountered a system that truncated your submitted password if you logged in through their app, but not through their website. So you would set your password through the website, verify that the login was working (through the website) and then have that same login fail through the app.

load more comments (1 replies)
[-] UpperBroccoli@lemmy.blahaj.zone 2 points 2 months ago

We have a customer, a big international corporation, that has very specific rules for their intranet passwords:

  • Must contain letters
  • Must contain numbers
  • Must contain special characters
  • No repeats
  • Passwords must be changed every two months
  • Not the same password as any of the last seven
  • PASSWORDS MUST BE EXACTLY EIGHT CHARACTERS LONG

I can only assume that whoever came up with these rules is either an especially demented BofH, or they have some really really weird legacy infrastructure to deal with.

[-] drewcarreyfan@lemm.ee 1 points 2 months ago

I am a designer, but I once did a project with a very very major and recognizable tech corporation that, no joke, implemented an 8 character limit on passwords for storage reasons.

This company made in the tune of tens of billions of dollars per year, and they were penny-pinching on literal bytes of data.

I can't say who it is, but their name begins with 'M' and ends in 'cAfee.'

load more comments (1 replies)
[-] blacia@lemmy.blahaj.zone 1 points 2 months ago

I worked in IT for a big national company for a short time. Passwords rules were : at least 8 characters, at least one uppercase letter, at least one number, change password every 2/3 months and different than the 3 previous ones. Several workers had a post-it on the screen with the 4 passwords they use. One of them had name of child and year of birth, I don't know if it was his children or his relatives' children too.

load more comments (1 replies)
[-] kepix@lemmy.world 2 points 2 months ago

i once used 20 for a bank. the website havent told me it was too long just clipped off 2 and accepted the rest. not even the banking support was able to help me. took me a few days to solve this by accident.

load more comments (1 replies)
[-] rei@lemmy.world 2 points 2 months ago

The password should be hashed anyway, which has a fixed output

[-] Scrollone@feddit.it 2 points 2 months ago

But there must be a (long) max length anyway, to prevent some kinds of attacks.

[-] olafurp@lemmy.world 2 points 2 months ago

Long here means a 400 page book as a password.

[-] magic_lobster_party@fedia.io 2 points 2 months ago

What’s more frustrating is when the password creation page is silently cutting off too long passwords and don’t inform you about it.

[-] TheObviousSolution@lemm.ee 1 points 2 months ago

Some people even suggest typing a longer password over a simpler one with more special characters. It's harder to brute force.

[-] veni_vedi_veni@lemmy.world 1 points 2 months ago* (last edited 2 months ago)

I thought the use vocabulary lookup tables effectively nullifies the entropy benefits, if everyone started using phrases as password

[-] kuberoot@discuss.tchncs.de 2 points 2 months ago

Obligatory xkcd.

I don't know enough to say how accurate the numbers are, but the sentiment stands - if it's a password you're memorizing, longer password will probably be better.

[-] Jyek@sh.itjust.works 2 points 2 months ago

That's not even the case though. Using a memorized passphrase that can be broken down into individual words is susceptible to dictionary attacks provided you know what the length of the password is. You can algorithmically sort away swathes of the dictionary based on how many likely word combinations exist before searching unusual word combinations. The thing is, passwords suck. It doesn't matter how long the password is, if someone wants in, they'll crack the password or steal it via some other means. Instead of relying on a strong password, you need to be relying on additional proof factors for sign in. Proper MFA with actual secure implementation is far more secure than any password scheme. And additionally, hardware key authentication is even more secure. If you are signing into an account and storing important data there, you do not want to rely on passwords to keep that data secure.

The reason for the character limit on passwords is often to prevent malicious attacks via data dumping in the password dialogue box. Longer numbers take more CPU cycles to properly salt and encrypt. Malicious actors may dump as many characters in a password system as they wish if they wanted to take down a service or at least hurt performance.

Additionally, even if you just used lowercase letters, an 18 character password would take 12 RTX 5090s approximately 284 thousand years to crack according to the recent Hive Systems report.

24 characters is more than enough to be secure as far as passwords alone go. Just know that, nobody is out here brute forcing passwords at any length these days, there are infinite more clever ways of hacking accounts than that.

[-] daggermoon@lemmy.world 1 points 2 months ago

I don't have it in me

[-] 4am@lemm.ee 1 points 2 months ago* (last edited 2 months ago)

Don’t worry, pretty soon they will just block password managers from autofilling fields on their login page so that you HAVE to remember your password! Then you’ll be happy it can’t be that long, you can only fit so much on a post-it note on the side of your monitor

/s

EDIT: I think there should be a law against blocking password managers for filling in fields. Any brute force bots are going to submit HTTP requests directly anyway; no one is hitting the DOM to do that

load more comments (3 replies)
[-] Kissaki@feddit.org 1 points 2 months ago

I've had a case in the past where I reduced my password to the limit, but after account creation, I was not able to log in.

Turns out they had an off-by-one issue, and a password with a length slightly below the limit worked fine.

load more comments
this post was submitted on 17 May 2025
29 points (100.0% liked)

Mildly Infuriating

41264 readers
88 users here now

Home to all things "Mildly Infuriating" Not infuriating, not enraging. Mildly Infuriating. All posts should reflect that.

I want my day mildly ruined, not completely ruined. Please remember to refrain from reposting old content. If you post a post from reddit it is good practice to include a link and credit the OP. I'm not about stealing content!

It's just good to get something in this website for casual viewing whilst refreshing original content is added overtime.

Rules:

1. Be Respectful

Refrain from using harmful language pertaining to a protected characteristic: e.g. race, gender, sexuality, disability or religion.

Refrain from being argumentative when responding or commenting to posts/replies. Personal attacks are not welcome here.

...

2. No Illegal Content

Content that violates the law. Any post/comment found to be in breach of common law will be removed and given to the authorities if required.

That means: -No promoting violence/threats against any individuals

-No CSA content or Revenge Porn

-No sharing private/personal information (Doxxing)

...

3. No Spam

Posting the same post, no matter the intent is against the rules.

-If you have posted content, please refrain from re-posting said content within this community.

-Do not spam posts with intent to harass, annoy, bully, advertise, scam or harm this community.

-No posting Scams/Advertisements/Phishing Links/IP Grabbers

-No Bots, Bots will be banned from the community.

...

4. No Porn/ExplicitContent

-Do not post explicit content. Lemmy.World is not the instance for NSFW content.

-Do not post Gore or Shock Content.

...

5. No Enciting Harassment,Brigading, Doxxing or Witch Hunts

-Do not Brigade other Communities

-No calls to action against other communities/users within Lemmy or outside of Lemmy.

-No Witch Hunts against users/communities.

-No content that harasses members within or outside of the community.

...

6. NSFW should be behind NSFW tags.

-Content that is NSFW should be behind NSFW tags.

-Content that might be distressing should be kept behind NSFW tags.

...

7. Content should match the theme of this community.

-Content should be Mildly infuriating.

-The Community !actuallyinfuriating has been born so that's where you should post the big stuff.

...

8. Reposting of Reddit content is permitted, try to credit the OC.

-Please consider crediting the OC when reposting content. A name of the user or a link to the original post is sufficient.

...

...

Also check out:

Partnered Communities:

1.Lemmy Review

2.Lemmy Be Wholesome

3.Lemmy Shitpost

4.No Stupid Questions

5.You Should Know

6.Credible Defense

Reach out to LillianVS for inclusion on the sidebar.

All communities included on the sidebar are to be made in compliance with the instance rules.

founded 2 years ago
MODERATORS
LillianVS@lemmy.world
STRIKINGdebate2@lemmy.world
Tenthrow@lemmy.world