My password is not accepted because it is too long (feddit.org)

submitted 2 months ago by Kissaki@feddit.org to c/mildlyinfuriating@lemmy.world

93 comments fedilink hide all child comments

In password security, the longer the better. With a password manager, using more than 24 characters is simple. Unless, of course, the secure password is not accepted due to its length. (In this case, through STOVE.)

Possibly indicating cleartext storage of a limited field (which is an absolute no-go), or suboptimal or lacking security practices.

(page 2) 43 comments

sorted by: hot top controversial new old

[-] mcat@lemmy.world 1 points 2 months ago

My worst experience so far was a webpage that trimmed passwords to 20 characters in length without telling you. Good luck logging in afterwards...

load more comments (3 replies)

[-] dQw4w9WgXcQ@lemm.ee 0 points 2 months ago

For a system I worked on a few years ago I got the password requirement:

Only upper case letters A-Z, no letter or symbols.
Exactly 7 characters.

I was also recommended to make it a single word to make it memorable.

[-] Regrettable_incident@lemmy.world 0 points 2 months ago

PASSWOR

[-] MrPozor@discuss.tchncs.de 0 points 2 months ago

'Sorry but this password is already taken'

load more comments (1 replies)

[-] lightnsfw@reddthat.com 0 points 2 months ago

If I have to create a password Ill need to remember and don't have access to my password manager for whatever reason I have a long phrase that's my go to but I have a system about adding numbers and characters to it based on the context of the log in. Sites with character limits really fuck that up.

[-] foggy@lemmy.world 0 points 2 months ago

Okay so I agree with you that a longer password is better but this in no way indicates clear text password storage.

[-] Kissaki@feddit.org 1 points 2 months ago

Password hashes always have the same length.

Why is there a limit at 24? It may be an arbitrary limit set, or it may be because they don't store more.

load more comments (28 replies)

[-] pennomi@lemmy.world 0 points 2 months ago

There should be a limit to prevent DoS attacks but really it should be like 1M characters or something.

[-] rumba@lemmy.zip 0 points 2 months ago

No, there should be no limit. The password should be salted and hashed stored on the server side they should be uniformly like 256 or 512 characters behind the scenes no matter if you send it 5 characters or 50,000. The password that is stored is just a mathematical representation of the password.

As far as DDOS, It doesn't matter what the limit is, you can send them millions of characters rven if they have a limit. If you're going to DDOS you're going to just use SYN flood, pings, for all of the matters you could send headers.

[-] pennomi@lemmy.world 0 points 2 months ago

Not DDOS, DOS. You can often crash an unprepared server with one request by telling it to hash more data than it has memory for. See this blog post for a well-known web framework. Let’s say I just sent it a 10GB password, it still has to process that data whether or not the hash eventually shortens to the database field length.

load more comments (1 replies)

[-] Jaybird@lemmy.world 0 points 2 months ago

How about creating a new account, letting bitwarden create a password, only for them to send me a clear text copy of that passwod in their confirmation email....

load more comments (1 replies)

[-] syaochan@feddit.it 0 points 2 months ago

Obligatory https://neal.fun/password-game/

[-] Trainguyrom@reddthat.com 1 points 2 months ago* (last edited 1 month ago)

When that was first making the rounds I shared it with my coworkers. Most of my coworkers enjoyed it for a few minutes then moved on. One of my coworkers sent me a teams message 3 days later of the win message

load more comments (2 replies)

[-] skullgiver@popplesburger.hilciferous.nl 0 points 2 months ago

Sounds like they're using bcrypt. Feeding more than 24 utf8 characters into bcrypt won't do anything useful. You can permit longer passwords (many sites do) but they'd be providing a false sense of security.

Bcrypt is still secure enough and 24 characters are fine as long as they're randomly generated by your password manager.

[-] Kissaki@feddit.org 0 points 2 months ago

Do you have a source for the 24?

I can find a 72 byte limit. (Wikipedia, article) That's three times as many [ascii] utf8 characters I could use.

[-] possiblylinux127@lemmy.zip -1 points 2 months ago

Utf8 isn't ASCII. It takes up more space.

[-] oo1@lemmings.world 0 points 2 months ago

You've got to stop all those who put: abcdefghijklmnopqrstuvwxyz

That's my password for most things, any hackers die of RSI before they get in.

load more comments (1 replies)

[-] FlashMobOfOne@lemmy.world -1 points 2 months ago

There's a joke in there somewhere.

load more comments

this post was submitted on 17 May 2025

29 points (100.0% liked)

Mildly Infuriating

41039 readers

207 users here now

Home to all things "Mildly Infuriating" Not infuriating, not enraging. Mildly Infuriating. All posts should reflect that.

I want my day mildly ruined, not completely ruined. Please remember to refrain from reposting old content. If you post a post from reddit it is good practice to include a link and credit the OP. I'm not about stealing content!

It's just good to get something in this website for casual viewing whilst refreshing original content is added overtime.

Rules:

1. Be Respectful

Refrain from using harmful language pertaining to a protected characteristic: e.g. race, gender, sexuality, disability or religion.

Refrain from being argumentative when responding or commenting to posts/replies. Personal attacks are not welcome here.

...

2. No Illegal Content

Content that violates the law. Any post/comment found to be in breach of common law will be removed and given to the authorities if required.

That means: -No promoting violence/threats against any individuals

-No CSA content or Revenge Porn

-No sharing private/personal information (Doxxing)

...

3. No Spam

Posting the same post, no matter the intent is against the rules.

-If you have posted content, please refrain from re-posting said content within this community.

-Do not spam posts with intent to harass, annoy, bully, advertise, scam or harm this community.

-No posting Scams/Advertisements/Phishing Links/IP Grabbers

-No Bots, Bots will be banned from the community.

...

4. No Porn/Explicit

Content

-Do not post explicit content. Lemmy.World is not the instance for NSFW content.

-Do not post Gore or Shock Content.

...

5. No Enciting Harassment,

Brigading, Doxxing or Witch Hunts

-Do not Brigade other Communities

-No calls to action against other communities/users within Lemmy or outside of Lemmy.

-No Witch Hunts against users/communities.

-No content that harasses members within or outside of the community.

...

6. NSFW should be behind NSFW tags.

-Content that is NSFW should be behind NSFW tags.

-Content that might be distressing should be kept behind NSFW tags.

...

7. Content should match the theme of this community.

-Content should be Mildly infuriating.

-The Community !actuallyinfuriating has been born so that's where you should post the big stuff.

...

8. Reposting of Reddit content is permitted, try to credit the OC.

-Please consider crediting the OC when reposting content. A name of the user or a link to the original post is sufficient.

...

Also check out:

Partnered Communities:

1.Lemmy Review

2.Lemmy Be Wholesome

3.Lemmy Shitpost

4.No Stupid Questions

5.You Should Know

6.Credible Defense

Reach out to LillianVS for inclusion on the sidebar.

All communities included on the sidebar are to be made in compliance with the instance rules.

founded 2 years ago

MODERATORS

LillianVS@lemmy.world

STRIKINGdebate2@lemmy.world

Tenthrow@lemmy.world