submitted 1 day ago* (last edited 18 hours ago) by NullNet@lemmy.blahaj.zone to c/cybersecurity@infosec.pub

Small rant incoming. I just went to look at applying to Walmart, and when going to make an account their password requirements were 8-11 characters. What kinda nonsense is that? Some terribly made backend I'd assume. It's bad enough I gotta make a million accounts when applying to jobs but then you got my PII sitting behind such terrible password requirements it makes me wonder where else they are cutting corners on security.

[-] Jerry@feddit.online 15 points 18 hours ago

You're absolutely right.

A worse example, pharmacy.amazon.com only uses a 4-digit passcode to log in, and it's a pharmacy site!

[-] scott@lem.free.as 44 points 1 day ago

All stored passwords should be salted and hashed. That means each one uses the same amount of space, regardless of original length.

There should definitely be a minimum length but not a maximum (within limits; let's not break web standards or the laws of thermodynamics).

[-] 14th_cylon@lemm.ee 25 points 23 hours ago

but not a maximum

Well, if there is, at least be glad when they tell you. I once met a system that let you enter whatever, and then just ignored anything beyond the nth character (where n was ~10)...

[-] Fribbtastic@lemmy.world 15 points 18 hours ago* (last edited 16 hours ago)

Oh, let me tell you about Playstation, which I had the pleasure of having to deal with.

I needed to log in to my Playstation account but it told me that my username or password was wrong. Okay, send me a reset link. I got the link and set my new password.

I use Bitwarden and my password generator is set to 32 characters by default.

I generate a new password, paste that into the new password field, click okay and everything is fine, password changed. I save that new password in my vault and go back to the login site. I use the just changed credentials: Wrong username or password.

Well, turns out that the Password reset field is limited to 30 characters but the problem is that NOWHERE is it stated that your password has a max length. Not to mention that they don't tell you that your password was modified and cut short. The login password field, however, does allow more than 30 characters.

This means that you generate a 32-character password and paste that into the password reset field, this then gets cut short to 30 characters, click save and then use the same password on the login, which is 32 characters. This now obviously doesn't work because those passwords aren't the same.

Fun times. The worst part is that the first support person just went "Well, everything looks fine on our side. Sucks for you. Goodbye".
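The reset/login mismatch Fribbtastic describes, next to a verifier that enforces a length policy by rejecting input rather than shortening it and stores a salted hash of fixed size, as scott suggests. This is an added example, not code from the thread or from any site mentioned in it; the 8/64 limits, the scrypt parameters and the 32-character sample password are assumptions.

```python
import hashlib
import hmac
import os

# Policy assumed for this example: a modest minimum and a maximum no lower
# than the 64 characters NIST SP 800-63B says verifiers SHOULD permit.
# Both limits are enforced by rejecting input, never by truncating it.
MIN_LEN = 8
MAX_LEN = 64

def validate_password(pw: str) -> str:
    """Return pw unchanged, or raise ValueError; never shorten it."""
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        raise ValueError(f"password must be {MIN_LEN}-{MAX_LEN} chars, got {len(pw)}")
    return pw

def hash_password(pw: str, salt: bytes = b"") -> bytes:
    """Salted scrypt. The stored record is a 16-byte salt plus a 32-byte
    digest, so it is 48 bytes no matter how long the password was."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(pw.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt + digest

def verify_password(pw: str, record: bytes) -> bool:
    salt, digest = record[:16], record[16:]
    candidate = hashlib.scrypt(pw.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(candidate, digest)

# --- The bug from the thread: the reset path cuts at 30, the login path does not ---
def buggy_reset(pw: str) -> bytes:
    return hash_password(pw[:30])        # silently truncated, user never told

def buggy_login(pw: str, record: bytes) -> bool:
    return verify_password(pw, record)   # the full pasted password is checked

# --- Fixed: the same validation rule runs on both paths ---
def fixed_reset(pw: str) -> bytes:
    return hash_password(validate_password(pw))

def fixed_login(pw: str, record: bytes) -> bool:
    return verify_password(validate_password(pw), record)

if __name__ == "__main__":
    generated = "K7v!pQ2#mZ9@rL4$wX8%nB3^tC6&yH1*"   # constructed 32-char password
    print("buggy login works:", buggy_login(generated, buggy_reset(generated)))
    print("fixed login works:", fixed_login(generated, fixed_reset(generated)))
    print("record sizes:", len(hash_password("short8ch")), len(hash_password("x" * 64)))
```

With the fixed paths a 65-character password is refused with an error message at reset time, instead of being stored in a form the login page can never match.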

[-] Hamartiogonic@sopuli.xyz 5 points 22 hours ago* (last edited 22 hours ago)

I once had a password that was over 200 characters long. That was on a custom email server where the admin either didn’t know or didn’t care about limitations. I mean, if you can have a super long password, then why not. I just kept on going until I felt like it was secure enough.

I used randomly generated character soup, so there’s no way I’m ever going to memorize that nightmare of a password. Even if I print it on paper and hand it to you, there’s a pretty good chance that you wouldn’t be able to type it correctly without resorting to OCR.

[-] subignition@fedia.io 3 points 18 hours ago

I entered a gold tier password for Golden Sun: The Lost Age so I have that shit locked down

[-] LostXOR@fedia.io 2 points 17 hours ago

At that point why not use key based authentication?

[-] Fosheze@lemmy.world 4 points 11 hours ago

Pastes private key into password box.

[-] NullNet@lemmy.blahaj.zone 7 points 1 day ago

You mentioned salting and hashing; that reminds me of places that used to put companies on blast for storing passwords in plaintext.

[-] ohwhatfollyisman@lemmy.world 23 points 23 hours ago

... 8-11 characters.

they wanted to one up their retail competitor 7-11, maybe?

[-] ohwhatfollyisman@lemmy.world 6 points 23 hours ago

... 8-11 characters.

shouldn't be a problem. take the dwarves and Snow White as a minimum. throw in the evil stepmom, woodsman, and magic mirror if you need them.

[-] graycube@lemmy.world 8 points 20 hours ago

If you allow unlimited length inputs of any kind, someone will break your system. 11 is way too short. But you do need some sort of maximum, even if it is very large.

[-] invertedspear@lemm.ee 14 points 14 hours ago

If you’re storing the password in the form the user entered it, you’re doing it wrong already.

[-] graycube@lemmy.world 3 points 9 hours ago

Even if you aren't storing it, if you allow unlimited length someone will break your stuff.

[-] hemko@lemmy.dbzer0.com 14 points 1 day ago

Excuse me what the fuck? You need to make an account in Walmart to apply for a job?

[-] Empricorn@feddit.nl 6 points 16 hours ago* (last edited 16 hours ago)

I just went to look at applying to Walmart

I'm assuming they meant online. I don't know what it's like where you are, but basically every employer requires an account to submit an application...

[-] hemko@lemmy.dbzer0.com 1 point 11 hours ago

That's fucking cancer ngl

[-] OmegaLemmy@discuss.online 9 points 23 hours ago

There needs to be a law to forbid passwords not providing a 64-character max

[-] Hamartiogonic@sopuli.xyz 9 points 22 hours ago

Why stop there? 128 or 256 sound much nicer. Actually, while you’re at it, 4096 should be enough to fit a short story.

[-] cynar@lemmy.world 3 points 18 hours ago

There are use cases where long passwords could be problematic. 64 would be long enough for most purposes, but short enough not to cause issues for things like microcontrollers.

It should be paired with a strongly recommended larger value, however.

[-] subtext@lemmy.world 6 points 15 hours ago

The new NIST recommendations say the maximum should be at least 64 characters.

Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.

https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver

[-] shortwavesurfer@lemmy.zip 0 points 20 hours ago* (last edited 20 hours ago)

I use my password manager to generate 32 character or 64 character passwords whenever possible.

That's actually a good part of why I trust cryptocurrency over my bank because my bank has all sorts of personally identifiable information and stupid short password requirements where cryptocurrency has no personally identifiable information and seeds are extremely long and complex.

this post was submitted on 28 Nov 2024