/

/

Copy link to issue

summary

Passwords are limited to 20 characters.

Description

Passwords "must be between 8 and 20 characters". 20 is too few for a decent passphrase.

There should be no need for such a low upper limit

it won't take any extra space in the database since all password hashes will be the same length
if the speed to generate a hash is an issue, surely it would only become so at something over 100 characters.

Environment

Observed this on password reset form in translate.zanata.org

Activity

Show:

Luke Brooker

August 20, 2015, 12:48 AM

Copy link to comment

Agreed. Limiting to 20 characters is not great.

Sean Flanigan

August 20, 2015, 1:18 AM

Copy link to comment

Good point. See https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Password_Length

We need some sort of limit to make sure the hashing doesn't lead to a denial of service attack, but I think we could to afford to hash, say, 1024 characters.

Luke Brooker

August 20, 2015, 1:26 AM

Copy link to comment

Sounds reasonable to me.

Luke Brooker

August 20, 2015, 1:26 AM

Copy link to comment

Sounds reasonable to me.

Ready for Release

Assignee

Assignee

Alex Eng

Reporter

Reporter

David Mason

Labels

Labels

Tested Version/s

Tested Version/s

None

Components

Components

Sprint

Sprint

None

Fix versions

Fix versions

Affects versions

Affects versions

Priority

Priority

Medium

Configure