Passwords are limited to 20 characters.

Description

Passwords "must be between 8 and 20 characters". 20 is too few for a decent passphrase.

There should be no need for such a low upper limit:

  • it won't take any extra space in the database since all password hashes will be the same length

  • if the speed to generate a hash is an issue, surely it would only become so at something over 100 characters.

Environment

Observed this on the password reset form on translate.zanata.org

Activity

Luke Brooker
August 20, 2015, 1:26 AM

Sounds reasonable to me.

Sean Flanigan
August 20, 2015, 1:18 AM

Good point. See https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Password_Length

We need some sort of limit to make sure the hashing doesn't lead to a denial of service attack, but I think we could afford to hash, say, 1024 characters.
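
The description's two points (a stored hash is the same size however long the input is, and hashing cost only becomes a concern well past 20 characters) and the ceiling suggested in the comment above, worked through in an added example that is not Zanata's code. It assumes PBKDF2-HMAC-SHA256 from the Python standard library as the hasher and 1024 characters as the upper bound; the page does not say which hasher or limit translate.zanata.org actually uses.

```python
"""Password length policy with a bounded hashing cost.

Added example, not Zanata's code. The KDF (PBKDF2-HMAC-SHA256) and the
1024-character ceiling are assumptions for illustration; the issue does not
say which hasher translate.zanata.org uses.
"""
import hashlib
import hmac
import os
from typing import Optional

MIN_LENGTH = 8        # lower bound quoted in the issue
MAX_LENGTH = 1024     # assumed ceiling, the value floated in the comments
ITERATIONS = 100_000  # assumed work factor
SALT_BYTES = 16
DKLEN = 32            # derived-key length: fixed, whatever the password length


def validate_length(password: str) -> None:
    """Reject passwords outside [MIN_LENGTH, MAX_LENGTH] characters."""
    n = len(password)  # characters, as the form's error message counts them
    if n < MIN_LENGTH:
        raise ValueError(f"password must be at least {MIN_LENGTH} characters")
    if n > MAX_LENGTH:
        raise ValueError(f"password must be at most {MAX_LENGTH} characters")


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || derived key.

    The length check runs before any hashing, so an oversized submission is
    rejected before it can burn CPU; that is the only DoS angle the limit
    needs to close.
    """
    validate_length(password)
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             ITERATIONS, dklen=DKLEN)
    return salt + dk


def verify_password(password: str, stored: bytes) -> bool:
    """Check a candidate against a stored record in constant time.

    The same bound applies here: verifying costs as much as hashing, so a
    login form without the check is just as exposed as the reset form.
    """
    try:
        validate_length(password)
    except ValueError:
        return False
    salt, dk = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    ITERATIONS, dklen=DKLEN)
    return hmac.compare_digest(candidate, dk)


def record_size(password: str) -> int:
    """Bytes the stored record occupies: identical for every accepted
    password, which is the description's point about database space."""
    return len(hash_password(password))


if __name__ == "__main__":
    short = "correct horse"                               # 13 characters
    long_phrase = "correct horse battery staple " * 30     # 870 characters
    print(record_size(short), record_size(long_phrase))   # 48 48
    rec = hash_password(long_phrase)
    print(verify_password(long_phrase, rec))              # True
    try:
        hash_password("x" * (MAX_LENGTH + 1))
    except ValueError as e:
        print("rejected:", e)
```

The limit counts characters because that is what the form's message does; a 1024-character UTF-8 string is at most 4096 bytes, which is still negligible work for any password hasher. One caveat worth checking before raising the ceiling: if the deployed hasher is bcrypt, it only consumes the first 72 bytes of input, so characters beyond that add nothing and the longer limit would need a pre-hash step or a different KDF to be meaningful.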

Luke Brooker
August 20, 2015, 12:48 AM

Agreed. Limiting to 20 characters is not great.

Ready for Release

Assignee

Alex Eng

Reporter

David Mason