Passwords are limited to 20 characters.
Description
Passwords "must be between 8 and 20 characters". 20 is too few for a decent passphrase.
There should be no need for such a low upper limit
it won't take any extra space in the database since all password hashes will be the same length
if the speed to generate a hash is an issue, surely it would only become so at something over 100 characters.
Environment
Observed this on password reset form in translate.zanata.org
Activity
Show:
Luke Brooker
August 20, 2015, 1:26 AM
Sounds reasonable to me.
Luke Brooker
August 20, 2015, 1:26 AM
Sounds reasonable to me.
Sean Flanigan
August 20, 2015, 1:18 AM
Good point. See https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Password_Length
We need some sort of limit to make sure the hashing doesn't lead to a denial of service attack, but I think we could to afford to hash, say, 1024 characters.
Luke Brooker
August 20, 2015, 12:48 AM
Agreed. Limiting to 20 characters is not great.
Ready for Release
Your pinned fields
Click on the next to a field label to start pinning.