My password is not accepted because it is too long
In password security, the longer the better. With a password manager, using more than 24 characters is simple. Unless, of course, the secure password is not accepted due to its length. (In this case, through STOVE.)
Possibly indicating cleartext storage of a limited field (which is an absolute no-go), or suboptimal or lacking security practices.
At least they tell you. I signed up with websites that just cut the password after the 12th character. No way of signing in with the password again (not without trying a couple of times, at least).
One of the accounts that I have to use at my job is like this but much much worse. It only accepts letters and numbers, no capitalization, no symbols and can only be 8 digits long maximum. It's like they want the account to be easy to compromise.
If I have to create a password I'll need to remember and don't have access to my password manager for whatever reason, I have a long phrase that's my go-to, but I have a system about adding numbers and characters to it based on the context of the login. Sites with character limits really fuck that up.
I once used 20 for a bank. The website hadn't told me it was too long, just clipped off 2 and accepted the rest. Not even the banking support was able to help me. Took me a few days to solve this by accident.
At least they tell you. I've had inputs take the full password and then truncate it silently, so you don't actually know what they saved. Then you try to log in and they tell you wrong password.
We have a customer, a big international corporation, that has very specific rules for their intranet passwords:
Must contain letters
Must contain numbers
Must contain special characters
No repeats
Passwords must be changed every two months
Not the same password as any of the last seven
PASSWORDS MUST BE EXACTLY EIGHT CHARACTERS LONG
I can only assume that whoever came up with these rules is either an especially demented BofH, or they have some really really weird legacy infrastructure to deal with.
I once registered an account with a random ~25-character-long password (KeePass PM) for buying tickets on https://uhuu.com.br/
The website allowed me to create the account just fine, but once I verified my e-mail, I couldn't log into it due to there being a character limit ONLY IN THE LOGIN PASSWORD FIELD. Atrocious.
This shit pisses me off so bad. I had an identity theft a few years back, took ages to undo, and my credit score is still impacted by it. At the time I moved to a password manager and all my passwords are 31 characters of garbage. I've got several highly sensitive accounts that my passwords don't work for; in fact one, a bank, until fairly recently had repurposed a phone number field in the DB, so passwords were limited to 10 characters, numeric only (I managed to get one of their IT folks on the horn to explain why the password was so awful).
I cannot believe we live in 2025 and we still haven’t figured out passwords.
My favorite is when they don't have this check, but silently slice the string to meet the requirement, so that you can't login with the original password the next time.
How about creating a new account, letting Bitwarden create a password, only for them to send me a clear text copy of that password in their confirmation email...
Your password MUST contain big and small letters, and contain at least 1 number character and 1 special character, it MUST be 8 characters long, and it MUST be typed on a German Cherry keyboard between 8-9 PM, using ONLY 1 finger while blindfolded and listening to ABBA music. BUT NO SPACES ALLOWED!!!
This is because of something called entropy we never even read about so we have zero understanding of it. Of course combined with lousy programming, so safety is all on you.
Making all these possibilities OPTIONAL would actually make for safer passwords (higher entropy), as would using multiple words separated by spaces. The only meaningful way to accept a password would be to test it against common bad passwords, and test the entropy to determine acceptable levels. There is no good reason a password couldn't be 10 words and at least 127 characters. There is no way that should stress a properly designed modern system.
Don't worry, pretty soon they will just block password managers from autofilling fields on their login page so that you HAVE to remember your password! Then you'll be happy it can't be that long; you can only fit so much on a post-it note on the side of your monitor.
/s
EDIT: I think there should be a law against blocking password managers for filling in fields. Any brute force bots are going to submit HTTP requests directly anyway; no one is hitting the DOM to do that
Funniest experience that I've had is that I made a PSN (PlayStation Network) account with a 64 (iirc, might have been 32, don't remember) character password. That worked making the account on my PC on their website. Never was able to log into that account on my PlayStation though, and the error message was just some generic error. Support didn't know what was going on and I didn't either until it dawned on me. The password was too long for the console. Changed the whole thing to a shorter one and now it works everywhere. Used to work on their website, not in the app, not on console. Fun.
The password on my PC is something like 30 characters long. Back when win10 was first coming out, they were pushing getting an actual outlook account and tying that to your login. I was hesitant at first, but figured I'd try it out and see how that worked for me.
Turns out outlook accounts (at the time) had something like a 16 character limit on passwords. Bruh.
Then again, there's not much point to super long passwords. They'll be turned into hashes, commonly of 128, 196, or 256 bits length. When brute forcing, by a certain length, it's pretty much guaranteed there's a shorter combination computing to the same hash. And an attacker doesn't need your password, just some password that computes to the same hash. With 256 bit hashes a password with 1000 characters isn't more secure than one with 15 in any meaningful way.
Oh, this has been a big pet peeve of mine for a while. After starting to use password managers I figured I would standardize on the largest required characters, only to find a source whose maximum characters were lower than another's minimum characters.
I got a login on an IBM system. I logged in and moved to the change password mask. Changed my password to something filling out the 12 character new password field. Logged out, and got the login mask again. With an eight character password field.
When I banked with wells fucking fargo they had issues similar to this. I had something like a 16 character password and I once forgot the last character and it accepted it anyway, so there was some kind of character limit that they didn't make obvious.
I also had a time I accidentally had caps lock on, and my password still was accepted. Their passwords were not case sensitive even though their password screen says they were.
My rationale is that online accounts typically don't get brute forced due to rate limiting and not protection. The NIST guidelines don't specify requirements for online accounts specifically but it does recommend a password of 16 characters in general. I don't really see any need to go above that as you are just making it harder on yourself.
24 is fine, not as bad as 12 and no special character. That's honestly the worst one I've encountered.
My bank app doesn't allow copy-paste, so I can't have anything that long and hard to type, and they tend to request password login when transferring money.
I had this problem with a fucking bank once. Even better are the sites that silently chop off characters after the internal limit, on the backend, but don't tell you or limit the characters on the frontend. I had a really fun time with that last scenario once, resetting my password over and over and having it never work until I decided to just try a shorter password.
In my opinion, an acceptable password length should be L in ln(alphabetSize^L)/ln(2) = (B bits of entropy). For a Bech32 character set (since it excludes ambiguous characters), alphabetSize = 32. A good password should have between 96 and 256 bits of entropy, with 128 bits being my personal preference. This means L = B*ln(2)/ln(alphabetSize) = 128*ln(2)/ln(32) = 25.6 = 26 characters.
That's… pretty close to what OP said they were restricted to, so maybe the person who set the 24 character restriction used a similar methodology.
At one point years ago my work finally caught up with the 21st century and allowed creation of passwords longer than the fixed 8 characters it had always been. So I said great, made up something that was around 12 or so that I could remember. Until I logged into some terminal legacy programs we were still using and wouldn't take that length. So yeah, I went back to 8 characters that wouldn't break things. They eventually migrated away from such old programs and longer passwords became mandatory since they'd work everywhere, but I thought it was funny that briefly I tried to do the right thing but IT hadn't thought out the whole picture yet.
YES, it pisses me off so much. Though I do kind of see, for some things, having some upper limit of 256 for certain services. But I may be wrong in thinking that.
For example, I want a secure bank password, but I only need it so long. Mainly because, unlike my E2EE service, if they are served a warrant or hacked through another service, all my data is there. Basically I can only do so much.
Most likely it's just a validation not related to actual storage of the information.
It's something that can happen automagically when using a library. I wouldn't be too surprised if this length limitation is just a default of whatever registration solution they are using.
My best experience... They allowed me to set a 100-character password, but then changed the limits a year later, so that you couldn't even log in anymore.
There was a game launcher for a popular game that required a minimum of 8 characters but only used the first 8 characters and it wasn't case sensitive. So something like PassWord12345!? could be entered when changing the password, but you could sign in with any of the following:
password1234
PassWord123499(#$%
Password12345!?
passWord12345!
pASSword12345?!
PassWord123499(#$%
password
I haven't logged in for years so I'm not sure if it is still working that way.
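An added example, not code from the thread or from any real launcher: a constructed, deliberately defective hasher (`weak_hash`, hypothetical) models the behaviour described above (only the first 8 characters count, case ignored) beside a PBKDF2 hasher, and `truncation_probe` is the kind of self-check a defender can run against their own hash/verify pair to catch silent truncation or case folding before users do.

```python
import hashlib
import hmac
import os

# Constructed, deliberately defective hasher modelling the launcher behaviour
# described in the comment above: only the first 8 characters matter and case
# is ignored. Hypothetical name; not code from any real product.
def weak_hash(password: str, salt: bytes) -> bytes:
    folded = password[:8].lower().encode("utf-8")
    return hashlib.sha256(salt + folded).digest()

# Correct counterpart: every byte of the password, case included, feeds the KDF.
def strong_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def verify(hash_fn, stored: bytes, salt: bytes, candidate: str) -> bool:
    # Constant-time comparison of the stored digest against the candidate's.
    return hmac.compare_digest(stored, hash_fn(candidate, salt))

def truncation_probe(hash_fn, password: str) -> dict:
    """Report which deliberately wrong candidates `hash_fn` still accepts.

    A correct hasher accepts none of them; any True value means part of the
    password (tail or letter case) is discarded before hashing.
    """
    salt = os.urandom(16)
    stored = hash_fn(password, salt)
    candidates = {
        "case_changed": password.swapcase(),
        "last_char_dropped": password[:-1],
        "extra_char_appended": password + "x",
        "only_first_8": password[:8],
    }
    return {name: verify(hash_fn, stored, salt, c) for name, c in candidates.items()}

if __name__ == "__main__":
    # Constructed sample password taken from the comment above.
    for name, fn in (("weak_hash", weak_hash), ("strong_hash", strong_hash)):
        print(name, truncation_probe(fn, "PassWord12345!?"))
```

Every True in the weak hasher's report corresponds to one of the sign-in variants listed above; the PBKDF2 hasher reports all False.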
Sounds like they're using bcrypt. Feeding more than 24 utf8 characters into bcrypt won't do anything useful. You can permit longer passwords (many sites do) but they'd be providing a false sense of security.
Bcrypt is still secure enough and 24 characters are fine as long as they're randomly generated by your password manager.
It can also be just a randomly chosen limit. I work as a software engineer on a custom management software for a big client. For whatever reason, until recently the limit for email addresses in the master data was 50 characters. Why? No clue, but someone had decided that randomly in the past. Now it was increased to 100. Why again? According to RFC 5321 a limit of 254 would be the most sensible one. But the people who come up with those requirements just don't care. They decided it to be 100 from now on for no apparent reason.
Then we have many input fields that have a limit of 255 characters. Why not 256? Why such a weird number in general? The people who use this software in production are most likely not the ones who usually think in powers of two. So why not make it 250 or 300 or whatever?
Sometimes those limits are just arbitrary with no technical or logical reason to back them up. Which doesn't make it less stupid mind you.
Used to run into this more. Some legacy systems imposed password limits that seem archaic by modern standards. The authentication system was just supporting systems from before newer standards were created.
I think some of those compatibility layers outlived the systems they needed to be compatible with. The people that knew the system retired ages ago and the documentation was lost 3 or 4 "documentation system" changes ago.