Old 02-06-2016, 09:44 PM   #1
Xandaros
Unable to log in with password longer than 50 characters

Hello,

I registered yesterday and found myself unable to log in from my other machine. Turns out that, when registering (or changing your password), the input boxes are limited to 50 characters. Anything above that simply gets trimmed off.

The log in box on the main page does not have any such restrictions and will happily accept my 64 character password. What happens next is that I registered with a 50 character password, but try to log in with a 64 character long password. Which is obviously a mismatch.

I may be paranoid for using such long passwords, but this is clearly a bug. Please fix.
By the way: Why the limit? Looks like you compute the MD5 (insecure, btw) hashes on the client, anyway. On a side note - do you even salt them? Not that it matters with MD5...
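The mismatch reported in this first post, modelled in Python as an added example (not MobileRead's code and not part of the original post). The 50-character limit and the client-side MD5 come from the post; the function names, the reject-instead-of-truncate rule and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os

MAX_LEN = 50             # limit of the registration box, as reported in the post
PBKDF2_ROUNDS = 600_000  # assumed work factor for the hardened variant


class PasswordTooLong(ValueError):
    """Raised instead of silently trimming the input."""


def browser_field(value, maxlength=None):
    """Emulate an HTML input box: text beyond maxlength is silently dropped."""
    return value if maxlength is None else value[:maxlength]


def client_md5(password):
    """Unsalted MD5 computed client-side, as the post describes."""
    return hashlib.md5(password.encode()).hexdigest()


def flawed_register(typed):
    # Registration box is capped: the digest covers only the first 50 characters.
    return client_md5(browser_field(typed, MAX_LEN))


def flawed_login(stored, typed):
    # Login box has no cap: the digest covers everything the user typed.
    return hmac.compare_digest(stored, client_md5(browser_field(typed)))


def checked(password):
    """One server-side rule shared by every form: reject, never truncate."""
    if len(password) > MAX_LEN:
        raise PasswordTooLong(f"password is longer than {MAX_LEN} characters")
    return password.encode()


def hardened_register(typed):
    # Per-user random salt and a slow KDF instead of a bare MD5 digest.
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", checked(typed), salt, PBKDF2_ROUNDS)


def hardened_login(record, typed):
    salt, key = record
    try:
        candidate = hashlib.pbkdf2_hmac("sha256", checked(typed), salt, PBKDF2_ROUNDS)
    except PasswordTooLong:
        return False
    return hmac.compare_digest(key, candidate)


LONG_PW = "0123456789abcdef" * 4  # constructed 64-character sample password

if __name__ == "__main__":
    digest = flawed_register(LONG_PW)
    print("flawed: full password accepted?", flawed_login(digest, LONG_PW))
    print("flawed: first 50 chars accepted?", flawed_login(digest, LONG_PW[:50]))
```

In the flawed flow the account is created without any error and only the trimmed 50-character prefix logs in; in the hardened flow the overlong password is refused at registration, so the user learns about the limit before being locked out.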
Old 02-06-2016, 11:23 PM   #2
Cinisajoy
Most places require passwords between 8 and 20 characters.
Old 02-06-2016, 11:34 PM   #3
eschwartz
Most places warn you...


That being said, I have never bothered with a 64-character password.
15-20 characters are meaningfully secure already, how much more secure can you get?


On a vaguely similar note (I think), the GnuPG people still tell everyone that RSA-4096 is not really worth it.

Last edited by eschwartz; 02-06-2016 at 11:38 PM.
Old 02-07-2016, 12:24 AM   #4
Cinisajoy
Quote:
Originally Posted by eschwartz
On a vaguely similar note (I think), the GnuPG people still tell everyone that RSA-4096 is not really worth it.
Please translate this from geek to English.
You confused "the people".
Old 02-07-2016, 12:38 AM   #5
eschwartz
Would you know a crypto if it bit you?
Have you ever used an SSH key to remotely login to another computing device via the command line?




Have you ever worried about cryptographically signing your messages or files to prove it was you who wrote it?
Examples:
https://www.gnupg.org/
https://emailselfdefense.fsf.org/en/

Last edited by eschwartz; 02-07-2016 at 12:44 AM.
Old 02-07-2016, 12:39 AM   #6
Cinisajoy
Only if it is a quiz.


In answer to your question, nope never have.
I have had no need to prove I am me.

Last edited by Cinisajoy; 02-07-2016 at 01:02 AM.
Old 02-07-2016, 12:50 AM   #7
eschwartz
Snowden fled to save your soul (from NSA exploitation), you unappreciative... something.
Old 02-07-2016, 04:25 PM   #8
Xandaros
Yes, you're absolutely right - nobody needs passwords longer than 50 characters. People who do that are stupid, let's screw them over by making it so anyone using a password longer than 50 characters is unable to login without warning. Sounds like a very good idea.

...

This is not about whether it makes sense to use such long passwords, this is about how the site handles them.
Old 02-07-2016, 05:05 PM   #9
eschwartz
I am not saying you are stupid.

I was commenting in response to Cinisajoy -- I said that while it is true many places have an 8-20 character restriction, they warn you of that fact.

Doing proper error checking is ALWAYS necessary.




Given that few people use 50+ characters, I am not completely flabbergasted that the handling for such cases has a bug... but again, I still don't think it is fair to accuse me of saying that it is your fault, merely because I said it is unnecessary to use passwords of that length.

I hope I am still allowed to wander in the direction of vaguely, ever-so-slightly offtopic? It is customary in these parts, after all.
Old 02-07-2016, 05:30 PM   #10
Cinisajoy
Quote:
Originally Posted by Xandaros
Yes, you're absolutely right - nobody needs passwords longer than 50 characters. People who do that are stupid, let's screw them over by making it so anyone using a password longer than 50 characters is unable to login without warning. Sounds like a very good idea.

...

This is not about whether it makes sense to use such long passwords, this is about how the site handles them.
He was not calling you stupid. He was talking to me at that point because I couldn't translate his post.
Old 02-08-2016, 10:13 AM   #11
Sweetpea
Quote:
Originally Posted by eschwartz
Given that few people use 50+ characters, I am not completely flabbergasted that the handling for such cases has a bug... but again, I still don't think it is fair to accuse me of saying that it is your fault, merely because I said it is unnecessary to use passwords of that length.
I use a password generator, it generates nice sentences. I now have several passwords that are way longer than 20 characters (needless to say, I can't function without my password manager anymore).

You must know this one!

https://xkcd.com/936/
Old 02-08-2016, 11:38 AM   #12
eschwartz
Yes, I know that one, and it's kind of silly the way dictionary attacks make those far easier than they look (to people who don't realize it is a comic).

I think most people don't realize what Randall was actually saying. People are lousy at generating entropy, but they still think they can do it -- so they do.

Given a string of x length, generated by either correct horse battery staple (CHBS) or pseudorandom characters (`strings /dev/urandom`), pseudorandom always wins.
You can pack a lot more entropy into smaller space. And your password manager is remembering it anyway.

But people being people, who tend to write things down on post-it-notes, the webcomic-not-security-analysis is making the point that you will be better served by CHBS than by exchanging "a" --> "@" ad nauseam.
Of course there are other rules too, chiefly the adage about the bear.
Also the one about (not) using MD5.
Old 02-08-2016, 12:48 PM   #13
Cinisajoy
To the OP,
My best advice is shorten your password for Mobileread.
That way you can log in from any device.
Old 02-08-2016, 08:26 PM   #14
Xandaros
Right, so... What I did in my last post here is called an exaggeration. You may have heard of it before, but if not: https://en.wikipedia.org/wiki/Exaggeration (Also a fair amount of sarcasm)
I was merely trying to express my annoyance that people seem to fail to see the point of this post. (I even included that bit about me being paranoid in the first post. Take a hint...)

@Sweetpea: Yes, I remember that one!

@eschwartz: I also use a password generator. That's why I can afford to use insanely long and unique passwords everywhere. It's just a shame that there are so many websites that handle long passwords very poorly. (This being one of them)

@Cinisajoy: There is no way for me to not shorten it, considering it being trimmed down caused me to be unable to log in in the first place. I did generate a new, exactly 50 character long, password, though.
Whatever the case, you are missing the point, though. I'm not looking for a solution to this problem. The solution is obvious: Use a shorter password.
I am also not concerned about the security. 50 characters is plenty, the MD5 issue is about as bad as it gets, anyway. (Might as well store them in plain text at this point)

No - this is in the Feedback subforum and I'm giving feedback about a bug I encountered on the website and hope that someone fixes it. It's not like this can be solved by removing 28 characters from some files or anything... oh, wait.

Last edited by Xandaros; 02-08-2016 at 08:30 PM.
Old 02-08-2016, 08:58 PM   #15
Cinisajoy
Glad you didn't need my solution but someone else might.
Perhaps someone will put a password length warning now that they know about the problem.

Oh and there are free drinks in the lounge area.
All times are GMT -4.