Bug with password reset/login page and password length

By: danatkinsontablet | 30-08-2017 12:16

Hi there,

I've noticed a problem relating to a difference between your password reset page and the login page.

On your password reset page, you (inexplicably!) restrict passwords to 25 characters in length. However, this is not mentioned at all on the page. You only state the restrictions for minimum length and letters/numbers/symbols - no max length.

I use a password manager (best practice) to store my logins and usually my passwords are at least 30 characters long. When I created and pasted my password into your site, because your reset page has a max length of 25 characters on the input field, it simply truncates the rest of the password I created, and doesn't say a thing. So I update the password thinking I've now changed it to 30 characters but it's actually 25.

Then, on the login page, there is no restriction on password length, so I paste in my 30 character password and it fails - because you don't truncate your passwords on the login page.

This means that you've got a functionality difference between the reset and login pages. You restrict it on the reset page but not the login page. Further, you restrict passwords to 25 characters which is quite a small amount. I can't think of a good reason why you would restrict passwords to anything less than 100 characters. Ultimately, when the password goes into your system, it gets hashed (or it had better!) and converted into a string with a length that's the same as all the other passwords, so it has nothing to do with storage restrictions.

So, I have several points:

  1. You need to be up front about password length limits. You mention min 8 chars but don't mention max 25! You simply truncate a longer password without mentioning anything (UX flaw).
  2. Your login page has no restrictions on the password length. So if I create one in my password manager and paste it over, it's not cut off (UX flaw).
  3. There's no good reason why you restrict password length to that short. Seriously! If you have technical reasons, that's very worrying (security flaw).

Thanks, Dan


by: keithwooldridge
on: 22-09-2017 20:54

Remembering such long passwords must be difficult in itself, but a good point, well presented.

by: yorkypaul
on: 27-09-2017 08:59

Longer passwords give more protection and greater character choice.

by: teddy_chitchat
on: 26-09-2017 08:16

Very good point made, Dan - more and more people are taking the wise precaution of using password managers, so long, complicated, individual passwords for every log-in account aren't a problem, as one doesn't need to remember them, just use the password manager to log in. But the account one is logging in to does need to give clear and helpful guidelines to its customers on password protocol. I had exactly this problem (using the excellent 1Password manager) using a format of password that is not recognised, but no guidelines were given as to what is accepted. GiffGaff - please include clear, helpful instructions - and yes, like Dan says, why reduce and limit the password length anyway? Teddy

by: seryl
on: 24-09-2017 00:11

Yes, I agree with keithwooldridge, long passwords are annoying, but if there's an option of doing short and long, that's the best.

by: bazuk
This may cause more trouble than it's worth. Changing passwords: apps like the LastPass add-on have their problems logging in at times, and nobody can remember such long, difficult passwords unless saving them in Notepad, which is dangerous. Please reconsider.

by: adammorris20
on: 14-09-2017 10:02

Good point, Dan, as I've had several problems logging in using the right password, as I use the same for everything.

by: kylepage93
on: 13-09-2017 15:59

Internet speed is dreadful.

by: sharky28
on: 09-09-2017 17:59

I agree with Dan, there should be a minimum and a maximum length for passwords.

by: bluemoonbaz
on: 01-09-2017 09:04

Nice point, Dan, and hopefully this will get looked into.