Bug with password reset/login page and password length

By: danatkinsontablet | 30-08-2017 12:16

Hi there,

I've noticed a problem relating to a difference between your password reset page and the login page.

On your password reset page, you (inexplicably!) restrict passwords to 25 characters in length. However this is not mentioned at all on the page. You only state the restrictions for minimum length, letters/numbers/symbols - no max length.

I use a password manager (best practice) to store my logins and usually my passwords are at least 30 characters long. When I created and pasted my password into your site, because your reset page has a max length of 25 characters on the input field, it simply truncates the rest of the password I created, and doesn't say a thing. So I update the password thinking I've now changed it to 30 characters but it's actually 25.

Then, on the login page, there is no restriction on password length, so I paste in my 30 character password and it fails - because you don't truncate your passwords on the login page.

This means that you've got a functionality difference between the reset and login pages. You restrict it on the reset page but not the login page. Further, you restrict passwords to 25 characters which is quite a small amount. I can't think of a good reason why you would restrict passwords to anything less than 100 characters. Ultimately, when the password goes into your system, it gets hashed (or it had better!) and converted into a string with a length that's the same as all the other passwords, so it has nothing to do with storage restrictions.

So, I have several points:

  1. You need to be up front about password length limits. You mention min 8 chars but don't mention max 25! You simply truncate a password longer without mentioning anything (UX flaw).
  2. Your login page has no restrictions on the password length. So if I create one in my password manager and paste it over, it's not cut off (UX flaw).
  3. There's no good reason why you restrict password length to that short. Seriously! If you have technical reasons, that's very worrying (security flaw).

Thanks, Dan
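An added example (not from the original post or the site it describes) that reproduces the mismatch Dan reports and the corrected version: one shared length policy used by both reset and login that rejects instead of silently truncating. The 8-character minimum and 25-character reset cap are from the post; the 128-character upper bound, the PBKDF2 parameters and the salt are assumptions.

```python
import hashlib
import hmac

# Limits reported in the post: minimum 8 characters, reset field capped at 25.
MIN_LEN = 8
RESET_FIELD_MAX = 25
# Assumed generous upper bound for the corrected policy (not from the post).
POLICY_MAX = 128
# Constructed salt for the demo; a real system stores a random per-user salt.
SALT = b"constructed-demo-salt"


def hash_password(password: str, salt: bytes = SALT) -> bytes:
    """PBKDF2-HMAC-SHA256: the digest is always 32 bytes, whatever the input length."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def buggy_reset(password: str) -> bytes:
    """The reported reset page: the field silently drops everything past 25 chars."""
    return hash_password(password[:RESET_FIELD_MAX])


def login(password: str, stored: bytes) -> bool:
    """The reported login page: no truncation, the full string is hashed and compared."""
    return hmac.compare_digest(hash_password(password), stored)


class PasswordPolicyError(ValueError):
    """Raised when a password falls outside the advertised length limits."""


def check_policy(password: str) -> str:
    """Single policy shared by reset and login: reject, never truncate."""
    if not MIN_LEN <= len(password) <= POLICY_MAX:
        raise PasswordPolicyError(
            f"password must be between {MIN_LEN} and {POLICY_MAX} characters"
        )
    return password


def fixed_reset(password: str) -> bytes:
    """Corrected reset: the same policy the login page enforces, applied up front."""
    return hash_password(check_policy(password))


def fixed_login(password: str, stored: bytes) -> bool:
    """Corrected login: identical policy, so what was set is exactly what verifies."""
    try:
        return hmac.compare_digest(hash_password(check_policy(password)), stored)
    except PasswordPolicyError:
        return False
```

Run against a 30-character password, `buggy_reset` followed by `login` fails while the first 25 characters succeed, which is exactly the lockout described above; the fixed pair accepts the full string and refuses anything over the stated limit.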

Comments

by: keithwooldridge
on: 22-09-2017 20:54

Remembering such long passwords must be difficult in itself, but a good point well presented

by: reimon
on: 08-12-2017 21:08

nice

by: kamile_k
on: 04-11-2017 10:23

ok

by: mila27
on: 01-11-2017 10:42

good

by: sibtahmed
on: 28-10-2017 21:32

Good idea.

by: vladi2805
on: 28-10-2017 20:31

Completely agreed with Dan!

by: cass905
on: 23-10-2017 11:18

there's bugs everywhere after every update

by: chand311
on: 22-10-2017 00:33

Agreed with Dan.

by: yorkypaul
on: 27-09-2017 08:59

longer passwords give more protection and greater character choice

by: teddy_chitchat
on: 26-09-2017 08:16

Very good point made Dan - more & more people are taking the wise precaution to use password managers, so long complicated individual passwords for every log-in account aren`t a problem as one doesn`t need to remember them, just use the password manager to log-in. But the account one is logging in to does need to give clear & helpful guidelines to it`s customers on password protocol. I had exactly this problem (using the excellent 1Password manager) using a format of password that is not recognised, but no guidelines given as to what is accepted. GiffGaff - please include clear helpful instructions - & yes like Dan says, why reduce & limit the password length anyway. Teddy