Password 8-255 characters

Soldato
Joined
27 Dec 2005
Posts
17,296
Location
Bristol
Just bought something from the Samsonite website and when creating an account it asks for a password that's 8-255 characters long. I'm not that much of an expert on these things but that sounds like they're storing passwords unencrypted as TINYTEXT.

Would there be any other reason why you would set a limit on password lengths? I know some companies set a limit of, say, 16, but I assume that's to make people choose memorable ones to get fewer password reset requests. But 255 seems oddly coincidental!
 
Associate
Joined
21 May 2013
Posts
1,991
I would do a "forgot my password" and see what comes back. Either way it does strike me as a bit suspicious.
 
Soldato
Joined
16 Jun 2013
Posts
5,375
Edit: never mind, being thick :D.

I do hate when websites limit your password length. Companies House is horrific for not allowing special characters.
 
Soldato
Joined
23 Feb 2009
Posts
4,976
Location
South Wirral
A developer likely just picked a number they liked for the width of a database column :)

"Funny" characters often get excluded because people are too thick/lazy/paranoid to handle SQL injection attacks properly - and writing a regular expression to check for things like sequences of funny characters gets error-prone really fast.
 
Soldato
Joined
23 Feb 2009
Posts
4,976
Location
South Wirral
This would suggest that the passwords are not being hashed, which was the OP's point.

Doh! I meant input field size, honest. 255 should be more than enough even for people using things like KeePass to generate random passwords. The usual way to tell for sure is to go to the password reset screen and see if you get your original back.
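
An added example, not part of any post in this thread: it shows why neither the stored column width nor "funny" characters need to constrain the password when it is hashed with a salt and written through a bound SQL parameter. The table layout, storage format, sample passwords and PBKDF2 work factor are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import sqlite3

MIN_LEN, MAX_LEN = 8, 255   # the limits quoted in the thread
ITERATIONS = 200_000        # assumed demo work factor; tune to your hardware

def hash_password(password: str) -> str:
    """Return 'iterations$salt_hex$digest_hex'; its length never depends on the password."""
    if not MIN_LEN <= len(password) <= MAX_LEN:
        raise ValueError("password must be 8-255 characters")
    salt = os.urandom(16)   # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def demo() -> dict:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    samples = {             # constructed sample passwords
        "short": "hunter22",
        "long": "x" * 255,
        "funny": "pa'ss\"; DROP TABLE users;--é€",
    }
    for name, pw in samples.items():
        # Bound parameters: the value is never spliced into the SQL text.
        db.execute("INSERT INTO users (name, pw_hash) VALUES (?, ?)",
                   (name, hash_password(pw)))
    rows = dict(db.execute("SELECT name, pw_hash FROM users"))
    return {
        "stored_lengths": {len(h) for h in rows.values()},
        "all_verify": all(verify_password(samples[n], rows[n]) for n in samples),
        "wrong_rejected": not verify_password("hunter23", rows["short"]),
        "row_count": len(rows),
    }
```

With this layout the stored value is the same width for an 8-character and a 255-character password, so an upper limit only has to bound the work done on the input, not fit a column.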
 