Password Entry Limit - why just why?

Admittedly having a 13-byte (104-bit) hash would be pretty crap in this day and age. However, I'm fairly sure having a fixed-length hash for any given hashing algorithm is standard, at least with the ones I'm familiar with (e.g. SHA256 always produces a 256-bit/32-byte digest). If you start allowing the length of the password to influence the length of the digest in an obviously correlated (i.e. longer password = longer hash) way then you're giving away information about the hashed data which is a bad thing because it reduces the size of the space an attacker would have to search through in order to brute force the password and would make short, easy to attack passwords obvious.

Ah, didn't put my point clearly. I wasn't complaining about fixed-length hashes (that makes sense), but just that there's still a surprising number of systems where people could be putting in 20-30+ char passwords and thinking they are being extra secure, but their password is still being stored as a <128-bit hash, the same as if someone put in 1234. While their password is a bit harder to guess, it's no more secure against brute force than a much shorter password.
 
Just be happy you don't have to deal with some of the password policies I have at work.
One of our partner websites that I need to use has the following:
6 - 10 chars
Must have 1 capital, 1 number, 1 special
Forced password change every month
Cannot use the previous 100 passwords

So, what most people at work do is write the password on a post-it note and stick it to their screens...
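As an added example (not from any of the posts above), here is the search-space arithmetic behind the 6-10 character policy quoted in this post, with a checker for the policy itself. It assumes the 95 printable ASCII characters split into 26 upper, 26 lower, 10 digits and 33 "special" (punctuation plus space), and counts the accepted passwords by inclusion-exclusion rather than guessing at them. The tiny-alphabet enumerator exists only to cross-check the formula.

```python
"""Keyspace of the 6-10 char / 1 upper / 1 digit / 1 special policy.

Added example for the thread, not code from any poster. The character
classes below are an assumption (Python's string module split of the
95 printable ASCII characters).
"""
from itertools import product
from math import log2
import string

UPPER = string.ascii_uppercase          # 26
LOWER = string.ascii_lowercase          # 26
DIGIT = string.digits                   # 10
SPECIAL = string.punctuation + " "      # 32 punctuation + space = 33


def meets_policy(pw, min_len=6, max_len=10, upper=UPPER, lower=LOWER,
                 digit=DIGIT, special=SPECIAL):
    """True if pw has an allowed length, only allowed characters, and at
    least one upper-case letter, one digit and one special character."""
    alphabet = upper + lower + digit + special
    if not (min_len <= len(pw) <= max_len):
        return False
    if any(c not in alphabet for c in pw):
        return False
    return (any(c in upper for c in pw)
            and any(c in digit for c in pw)
            and any(c in special for c in pw))


def policy_keyspace(min_len=6, max_len=10, upper=UPPER, lower=LOWER,
                    digit=DIGIT, special=SPECIAL):
    """Count the passwords the policy accepts, by inclusion-exclusion.

    For each length L: all strings over the alphabet, minus strings missing
    one required class, plus strings missing two, minus strings missing all
    three (which leaves only lower-case-only strings).
    """
    u, d, s = len(upper), len(digit), len(special)
    n = u + len(lower) + d + s
    total = 0
    for L in range(min_len, max_len + 1):
        total += (n ** L
                  - (n - u) ** L - (n - d) ** L - (n - s) ** L
                  + (n - u - d) ** L + (n - u - s) ** L + (n - d - s) ** L
                  - (n - u - d - s) ** L)
    return total


def keyspace_bits(count):
    """Size of a keyspace expressed as bits an attacker has to search."""
    return log2(count)


def brute_force_keyspace(min_len, max_len, upper, lower, digit, special):
    """Enumerate every string and count the compliant ones. Only usable
    with tiny alphabets; it is here to cross-check policy_keyspace()."""
    alphabet = upper + lower + digit + special
    hits = 0
    for L in range(min_len, max_len + 1):
        for chars in product(alphabet, repeat=L):
            if meets_policy("".join(chars), min_len, max_len,
                            upper, lower, digit, special):
                hits += 1
    return hits


if __name__ == "__main__":
    # Cross-check the formula on a constructed 6-character alphabet.
    tiny = dict(upper="AB", lower="ab", digit="1", special="!")
    assert policy_keyspace(1, 3, **tiny) == brute_force_keyspace(1, 3, **tiny)

    count = policy_keyspace()
    print(f"policy accepts {count} passwords, about {keyspace_bits(count):.1f} bits")
    # Compare with an unconstrained 30-character password over the same 95 chars.
    print(f"95^30 is about {keyspace_bits(95 ** 30):.1f} bits")
```

The partner site's policy comes out at roughly 65 bits of keyspace, well below the 104-bit digest mentioned earlier in the thread, so for that policy the password, not the hash length, is the weak part. A 30-character password over the same alphabet is about 197 bits, which is where the earlier point about digests shorter than the password's keyspace starts to apply.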

The password for the UNIX level at work has harsher requirements than this: we cannot re-use a password we have used before, ever, and it must be 11+ characters and include 1 upper case, 1 lower case, 1 number and 1 special character.

We need to renew our accounts every 6 months as well, damn you HP. :mad:
 
It's due to how their technology stores a record in the database, which then comes down to who they hired to code the platform, which then comes down to where and how they host it, which then comes down to £ per person.
You could set one of these methods up for yourself, tick away at it for a few months and then see how much money you'd be willing to throw at it, at which point I think you'd get an idea of why this problem ain't such a big deal.
Just like the loaf of bread, £.
 
I had to set up a Microsoft account yesterday and it had a 16-character limit on the password, which surprised me.
 