this post was submitted on 09 Sep 2024
595 points (99.5% liked)

Programmer Humor

19463 readers
376 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

founded 1 year ago
MODERATORS
 

Edit: @Successful_Try543@feddit.org solved it. It says "one special character". Not "at least one".

you are viewing a single comment's thread
view the rest of the comments
[–] refalo@programming.dev 28 points 1 month ago (2 children)

Now imagine how many services just silently cut off your password at 8 characters and people never notice.

UltraVNC is very guilty of this.

[–] Scoopta@programming.dev 16 points 1 month ago

Wells Fargo cuts to 14 on their sign in page but not on their change password page, ask me how I know

[–] Buddahriffic@lemmy.world 12 points 1 month ago (2 children)

Once upon a time, battle.net passwords weren't case sensitive. I used upper and lower case letters in my password then one day realized I didn't hit shift for one of the caps as I hit enter out of habit, but then it still let me in instead of asking for the password again.

It was disappointing because it takes more work to remove case-sensitivity than to leave it. I can't think of any good reason to remove it. At least the character limit had a technical reason behind it: having a set size for fields means your database can be more efficient. Better to use the size of a hash and not store the password in plaintext, so it's not a good reason, but at least it's a reason.

[–] lud@lemm.ee 12 points 1 month ago* (last edited 1 month ago) (2 children)

It's possible that the passwords want through an old ass cobalt system or something that forced everything to be capitalized so to solve that they made everything non case sensitive.

But even that sounds insane as the passwords should have been hashed.

[–] ulterno@lemmy.kde.social 1 points 1 month ago

What if they got hashed by that cobalt system :P

[–] NotAnonymousAtAll@feddit.org 7 points 1 month ago (1 children)

At least the character limit had a technical reason behind it: having a set size for fields means your database can be more efficient.

If that is the actual technical reason behind it, that is a huge red flag. When you hash a password, the hash is a fixed size. The size of the original password does not matter, because it should not be stored anyway.

[–] Buddahriffic@lemmy.world 3 points 1 month ago (1 children)

Correct, hence the sentence after the one you quoted :)

If any service can recover your password and send it back to you rather than just resetting it for you to set a new one, don't rely on that service for anything you want to keep secure. And certainly don't reuse a password there, though you shouldn't be reusing passwords anyways because who knows what they are and aren't storing, even if they don't offer password recovery.

[–] NotAnonymousAtAll@feddit.org 3 points 1 month ago (1 children)

Sorry, didn't want this to look like an attack or disagreement. Just wanted to highlight that point, because arbitrary maximum sizes for passwords are a pet peeve of mine.

[–] Buddahriffic@lemmy.world 3 points 1 month ago (1 children)

Yeah no worries and agreed. I hate seeing commercial sites using worse password sanitization practices than I used for my first development website that wasn't even really intended for anyone else to log in to and any max length suggests the password is either stored or processed in plaintext.

IMO it should even be hashed on the client side before being sent so that it doesn't show up as plaintext in any http requests or logs. Then salted and hashed again server side before being stored (or checked for login).

[–] SpaceCowboy@lemmy.ca 2 points 1 month ago (1 children)

IMO it should even be hashed on the client side before being sent so that it doesn’t show up as plaintext in any http requests or logs. Then salted and hashed again server side before being stored (or checked for login).

But if someone got that hashed version they could hack the client to have client side hashing code just send that hashed value to the server. You'd want to have the server to send a rotating token of some sort to use for encrypting the password on the client and then validate it on the server side that it was encrypted with the same token the server sent.

Seems complicated to me... https is probably has good enough encryption, so eh, whatever.

[–] Buddahriffic@lemmy.world 1 points 1 month ago

Yeah, if they are able to intercept traffic or access the logs, they probably already have other access to the account without needing the password. If you don't reuse passwords, then your other accounts will be safe from that.