471
top 50 comments
sorted by: hot top controversial new old
[-] hth@lemmy.world 135 points 1 year ago* (last edited 1 year ago)

Anytime you see a password length cap you know they are not following current security standards. If they aren't following them for something so simple and visible, you'd better believe it's a rat infested pile of hot garbage under the hood, as evidenced here.

[-] Primarily0617@kbin.social 66 points 1 year ago* (last edited 1 year ago)

you have to limit it somewhere or you're opening yourself up for a DoS attack

password hashing algorithms are literally designed to be resource intensive

[-] confusedbytheBasics@lemmy.world 13 points 1 year ago* (last edited 1 year ago)

Edited to remove untrue information. Thanks for the corrections everyone.

[-] Primarily0617@kbin.social 10 points 1 year ago* (last edited 1 year ago)

Incorrect.

They're designed to be resource intensive to calculate to make them harder to brute force, and impossible to reverse.

Some literally have a parameter which acts as a sliding scale for how difficult they are to calculate, so that you can increase security as hardware power advances.

load more comments (4 replies)
[-] adambowles@lemmy.world 6 points 1 year ago

Hashes are one way functions. You canā€™t get from hash back to input

load more comments (2 replies)
load more comments (6 replies)
[-] crunchyoutside@kbin.social 57 points 1 year ago

Are you saying that any site which does not allow a 27 yobibyte long password is not following current security standards?
I think a 128 character cap is a very reasonable compromise between security and sanity.

[-] Mrduckrocks@lemmy.world 50 points 1 year ago

Atleast this is reasonable, I have seen some website don't allow more than 6 character.

load more comments (1 replies)
[-] Saneless@lemmy.world 24 points 1 year ago

At least it's 128

I had a phone carrier that changed from a pin to a "password" but it couldn't be more than 4 characters

load more comments (2 replies)
[-] tdawg@lemmy.world 24 points 1 year ago

In theory yes. But in practice the DB will almost always have some cap on the field length. They could just be exposing that all the way forward. Especially depending on their infastructure it could very well be that whatever modeling system they use is tightly integrated with their form generation too. So the dev (junior or otherwise) thought it would be a good idea to be explicit about the requirement

That said, you are right that this is still wrong. They should use something with a large enough cap that it doesn't matter and also remove the copy telling the use what that cap is

[-] TheButtonJustSpins@infosec.pub 32 points 1 year ago

Hashing will make every password the same length.

[-] intensely_human@lemm.ee 15 points 1 year ago

Right but that puts a limit on the hash algorithmā€™s input length. After a certain length you canā€™t guarantee a lack of collisions.

Of course the probability stays low, but at a certain point it becomes possible.

[-] brygphilomena@lemmy.world 7 points 1 year ago

Collisions have always been a low concern. If, for arguments sake, I.hate.password. had a collision with another random password like kag63!gskfh-$93+"ja the odds of the collision password being cracked would be virtually non-existent. It's not a statistically probable occurrence to be worried about.

load more comments (1 replies)
[-] tdawg@lemmy.world 7 points 1 year ago

yup yup. Forgot we were talking about a protected field and not just raw data

[-] BorgDrone@lemmy.one 22 points 1 year ago

You misunderstand the issue. The length of the password should not have any effect on the size of the database field. The fact that it apparently does is a huge red flag. You hash the password and store the hash in the db. For example, a sha256 hash is always 32 bytes long, no matter how much data you feed into it (btw, donā€™t use sha256 to hash passwords, it was just an example. Itā€™s not a suitable password hashing algorithm as itā€™s not slow enough).

[-] tdawg@lemmy.world 6 points 1 year ago

ur absolutely right. Idk why I was thinking about it like a normal text/char field

[-] intensely_human@lemm.ee 22 points 1 year ago

At my job they just forced me to use a minimum 15-character password. Apparently my password got compromised, or at least that was someoneā€™s speculation because apparently not everyone is required to have a 15-char password.

My job is retail, and I type my password about 50 times a day in the open, while customers and coworkers and security cameras are watching me.

I honestly donā€™t know how Iā€™m expected to keep my password secure in these circumstances. We should have physical keys or biometrics for this. Passwords are only useful when you enter them in private.

[-] captainlezbian@lemmy.world 11 points 1 year ago

Yeah you should have a key card. Like not even from a security perspective but from an efficiency one. Tap a keycard somewhere that would be easily seen if an unauthorized person were to even touch or even swipe it if need be. Iā€™m sick and tired of passwords at workplaces when they can be helped

[-] smokie12@feddit.de 5 points 1 year ago

Ask your boss to get you a yubikey

load more comments (1 replies)
[-] skullgiver@popplesburger.hilciferous.nl 5 points 1 year ago* (last edited 11 months ago)

[This comment has been deleted by an automated system]

load more comments (2 replies)
[-] baseless_discourse@mander.xyz 53 points 1 year ago

I know this a a joke, but please use a password manager, it is such a game changer.

Bitwarden is free and E2E encrypted and if you want additonal feature, they only cost 10 bucks pre year. You can even use it with anonaddy to hide your email, which is also totally free and open source.

[-] nodiet@feddit.de 10 points 1 year ago

What are those premium features? I never felt like I was missing something from the free bitwarden

[-] TheButtonJustSpins@infosec.pub 7 points 1 year ago

You can have it generate 2FA TOTP.

[-] baseless_discourse@mander.xyz 7 points 1 year ago

2FA one time code was the reason I got premium (and obviously support FOSS project). It is a slight security downgrade, but a whole lot of QOL upgrade.

I also imagine hardware key support like yubikey would be very appealing for many.

load more comments (1 replies)
[-] lea@mlem.lea.moe 7 points 1 year ago

yubikey/fido2 support is what I'd probably consider premium for

load more comments (2 replies)
[-] qaz@lemmy.world 9 points 1 year ago

Iā€™m already using Bitwarden but I hadnā€™t heard about anonaddy, thanks for the tip!

[-] baseless_discourse@mander.xyz 6 points 1 year ago* (last edited 1 year ago)

They work like a miracle together https://bitwarden.com/blog/add-privacy-and-security-using-email-aliases-with-bitwarden/

What is even more surprising is that even the free tier is perfectly usable, but consider paying if you have the money to support them.

[-] justlookingfordragon@lemmy.world 35 points 1 year ago

I know it's annoying that the password "doesn't match", but ... a 128 character limit?! I'd like to see THAT fully utilized lol.

(PS: the sentence above is exactly 128 characters, just for a comparison.)

...and I bet once you want to change it you get the "your new password can not be the old password" error message just because.

[-] Super_Stone@feddit.de 24 points 1 year ago

An acquaintance of mine has a 36 characters long passcode for his tablet that he manually puts in every time he wants to use it.

And you can use password managers to make secure passwords without ever having to input them yourself.

[-] muzzle@lemmy.world 25 points 1 year ago

That is a very good idea if you want to disincentivise yourself from using your tablet

[-] Super_Stone@feddit.de 6 points 1 year ago

He doesnt use it outside of school stuff and even then prefers to write things on paper, I dont think that he has to make disincentives.

load more comments (1 replies)
[-] turbulentMagma@lemm.ee 35 points 1 year ago

One is clearly uppercase 'i' and the other lowercase 'L'

[-] Kolanaki@yiffit.net 22 points 1 year ago

This is even more infuriating than getting "password incorrect" going in and getting a recovery password, then trying to change passwords to the one you initially used and getting "new password can't be the same as old password."

[-] Snipe_AT@lemmy.atay.dev 19 points 1 year ago
load more comments (1 replies)
[-] finn_der_mensch@discuss.tchncs.de 17 points 1 year ago

Those are L.hateā€¦ and i.hateā€¦, am I seeing that correctly?

[-] CanadaPlus@lemmy.sdf.org 7 points 1 year ago

Is there a software gore community yet?

[-] Mannivu@feddit.it 9 points 1 year ago* (last edited 1 year ago)
[-] CommunityLinkFixer@lemmings.world 12 points 1 year ago

Hi there! Looks like you linked to a Lemmy community using a URL instead of its name, which doesn't work well for people on different instances. Try fixing it like this: !softwaregore@lemmy.world

[-] koinu@lemmy.world 7 points 1 year ago

On the connect for lemmy app, it thinks it's a user lol.

load more comments (4 replies)
load more comments (1 replies)
[-] MrJameGumb@lemmy.world 4 points 1 year ago

Seems like they don't consider a period to be a "special character"

[-] NewNewAccount@lemmy.world 20 points 1 year ago

Thatā€™s not the issue here as the special character check passes. Itā€™s the validation between the two fields thatā€™s broken.

[-] Taxxor@lemm.ee 22 points 1 year ago

Most probably not broken at all.

I.hate.password.
l.hate.password.

The first is a capital i, the second is a lower case L.

[-] glibg10b@lemmy.ml 13 points 1 year ago

I noticed as well. I tested for it by zooming in and seeing if their tops align with the top of the h. Capital I is shorter than lower case L

[-] NewNewAccount@lemmy.world 12 points 1 year ago

So OP is a big fat phony?

[-] cokane_88@lemmy.world 4 points 1 year ago

OP here, reading all the comments and theories as to why the I or L or whatever isn't a match. I copy and pasted it after it didn't like my typing skills, tried it twice and no go... I believe the periods aren't an acceptable special character even though they technically are. It also would not accept spaces in-between words, I was first gonna use "I hate password" for my password but no go there.

The password it accepted was weak AF, two "stupid-words" strung together.

[-] Polydextrous@lemmy.world 18 points 1 year ago

No, one is an uppercase ā€œIā€ while the other is a lowercase ā€œL.ā€ lI ā€” you can see the difference when you compare it to the nearby ā€œh.ā€

[-] MrJameGumb@lemmy.world 7 points 1 year ago

Ah, so OP was up to shenanigans??? I should have suspected as much from that mischievous miscreant!!!

load more comments (1 replies)
load more comments
view more: next ā€ŗ
this post was submitted on 25 Jul 2023
471 points (100.0% liked)

Mildly Infuriating

35422 readers
248 users here now

Home to all things "Mildly Infuriating" Not infuriating, not enraging. Mildly Infuriating. All posts should reflect that.

I want my day mildly ruined, not completely ruined. Please remember to refrain from reposting old content. If you post a post from reddit it is good practice to include a link and credit the OP. I'm not about stealing content!

It's just good to get something in this website for casual viewing whilst refreshing original content is added overtime.


Rules:

1. Be Respectful


Refrain from using harmful language pertaining to a protected characteristic: e.g. race, gender, sexuality, disability or religion.

Refrain from being argumentative when responding or commenting to posts/replies. Personal attacks are not welcome here.

...


2. No Illegal Content


Content that violates the law. Any post/comment found to be in breach of common law will be removed and given to the authorities if required.

That means: -No promoting violence/threats against any individuals

-No CSA content or Revenge Porn

-No sharing private/personal information (Doxxing)

...


3. No Spam


Posting the same post, no matter the intent is against the rules.

-If you have posted content, please refrain from re-posting said content within this community.

-Do not spam posts with intent to harass, annoy, bully, advertise, scam or harm this community.

-No posting Scams/Advertisements/Phishing Links/IP Grabbers

-No Bots, Bots will be banned from the community.

...


4. No Porn/ExplicitContent


-Do not post explicit content. Lemmy.World is not the instance for NSFW content.

-Do not post Gore or Shock Content.

...


5. No Enciting Harassment,Brigading, Doxxing or Witch Hunts


-Do not Brigade other Communities

-No calls to action against other communities/users within Lemmy or outside of Lemmy.

-No Witch Hunts against users/communities.

-No content that harasses members within or outside of the community.

...


6. NSFW should be behind NSFW tags.


-Content that is NSFW should be behind NSFW tags.

-Content that might be distressing should be kept behind NSFW tags.

...


7. Content should match the theme of this community.


-Content should be Mildly infuriating.

-At this time we permit content that is infuriating until an infuriating community is made available.

...


8. Reposting of Reddit content is permitted, try to credit the OC.


-Please consider crediting the OC when reposting content. A name of the user or a link to the original post is sufficient.

...

...


Also check out:

Partnered Communities:

1.Lemmy Review

2.Lemmy Be Wholesome

3.Lemmy Shitpost

4.No Stupid Questions

5.You Should Know

6.Credible Defense


Reach out to LillianVS for inclusion on the sidebar.

All communities included on the sidebar are to be made in compliance with the instance rules.

founded 1 year ago
MODERATORS