
In password security, the longer the better. With a password manager, using more than 24 characters is simple. Unless, of course, the secure password is not accepted due to its length. (In this case, through STOVE.)

Possibly indicating cleartext storage of a limited field (which is an absolute no-go), or suboptimal or lacking security practices.

[-] tarsisurdi@lemmy.eco.br 140 points 2 months ago* (last edited 2 months ago)

I once registered an account with a random ~25 characters long password (Keepass PM) for buying tickets on https://uhuu.com.br/

The website allowed me to create the account just fine, but once I verified my e-mail, I couldn't log into it due to there being a character limit ONLY IN THE LOGIN PASSWORD FIELD. Atrocious.

EDIT: btw, the character limit was 12

[-] magic_lobster_party@fedia.io 72 points 2 months ago

What’s more frustrating is when the password creation page silently cuts off too-long passwords and doesn’t inform you about it.

[-] neilb@lemmy.ml 15 points 2 months ago

There’s a site I use that does that on the password reset page, but not when logging in. So when using a long password it’s as if the reset never works. Took me ages to figure out what was going wrong.

[-] 4grams@awful.systems 53 points 2 months ago

This shit pisses me off so bad. I had an identity theft a few years back, took ages to undo, and my credit score is still impacted by it. At the time I moved to a password manager and all my passwords are 31 characters of garbage. I’ve got several, highly sensitive accounts that my passwords don’t work for; in fact one, a bank, until fairly recently, had repurposed a phone number field in the DB so passwords were limited to 10 characters numeric only (I managed to get one of their IT folks on the horn to explain why the password was so awful).

I cannot believe we live in 2025 and we still haven’t figured out passwords.

[-] DarkSirrush@lemmy.ca 26 points 2 months ago

My bank forces a 6 digit PIN as a password.

Their 2fa is also email or text only.

At least we can set a unique username?

[-] bleistift2@sopuli.xyz 11 points 2 months ago

We have figured out passwords. Management hasn’t figured out allocating resources to security, and governments haven’t figured out fining the crap out of such companies.

[-] mcat@lemmy.world 46 points 2 months ago

My worst experience so far was a webpage that trimmed passwords to 20 characters in length without telling you. Good luck logging in afterwards...

[-] drewcarreyfan@lemm.ee 33 points 2 months ago

One of my favorite memories of how much Something Awful's sysadmins were absolutely amateur hour back in the early 2000s was the "lappy" to "laptop" debacle. Apparently Lowtax found the term "lappy" so annoying that he ordered his system administrator to do a find/replace for every instance of "lappy," replacing them with "laptop."

Unfortunately this included usernames and passwords, as well as anything that just managed to have the letters "lappy" in that order anywhere in the word. So, there was one user named 'Clappy' who woke up one day to find his name changed to 'Claptop.' Apparently this is also how people discovered that they were storing passwords unsalted in plain text in a fucking MySQL database, which if you're old enough, you probably already remember that the combination of MySQL and PHPmyAdmin were like Swiss cheese when it comes to site defense. :p

[-] 10OhmResistor@aussie.zone 11 points 2 months ago

That must have done a lot of dawizard to their reputation.

[-] JackbyDev@programming.dev 11 points 2 months ago

Flaptop Bird

[-] UpperBroccoli 43 points 2 months ago

We have a customer, a big international corporation, that has very specific rules for their intranet passwords:

  • Must contain letters
  • Must contain numbers
  • Must contain special characters
  • No repeats
  • Passwords must be changed every two months
  • Not the same password as any of the last seven
  • PASSWORDS MUST BE EXACTLY EIGHT CHARACTERS LONG

I can only assume that whoever came up with these rules is either an especially demented BofH, or they have some really really weird legacy infrastructure to deal with.

[-] drewcarreyfan@lemm.ee 19 points 2 months ago

I am a designer, but I once did a project with a very very major and recognizable tech corporation that, no joke, implemented an 8 character limit on passwords for storage reasons.

This company made to the tune of tens of billions of dollars per year, and they were penny-pinching on literal bytes of data.

I can't say who it is, but their name begins with 'M' and ends in 'cAfee.'

[-] JackbyDev@programming.dev 10 points 2 months ago

If password length affects storage size then something has gone very wrong. They should be hashed, not encrypted or in plaintext.

[-] OmegaLemmy@discuss.online 13 points 2 months ago

No repeats??? Like, you can't have 'aaaa123@' as a password?

You're just making it easier to brute force...

[-] Kissaki@feddit.org 36 points 2 months ago

I've had a case in the past where I reduced my password to the limit, but after account creation, I was not able to log in.

Turns out they had an off-by-one issue, and a password with a length slightly below the limit worked fine.

[-] valkyre09@lemmy.world 19 points 2 months ago

I once got locked out of an HP printer because it chopped off the last few characters of a password. Only figured it out because somebody had made a comment online about password length.

[-] Buffalox@lemmy.world 35 points 2 months ago* (last edited 2 months ago)

Your password MUST contain big and small letters, and contain at least 1 number character and 1 special character, it MUST be 8 characters long, and it MUST be typed on a German Cherry keyboard between 8-9 PM, using ONLY 1 finger while blindfolded and listening to ABBA music. BUT NO SPACES ALLOWED!!!
This is because of something called entropy we never even read about so we have zero understanding of it. Of course combined with lousy programming, so safety is all on you.

Making all these possibilities OPTIONAL would actually make for safer passwords (higher entropy), as would using multiple words separated by spaces. The only meaningful way to accept a password would be to test it against common bad passwords, and test the entropy to determine acceptable levels. There is no good reason a password couldn't be 10 words and at least 127 characters. There is no way that should stress a properly designed modern system.
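
An added example, not from the thread or any site mentioned in it, of the acceptance policy this comment describes: no composition rules and no short cap, only a blocklist check and a minimum entropy estimate. The blocklist is a constructed stand-in for a real breached-password list, and the estimates assume uniformly random choices (95 printable ASCII symbols, or words from a 7776-word diceware list), so they are upper bounds for human-chosen passwords; the numbers also show why an "exactly eight characters" rule caps entropy at roughly 52.6 bits no matter how many classes it demands.

```python
import math

# Constructed, tiny blocklist standing in for a real breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "aaaa123@"}

PRINTABLE_ASCII = 95   # symbol pool for a random character password
DICEWARE_WORDS = 7776  # 6**5, the standard diceware list size


def random_chars_bits(length: int, pool: int = PRINTABLE_ASCII) -> float:
    """Upper bound on entropy of `length` uniformly random symbols from `pool`.
    With length fixed at 8 this is ~52.6 bits; composition rules only lower it."""
    return length * math.log2(pool)


def passphrase_bits(words: int, pool: int = DICEWARE_WORDS) -> float:
    """Entropy of `words` words drawn uniformly from a `pool`-word list;
    five diceware words (~64.6 bits) already beat any 8-character password."""
    return words * math.log2(pool)


def is_acceptable(password: str, min_bits: float = 60.0, max_len: int = 256):
    """Policy in the spirit of the comment: blocklist, a generous length cap,
    and a minimum entropy estimate. Returns (accepted, reason)."""
    if len(password) > max_len:
        return False, f"longer than {max_len} characters"
    if password.lower() in COMMON_PASSWORDS:
        return False, "common password"
    if " " in password:
        # Crude assumption for the demo: space-separated input is a passphrase
        # of randomly chosen list words. A real estimator inspects the words.
        bits = passphrase_bits(len(password.split()))
    else:
        bits = random_chars_bits(len(password))
    if bits < min_bits:
        return False, f"only ~{bits:.0f} bits, need {min_bits:.0f}"
    return True, f"~{bits:.0f} bits"
```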

[-] Kushan@lemmy.world 15 points 2 months ago

You have described all of the guidelines that NIST, Microsoft, GCHQ and a few other institutions now recommend for password security.

And yet I still have to have this argument with so-called security engineers and my favourite, compliance officers.

[-] funkless_eck@sh.itjust.works 11 points 2 months ago

You forgot that you can only use a selection of special characters from a pre-approved list of 10.

[-] WanderingThoughts@europe.pub 12 points 2 months ago

Had that yesterday.

"Must use special characters!"

"Okay, no problem. Here you go."

"Not that one! It's too special!"

"Dude, I haven't even touched extended ASCII yet."

[-] 0x0@lemmy.dbzer0.com 9 points 2 months ago

I love when there are so many rules that my first few randomly-generated passwords are rejected.

[-] Jaybird@lemmy.world 33 points 2 months ago

How about creating a new account, letting Bitwarden create a password, only for them to send me a clear text copy of that password in their confirmation email....

[-] AnUnusualRelic@lemmy.world 12 points 2 months ago

Here's your password, remember to write it down on your password post-it!

[-] pyre@lemmy.world 11 points 2 months ago

I thought that practice died like 20 years ago.

[-] tauren@lemm.ee 26 points 2 months ago

My favorite is when they don't have this check, but silently slice the string to meet the requirement, so that you can't log in with the original password the next time.

[-] thermal_shock@lemmy.world 18 points 2 months ago* (last edited 2 months ago)

Wells Fargo used to do this. They cut my 16 character password to 8 and negated capitalization. Which is why I don't use them anymore.

[-] 4am@lemm.ee 24 points 2 months ago* (last edited 2 months ago)

Don’t worry, pretty soon they will just block password managers from autofilling fields on their login page so that you HAVE to remember your password! Then you’ll be happy it can’t be that long, you can only fit so much on a post-it note on the side of your monitor.

/s

EDIT: I think there should be a law against blocking password managers for filling in fields. Any brute force bots are going to submit HTTP requests directly anyway; no one is hitting the DOM to do that

[-] dQw4w9WgXcQ@lemm.ee 23 points 2 months ago

For a system I worked on a few years ago I got the password requirement:

  • Only upper case letters A-Z, no letter or symbols.

  • Exactly 7 characters.

I was also recommended to make it a single word to make it memorable.

[-] lennee@lemm.ee 23 points 2 months ago* (last edited 2 months ago)

Funniest experience that I've had is that I made a PSN (PlayStation Network) account with a 64 (iirc, might have been 32, don't remember) character password. That worked making the account on my PC on their website. Never was able to log into that account on my PlayStation though, and the error message was just some generic error. Support didn't know what was going on and I didn't either until it dawned on me. The password was too long for the console. Changed the whole thing to a shorter one and now it works everywhere. Used to work on their website, not in the app, not on console. Fun.

[-] rei@lemmy.world 19 points 2 months ago

The password should be hashed anyway, which has a fixed output

[-] Scrollone@feddit.it 10 points 2 months ago

But there must be a (long) max length anyway, to prevent some kinds of attacks.

[-] olafurp@lemmy.world 10 points 2 months ago

Long here means a 400 page book as a password.

[-] kepix@lemmy.world 18 points 2 months ago

I once used 20 for a bank. The website hadn't told me it was too long, just clipped off 2 and accepted the rest. Not even the banking support was able to help me. Took me a few days to solve this by accident.

[-] kibiz0r@midwest.social 15 points 2 months ago

Recently had a password that was acceptable for the account creation page on the website but too long for the login screen in the mobile app.

Took me a while to figure out that pasting into that field was just quietly dropping characters.

[-] nokturne213@sopuli.xyz 10 points 2 months ago

What is worse is when it does not quietly drop any characters and you have to keep resetting your password.

[-] daggermoon@lemmy.world 14 points 2 months ago

I don't have it in me

[-] lightnsfw@reddthat.com 13 points 2 months ago

If I have to create a password I'll need to remember and don't have access to my password manager for whatever reason, I have a long phrase that's my go-to, but I have a system about adding numbers and characters to it based on the context of the login. Sites with character limits really fuck that up.

[-] pennomi@lemmy.world 11 points 2 months ago

There should be a limit to prevent DoS attacks but really it should be like 1M characters or something.

[-] rumba@lemmy.zip 15 points 2 months ago

No, there should be no limit. The password should be salted and hashed, stored on the server side; they should be uniformly like 256 or 512 characters behind the scenes no matter if you send it 5 characters or 50,000. The password that is stored is just a mathematical representation of the password.

As far as DDOS, it doesn't matter what the limit is, you can send them millions of characters even if they have a limit. If you're going to DDOS you're going to just use SYN flood, pings; for all that matters you could send headers.

[-] pennomi@lemmy.world 21 points 2 months ago

Not DDOS, DOS. You can often crash an unprepared server with one request by telling it to hash more data than it has memory for. See this blog post for a well-known web framework. Let’s say I just sent it a 10 GB password; it still has to process that data whether or not the hash eventually shortens to the database field length.
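
An added example, not code from the thread or from any site or bank named in it, tying together the points made in this exchange and in the earlier one about hashing: a stored password hash has a fixed size regardless of input length, a generous byte cap is still enforced before any hashing so one oversized request cannot burn the server's memory or CPU, and sign-up and login share one validation path so nothing is silently truncated (the failure mode most commenters hit). The 1024-byte cap, the PBKDF2 iteration count and the 12-character `truncating_store` limit are assumed values for the demo; only the Python standard library is used.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

MAX_PASSWORD_BYTES = 1024    # assumed cap: rejects huge inputs before any hashing work
PBKDF2_ITERATIONS = 100_000  # lowered for a quick demo; tune to current guidance in production


class PasswordTooLong(ValueError):
    """Raised before hashing so an oversized input is refused explicitly and cheaply."""


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The digest is always 32 bytes whether the password is
    5 characters or 1000, so the stored size never depends on password length."""
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Runs the identical validation path as registration, so whatever was accepted
    at sign-up is accepted at login; constant-time compare on the digest."""
    try:
        _, digest = hash_password(password, salt)
    except PasswordTooLong:
        return False
    return hmac.compare_digest(digest, stored)


def truncating_store(password: str, limit: int = 12) -> str:
    """The anti-pattern from the thread: a fixed-width field silently drops the tail."""
    return password[:limit]


def truncation_breaks_login(password: str, limit: int = 12) -> bool:
    """True when what was stored at sign-up no longer matches what the user types
    at login: the 'account created fine, cannot log in' failure mode."""
    return truncating_store(password, limit) != password
```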

[-] SCmSTR 11 points 2 months ago

One time I worked a job where you had to make EXACTLY a 12 character password using only ten letters and two numbers.

[-] eronth@lemmy.dbzer0.com 9 points 2 months ago

The password on my PC is something like 30 characters long. Back when win10 was first coming out, they were pushing getting an actual outlook account and tying that to your login. I was hesitant at first, but figured I'd try it out and see how that worked for me.

Turns out outlook accounts (at the time) had something like a 16 character limit on passwords. Bruh.

[-] zerosignal@lemmy.world 8 points 2 months ago

When I banked with wells fucking fargo they had issues similar to this. I had something like a 16 character password and I once forgot the last character and it accepted it anyway, so there was some kind of character limit that they didn't make obvious.

I also had a time I accidentally had caps lock on, and my password still was accepted. Their passwords were not case sensitive even though their password screen says they were.

this post was submitted on 17 May 2025
789 points (100.0% liked)

Mildly Infuriating
