Passwords with >50 chars mean that you can't log in


Colonel_mortis
If you use a password manager to generate a password that is more than 50 characters, and paste it into the password field when setting/changing your password, you will then be unable to use it to log into your account, and have to reset your password to regain access.

I reported this in a ticket, but apparently it's "by design". The original contents of my ticket are as follows:

On the registration, password change and password reset pages, you cap passwords at 50 characters. I don't see the point of doing this, and would be in favour of removing an arbitrary limit, but I accept that a 50 character password is (as long as it's remotely sensible) sufficiently strong for any purpose. However, that limit is sent to the browser as the maxlength attribute on the password field.

The problem with a maxlength attribute is that, even when applied to a password field, content that is pasted into it is truncated to that max length. If I generate my 64 char password using a password manager (which doesn't autofill it into the field), and paste it into the password field, it is therefore truncated to a 50 char password with no indication that this has happened. I then save the 50 char password on the site, as well as the 64 char password in my password manager.

When I come to log in, I paste my 64 char password into the login form, and it pastes in its entirety because there is no max length on the login form (and there must not be one, because passwords created before you introduced the max length can be more than 64 chars). The password therefore doesn't match what is stored in the db, because it's 14 characters too long.

Proposed solutions, in order of my preference:

  • Remove the arbitrary limit on password length, or increase it to a value larger than password managers would ever generate, such as 500.
  • Reduce the arbitrary limit to ≥72, which is the length that the passwords are truncated to for use with blowfish anyway, so even if the password is truncated without the user's knowledge it doesn't actually make any difference.
  • Remove the maxlength attribute from the HTML for password fields, and process it exclusively on the server (or using JS), so users receive an error when their password is too long, rather than it just being truncated.


To clarify, there is no visual indication that there is a length limit of 50 characters, so the user has absolutely no reason to suspect that their password won't have been updated correctly, or to suspect that the password length was the reason for their account being inaccessible.

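As an added illustration (this is not code from the post above, nor the forum software's own code), the following JavaScript models the failure the report describes and the third proposed fix: a browser-side `maxlength` silently truncates a pasted 64-character password to 50, the login form does not, so the two never match; a server-side check that rejects over-long input with an explicit error avoids that. It also shows the 72-byte point behind the second proposal, with the caveat that bcrypt's limit is 72 bytes, not 72 characters, so a password containing multibyte characters hits it sooner. The constants, the sample password and the toy credential store are constructed for the example.

```javascript
// Added example: models silent maxlength truncation and the explicit server-side check.
// All limits and sample data below are assumptions constructed for illustration.

const MAXLENGTH_ATTR = 50;      // the cap the report says is sent as maxlength="50"
const BCRYPT_INPUT_BYTES = 72;  // bcrypt keys on at most the first 72 bytes of its input

// Constructed 64-character password, as a password manager might generate.
const EXAMPLE_PASSWORD = 'Xk9#'.repeat(16);

// What the browser does with text pasted into <input maxlength="50">:
// keeps the first 50 UTF-16 code units and gives no indication that anything was dropped.
function pasteIntoMaxlengthField(text, maxlength = MAXLENGTH_ATTR) {
  return text.length > maxlength ? text.slice(0, maxlength) : text;
}

// Toy credential store. A real site stores a bcrypt hash; plain string comparison is
// enough here to show that the stored and typed passwords differ.
function createStore() {
  const store = new Map();
  return {
    setPassword(user, password) { store.set(user, password); },
    login(user, password) { return store.get(user) === password; },
  };
}

// The reported scenario: the password is pasted into the change-password form
// (truncated by maxlength) and later into the login form (no maxlength there).
function reproduceSilentTruncation(generatedPassword) {
  const site = createStore();
  const whatGotSaved = pasteIntoMaxlengthField(generatedPassword);
  site.setPassword('alice', whatGotSaved);
  return {
    storedLength: whatGotSaved.length,
    loginSucceeds: site.login('alice', generatedPassword),          // what the user tries
    loginWithTruncatedSucceeds: site.login('alice', whatGotSaved),  // what would have worked
  };
}

// Proposed fix: no maxlength on the field; the server validates the length and
// returns an error instead of storing a truncated value. Measured in UTF-8 bytes
// because that is what the hash function sees.
function validateNewPassword(password, maxBytes = BCRYPT_INPUT_BYTES) {
  const bytes = new TextEncoder().encode(password).length;
  if (bytes > maxBytes) {
    return { ok: false, error: `Password is ${bytes} bytes; the maximum is ${maxBytes}` };
  }
  return { ok: true };
}

// The part of the password that bcrypt actually uses: the first 72 bytes of its UTF-8 form.
function bcryptEffectiveInput(password, maxBytes = BCRYPT_INPUT_BYTES) {
  return new TextEncoder().encode(password).slice(0, maxBytes);
}

// True when two passwords would produce the same bcrypt input, i.e. a limit at or
// above 72 bytes makes any truncation beyond that point invisible to the hash.
function sameBcryptInput(a, b) {
  const x = bcryptEffectiveInput(a);
  const y = bcryptEffectiveInput(b);
  return x.length === y.length && x.every((byte, i) => byte === y[i]);
}

// Stand-alone demonstration.
console.log(reproduceSilentTruncation(EXAMPLE_PASSWORD));
console.log(validateNewPassword('a'.repeat(73)));
console.log(sameBcryptInput('x'.repeat(72) + 'a', 'x'.repeat(72) + 'b'));
```

Running it shows the saved password is 50 characters and the 64-character login fails while the truncated one would succeed, which is exactly the lockout the post describes; `validateNewPassword` is the behaviour the third proposal asks for, and `sameBcryptInput` is why a limit of at least 72 bytes makes the truncation harmless in the second proposal.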