Bug: long passwords can't login



Ben James Ben
02-10-2006, 07:23 PM
I believe that there is a bug with both the web site and forum if a user has a long password (over 20 characters).

If you try to log into the main site, the password box only accepts 20 characters. If your password is longer, you are unable to log in. You get an error saying that the username/password isn't valid.

If you try to log into the forum, you get the same error. However, you get directed to an error page where you can try to login again. This particular page does accept longer passwords, and you are then able to log into the forum. So, the workaround is to log in twice to the forum (but this still doesn't help you login to the main site).

I've seen this bug for the past year and a half, but because I've only participated on the forum and because there is the workaround noted above, I never really knew what the bug was about. I've never been able to log into the main site (until I changed to a shorter password today), but I never understood why.

I guess that the remedies are either: 1. fix the forms in both places to accept longer passwords; or 2. don't allow users to set their password to too-long passwords. I'd prefer remedy #1.

Ben

(Sorry if this bug has already been posted. I searched the forum but didn't see it mentioned earlier.)

Edit: two years -> year and a half

Cuddy
02-10-2006, 07:41 PM
No offense, but why would you want a 20+ character long password in the first place? I'm no Tech Admin (that'd be in Graham's area), but I don't think there will be any rule set on how long a password can be, but I'd like to know how many users actually have a password (to ANY site) that is 20 or more characters long.

Ben James Ben
02-10-2006, 07:59 PM
I'm not offended. The reasons for having a 20+ character password are that, if you do it right:
1. the password is more secure (because it's so long)
2. the password is easier to remember

Longer passwords are easier to remember if you use word phrases as your password. For example, "My voice is my passport. Verify me." would make a good, long, difficult to guess password (except for the fact that it's a line from a movie). It's also easy to remember, much easier than a short, cryptic password like "a!32Xi.e9".

However, my guess is that less than 1 out of 300 users would think of using a 20+ character password.

Graham
02-10-2006, 08:58 PM
Theoretically having more characters in your password would make it more secure in that there are more possible combinations. However when you use all phrases it somewhat makes the length pointless since someone could use an algorithm that tests phrases such as the one you just mentioned.


Anyway, it shouldn’t be too much of a problem to fix. Someone will probably look into it this weekend.

Steven
02-10-2006, 10:53 PM
Here's the issue with phrase passwords... despite their length, they are easier to crack than shorter passwords that are alphanumeric and contain symbols. The reason is that since the phrase contains dictionary words, a password cracker can pick up on them pretty easily. Where I used to work, the sysadmin regularly ran a password cracker on all user accounts, and phrase passwords were indeed cracked.

I use a pronounceable password, but certain letters I'd replace with numbers or symbols, like "p@5$w0rd", for example. Not once did my passwords get cracked. They are still easy for me to remember, and if I accidentally said it out loud, not all was lost.

As far as the "bug", I fixed it so there is no longer a limit in the box.

Marc
02-11-2006, 01:20 AM
I personally use a password that is easy for me to remember that uses a similar technique as Steven mentioned.

Using a brute force password cracker at 1,000 attempts per second, I estimate that it will take about 32,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 years to crack.

Dictionary password crackers are the most basic kind and will take anywhere from seconds to minutes to crack any word set or phrase.

An enhanced dictionary cracker will use capital letters starting from all capital letters, then just the first letters of the word and working on.

A particularly good cracker will then sub @ for a, 1 for i, capital letters, misspelled words etc. Time consuming but reasonable for long passwords that have a few subs.

A brute force cracker will basically start with 1 character passwords and use every possible character. Then it will use 2 and use every possible combo, and so on. These are most effective for shorter passwords as it takes significantly more time for every added character.

A good password is at least 6 characters long and uses at least 2 subs. Going on with password as an example here are a few variations that are easy to remember and effective.
"p@ssw0rd"
"P@SSW0RD"
"PaSSwOrd"
"pa$$word"
"pa55word"
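As an added illustration of the estimates in Marc's post (this is not code from the thread): a small Python keyspace calculator that compares a plain brute-force search with the case/substitution-mangled dictionary search he describes, using his figure of 1,000 attempts per second. The substitution table, the 100,000-word dictionary size and the 95-character printable charset are constructed assumptions.

```python
from math import log10

ATTEMPTS_PER_SECOND = 1_000          # rate assumed in Marc's post
SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed substitution table: each letter may appear as itself, its
# capital, or the "leet" substitutes Marc lists (@ for a, 1 for i, ...).
SUBS = {"a": "a@4A", "e": "e3E", "i": "i1!I", "o": "o0O", "s": "s$5S"}


def brute_force_space(charset_size: int, length: int) -> int:
    """Candidates a brute-force search tries at worst when it walks every
    length from 1 up to `length` over an alphabet of `charset_size`."""
    return sum(charset_size ** n for n in range(1, length + 1))


def mangled_space(word: str, subs=SUBS) -> int:
    """Variants an enhanced dictionary attack derives from one base word when
    every letter may be upper/lower case or replaced by a substitute."""
    total = 1
    for ch in word.lower():
        if ch in subs:
            total *= len(set(subs[ch]))   # original, capital and leet forms
        elif ch.isalpha():
            total *= 2                    # lower or upper case only
    return total


def years_to_exhaust(candidates: int, rate: int = ATTEMPTS_PER_SECOND) -> float:
    """Years needed to try every candidate at `rate` guesses per second."""
    return candidates / (rate * SECONDS_PER_YEAR)


def compare(word: str, dictionary_size: int = 100_000, charset_size: int = 95) -> dict:
    """Search space for `word` as a mangled dictionary entry versus the same
    length searched by brute force, both in candidates and in years."""
    dict_space = mangled_space(word) * dictionary_size
    brute_space = brute_force_space(charset_size, len(word))
    return {
        "dictionary_candidates": dict_space,
        "dictionary_years": years_to_exhaust(dict_space),
        "brute_force_candidates": brute_space,
        "brute_force_years": years_to_exhaust(brute_space),
        "log10_ratio": log10(brute_space / dict_space),
    }


if __name__ == "__main__":
    for k, v in compare("password").items():
        print(f"{k:>24}: {v:,.3g}")
```

For "password" the mangled dictionary search finishes in days at that rate while the equivalent 8-character brute-force search takes on the order of a hundred thousand years, which is why Steven's and Marc's substitution schemes add far less strength than the raw length suggests.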