It seems like the password limit is set to 60 characters so I’m unable to login to my instance. There probably should be no limit in the app because each server could have different limits set.
Why in the f do you need 60+ chars for a password?
Computers get faster all the time, making brute force cracking of passwords easier all the time. Password managers don’t care how long a password is. The task of filling it out is the same.
60 character passwords with any amount of complexity would take effectively infinite time to brute, an 18 character password with complex characters would take millions of years… There is no reason to use 60, let alone more than
Have you heard about pass phrases ?
Also, none of those is a sane reason to limit password length. A huge point of hashing is having short, constant length strings on output no matter the input. There’s no limitation or database issue there.
The only reason to limit password length is actually security (for bad algorithms) and DoS, but that requires a limit in the thousands.
Because there’s no reason not to and plenty of reason to?
Hi all,
Continuing the discussion from GitHub… Here is the PR I opened.
https://github.com/thunder-app/thunder/pull/766
However, there’s still some discussion to be had about whether this is the right change.
@snowe, a couple questions…
- Can you log in via Liftoff? They also have a 60 char limit. https://github.com/liftoff-app/liftoff/blob/3055896657ef05772dc5fa18c5b3ab285b93f54a/lib/pages/settings/add_account_page.dart#L199
- When you say, “It seems like the password limit is set to 60 characters so I’m unable to login to my instance.”, did you try logging in with a truncated password? Or are you just assuming that, if we limit the length, it won’t work? I only ask because this Thunder discussion led us to find that truncating actually works for some users, which is what led to the original limit.
Thanks!!
I believe Jerboa also has this character limit as mentioned in this PR. It seems like they truncate the password to take the first 60 characters if it’s too long. This is what Thunder also follows as of right now, except it’s shown explicitly to the user in the login modal