We’ve all been there.

  • unixfreak@feddit.uk
    link
    fedilink
    English
    arrow-up
    7
    arrow-down
    8
    ·
    edit-2
    1 year ago

    If a password input form asks any of these questions, consider the website or service compromised right from the beginning. The reason for this, is that it means they are not storing salted/hashed passwords and your password will be stored as plain text on their servers. There’s no reason for any limitations on a password. In the event of a breach, your password will be visible in any database dumped by a hack. Always makes me wince when a password form complains about password length, as it really should not matter. When you hash a password, it will be stored in the database at a specific string length;

    Eg; using sha-1 hashing:

    pass123 = 5f1e04b7fc8d7067346b77bdbb6a4d4f9f4abace28f15c2b265c710b120393b2
    password321 = 8852ab05d5b32f9efd3dcbf69edcfd65464e64c8e5e8310239871e02380e81b3
    
    • OdinsonThor@lemmy.ca
      link
      fedilink
      English
      arrow-up
      12
      ·
      1 year ago

      All of those things can be verified before storing the password in any way, encrypted or not, and checking them would be a requisite before storing it.

      While it’s true that they don’t have a significant impact on the hash generated, they make it significantly more difficult for anyone to guess your password. It’s much easier to guess password321 than something like Or^9L%u&QQ12XxI@. And that has nothing to do with how the password is ultimately stored.

      • unixfreak@feddit.uk
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        1 year ago

        Of course, requiring at least one symbol or upper case letter etc is a good idea, along with a minimum length. Many websites won’t let you use a password longer than a certain amount of characters. The only reason for that limitation is that they are storing the database field as plaintext, and anything longer will not fit into that column.

    • PeeJay@lemmy.world
      link
      fedilink
      English
      arrow-up
      8
      arrow-down
      1
      ·
      edit-2
      1 year ago

      That’s just not true, all of these things can be achieved without saving the password as plain text

      • unixfreak@feddit.uk
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        1 year ago

        How is it not true? If a site is saying for example, “password must be less than 20 characters” – that is purely a limitation based on the size of the database field, which you can only assume it’s being adding to that field as plain text. A hash will always be the same length and password length would not matter.

        • PeeJay@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          I’ll keep my aswer short, but first of all, usually this format enforcement is done on the client before it is ever sent to the backend, there are many reasons to limit the maximum length other than string length limitations on the database ( not that I can think of many actual good reasons).

          Second of all, the client should send the actual password to the backend (allowing you validate these same password requirements on your backend), not the hashed password, hashing the password on the client side would be no better than storing the password as “plain text”.

          And never is the “plain text” password stored in any database, only sent over to the backend and hashed, every time you set a new password, or log in using an existing one.

    • Pleonasm@programming.dev
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      1 year ago

      My favorite password is the string “a”, but I never get to use it anywhere due to these ridiculous restrictions 😔 Can you tell me which online services you administer so I can sign up for them and enjoy unfettered use of my favorite password?