2

passwords shorter than 72 characters considered longer

Submitted by 161 in support

hello emma don't know if you are still here but I found this kinda curious,

when I input a password-string with high ANSI characters it says it is more than 72 characters e.g. if i input úÑF½=õF6èÆê¼¾(bõAÔÑ!ìªÒÄY\ÍvX5goFÚØÈÙ±LØ]ûzQÚï}ö¯fÓq»ÖßïxÍÁáèFu¤T:1q'®X¹ (which keepass says is 72 characters long) as my password, it returns "This value is too long. It should have 72 characters or less."

similar results are achieved when I input 71, 70 character long strings and potentially even lower

thankyou

Comments

You must log in or register to comment.

1

emma wrote (edited )

Not a bug. The bcrypt password hashing algorithm that Postmill uses has a hard limit of 72 bytes, not characters. In UTF-8, every character in ASCII is one byte, while characters outside of ASCII consist of two bytes or more.

Of course, the error message could make this distinction clear, but I'm not sure how to accomplish that without making it more confusing. Maybe we should just block multibyte characters altogether.

1

dale wrote

Blocking multibyte characters would probably raise the barrier to non-English users. Adding a byte counter and a small disclaimer stating "not all characters are one byte" might work but also does give away information about the user's password in plain sight.