I am using version 1.11.5, and ran into a problem when resetting passwords for users on the site. I was attempting to set long passwords based on several random words. The admin module accepted the password update, but I was unable to log in using the new password.
After a bit of investigation, it appears that the admin module is silently truncating the entered password to 25 characters (so when I attempted to log in with the longer password I thought I had set, it was not recognised).
If there is a specific reason for limiting the size of user passwords, would it be worth adding validation to the admin module password to ensure that users can only enter a maximum of 25 characters, and don't end up setting passwords that are different from the ones they think they are setting?
User passwords truncated?
- Power Poster
- Posts: 1049
- Joined: Wed Mar 19, 2008 4:54 pm
Re: User passwords truncated?
A very long password of several words isn't much safer.
When you create a random password with e.g. http://strongpasswordgenerator.com/ of 16 characters and punctuation, you get a very strong password.
Re: User passwords truncated?
Agreed, may not be more secure, but a long password using conventional words can be secure and easy to remember, which is also important:
http://xkcd.com/936/
If CMSMS is limiting the password size at entry, this needs to be explicitly validated, so users don't mistakenly think that a longer password has been successfully set.
I will raise a report to see if this is a genuine bug, and not just something strange about my setup.
Re: User passwords truncated?
Sorry but that would be about a day (maybe less) to crack down with a dictionary attack. My 2 cents, FWIW....
"There are 10 types of people in this world, those who understand binary... and those who don't."
* by the way: English is NOT my native language (sorry for any mistakes...).
Code of Conduct | CMSMS Docs | Help Support CMSMS
My developer Page on the Forge
GeekMoot 2015 in Ghent, Belgium: I was there!
GeekMoot 2016 in Leicester, UK: I was there!
DevMoot 2023 in Cynwyd, Wales: I was there!
- Support Guru
- Posts: 8169
- Joined: Tue Oct 19, 2004 6:44 pm
Re: User passwords truncated?
The password fields in the admin adduser/edituser forms have a maxlength attribute of 25 chars. They have been this way for a very long time.
I researched... Javascript does not allow us to (reliably) preview the text that is about to be pasted into a text field to see if you are pasting in too many characters. Therefore for 2.0 I've disabled the paste ability on the admin (and frontend) password fields.
I also changed the 'bug report' to minor.
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
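A constructed Python illustration (added here, not CMSMS code) of the mismatch calguy1000 describes: a password clipped to the form's 25-character maxlength when it is set, the login that then fails with the full password, and an explicit length check that rejects over-long input instead of silently truncating it. The in-memory user store, the PBKDF2 hashing and the user names are assumptions, not CMSMS internals.

```python
"""Constructed illustration of the truncation bug discussed in this thread.
'Before': the form clips the password to maxlength without telling the admin.
'After': over-long input is rejected explicitly, so nothing is lost silently."""
import hashlib
import hmac
import os

FORM_MAXLENGTH = 25  # the maxlength the thread reports on the admin add/edit user forms


def hash_password(password: str, salt: bytes) -> bytes:
    # Assumed hashing scheme for the example; any salted hash shows the same effect.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class UserStore:
    """Hypothetical in-memory user table: user -> (salt, password hash)."""

    def __init__(self) -> None:
        self.records: dict[str, tuple[bytes, bytes]] = {}

    def set_password_truncating(self, user: str, password: str) -> bool:
        """'Before': mimics the browser clipping input to FORM_MAXLENGTH.
        Returns True when characters were silently discarded."""
        clipped = password[:FORM_MAXLENGTH]
        salt = os.urandom(16)
        self.records[user] = (salt, hash_password(clipped, salt))
        return clipped != password

    def set_password_validated(self, user: str, password: str) -> None:
        """'After': refuse the update with a clear error instead of truncating."""
        if len(password) > FORM_MAXLENGTH:
            raise ValueError(f"password exceeds the {FORM_MAXLENGTH}-character limit")
        salt = os.urandom(16)
        self.records[user] = (salt, hash_password(password, salt))

    def login(self, user: str, password: str) -> bool:
        rec = self.records.get(user)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, hash_password(password, salt))


def demo() -> tuple[bool, bool, bool, bool]:
    store = UserStore()
    intended = "correct horse battery staple paperclip"  # 38 chars, constructed (cf. xkcd 936)
    truncated = store.set_password_truncating("alice", intended)
    login_full = store.login("alice", intended)                   # fails: hash is of the clipped value
    login_clipped = store.login("alice", intended[:FORM_MAXLENGTH])  # succeeds: the "wrong" password works
    try:
        store.set_password_validated("bob", intended)
        rejected = False
    except ValueError:
        rejected = True
    return truncated, login_full, login_clipped, rejected
```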
Re: User passwords truncated?
Oh.
calguy1000 wrote: Therefore for 2.0 I've disabled the paste ability on the admin (and frontend) password fields.

I suspect like a lot of people I use a password storage program (in my case Keepass) which generates strong(er) passwords. I just generate a new one, copy and paste it, and save the Keepass record. Job done.
Looks like staartmees might do something similar with his strong passwords site that (s)he mentioned.
Sounds like now, though, we won't be able to copy and paste into the new user form? So it's going to be a pain to type a (say) 20-character password... twice. And it might be tempting for some to shorten the password (to make it quicker to type) and so make their site less secure.
Can I vote you don't disable paste please?
What about simply adding some text "Max 25 characters" next to the password field? That would be enough for me to realise and probably for the OP too.
Or how about something like this which will turn the text box border red when you reach the character limit:
http://www.dynamicdrive.com/dynamicinde ... tinput.htm
Disabling pasting just makes it more difficult for everybody IMHO.
- Support Guru
- Posts: 8169
- Joined: Tue Oct 19, 2004 6:44 pm
Re: User passwords truncated?
Yeah I reversed that nopaste thing yesterday, and modified the maxlength attribute to be 100 chars...
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
Re: User passwords truncated?
Oh, cool.
Thanks Calguy.

Re: User passwords truncated?
Thanks folks. That seems like a good outcome, regardless of whether you are trying to use long, memorable passwords or complex non-memorable passwords with a password manager (or a combination of both approaches).
I think the important point is that password security is not just about complexity, but also depends on how usable the password is. As pointed out above, making passwords too difficult to use will compromise security because users will cut corners.