I will not mention the UK government site on which I have just encountered this, to protect the guilty:
Seriously? What is the point of only giving some of the requirements?
I will not mention the UK government site on which I have just encountered this, to protect the guilty:
Seriously? What is the point of only giving some of the requirements?
Lol, right. And what is the rationale for limiting a password to 20 characters? (genuinely curious if someone knows the answer)
Or, indeed, limiting the available special characters?
Usually because they stick the password into a fixed length varchar in the database. Mind you if they do their proper hashing and know the output length, shouldnāt be an issue either, but if they roll their own or donāt know the final length, they may just hack it off at a certain length. That is my guess.
And this because sometimes they are lazy and some special characters, if not properly handled, can lead to injections or inadequate pattern matching. I mean I can see parenthesis, semicolons, commas all being problematic. They are probably just saying āHell with handling all that, these are all you get to useā.
Wait, which alphabet did you use? Latin, Greek, Hebrew? You have to use at least one!
Thereās a thought - maybe Iāll try Greek next time they make me change my password.
A 20-character password is definitely not too long. However, a 20-character password can
provide you with good security. So, the 20 character password is a good length and is of
enough length.
It is āenoughā length, perhaps. Is it a good idea to limit it? Not really.
Why 20 characters? Historical reasoning, perhaps.
An MD5 hash can produce 2^128 possible hashes.
It turns out that 94^19 (Why 94?
94 = alphaAlphaNum~!@#$%^&*()_-+={[}]|\:;"'<,>.?/)
is smaller than 2^128, and 94^20 is larger than 2^128. So after 20 characters, MD5 hashes theoretically start becoming non-unique. (In actuality thatās probably not the case, but it was a mathematical certainty beyond that point.)
Now, the world (hopefully!) has moved on beyond MD5, but thatās probably the reason for 20 being the golden number by some websites standards.
these types of problems make my 1password subscription all the more worth it. Kidding aside, I used to work for a corporate security firm and we would monthly change passwords that met the requirements exactly. Youād be surprised at the sophistication of modern-day hacking software that can decode the most insconpicous passwords.
Surely proper hashing should deal with all of that too.
These reasons appear to point to not using proper hashing.
You are certainly right. You would be surprised at what people are doing for password management. Some roll their own hash algorithm (yikes) and some insist on encryption rather than hashing. We are also assuming that people take in a password and immediately hash then do their comparisons. Some have to carry the password a long a bit to hash and sync with other systems etc.
One company I joined even had clear text passwords. It is a wild west out there with tons of insecurity. After what I have seen in my career, I am surprised there isnāt more breaches.