
Generator: Maximum password length limited to 128 chars (in Version 2.6.0) instead of 999 (in Version 2.3.*) #5206

Closed
buhtz opened this issue Jul 31, 2020 · 5 comments

@buhtz

buhtz commented Jul 31, 2020

I used Version 2.3.* on Windows and Linux.

When generating new passwords and customizing the length of the password I did not use the slider because it is limited to 128 chars. I used the text/number-entry field on the right of the slider and typed "999" into it because it was the highest accepted number by that dialog. This works for a lot of online portals.

After an update to Version 2.6.0 the entry field is limited to "128", too.

This lowers my security. Please fix this asap.

@buhtz buhtz added the bug label Jul 31, 2020
@droidmonkey
Member

No it doesn't

@buhtz
Author

buhtz commented Aug 1, 2020

No it doesn't

Very valuable reply.
The entropy is different between 128 or 999 characters.

So what is your argument?

@droidmonkey
Member

droidmonkey commented Aug 1, 2020

That is just simple math and totally irrelevant, obviously the longer the key the more entropy you have (if it is random). The real reason it doesn't matter is because after a certain length it is quite literally IMPOSSIBLE to brute force a password. Currently, that length hovers around 15-18 characters when using only random lower/upper letters and numbers. Adding more to the character set decreases the length requirement. So yes, a 128 character password is extreme overkill, and anything above that provides absolutely no additional "protection".

@buhtz
Author

buhtz commented Aug 2, 2020

15-18 is based on low evidence because it is theoretical and without the knowledge of all factors.

We do not know what (e.g. level of CPU power) the governments have in their basements today or in one year.

It is theoretically evident that 15-18 is secure. For how long?
Based on the same "simple math" it is evident that more than 18 is more secure.
Simple.

Please leave it to the user what level of security is needed.

Technically (for you) it is not a big deal to make that field 999 or more characters long.

@luni3359

While I agree that making such an enormous password is simply overkill (most websites won't actually let you have a password that long), I don't think it's wrong to let users choose the length of their passwords, especially because it was already a feature. You could say it counts as future-proofing.

Also, on the argument that we don't know the CPU power governments have, which let me tell you is ridiculous, it doesn't matter how powerful they are if the server they are attacking can't handle the absurd amount of tries needed to crack a password that long. Quantum computing is the closest threat we have to making traditional password lengths obsolete and even then I guarantee we will not be seeing them operating anything close to it in our lifetimes.
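As an added illustration of the "simple math" droidmonkey's comment relies on and of the server-throughput point luni3359 raises (example code added to this page, not from the project or any commenter): the entropy of a uniformly random password is length × log2(alphabet size), and the time to exhaust the space depends on how fast the attacker can actually submit guesses. The character-class sizes, the two constructed attacker guess rates (10 guesses/s for a rate-limited online service, 10^12 guesses/s for an offline attack on a stolen hash) and all function names are assumptions made for the example; the calculation is done in log space so that a 999-character password does not overflow a float.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character-class sizes for a generator that draws uniformly from the
# selected classes. Standard ASCII counts, assumed for the example.
CHAR_CLASSES = {"lower": 26, "upper": 26, "digits": 10, "symbols": 32}


def charset_size(*classes: str) -> int:
    """Size of the alphabet formed by the selected character classes."""
    if not classes:
        raise ValueError("select at least one character class")
    return sum(CHAR_CLASSES[c] for c in classes)


def entropy_bits(length: int, alphabet: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet).

    Only valid when every character is chosen independently and uniformly,
    which is the "if it is random" condition in the thread."""
    if length <= 0 or alphabet <= 1:
        raise ValueError("length and alphabet size must be positive")
    return length * math.log2(alphabet)


def log10_years_to_exhaust(length: int, alphabet: int,
                           guesses_per_second: float) -> float:
    """log10 of the years needed to try every password of this length
    at the given guess rate (log space avoids float overflow for 999 chars)."""
    return (length * math.log10(alphabet)
            - math.log10(guesses_per_second)
            - math.log10(SECONDS_PER_YEAR))


# Constructed attacker models; both rates are assumptions for illustration.
ATTACK_RATES = {
    "online, rate-limited server": 10.0,   # a handful of tries per second
    "offline, GPU cluster": 1e12,          # guesses against a stolen hash
}


def compare(lengths, alphabet):
    """Entropy and log10(years) under each attacker model per candidate length."""
    rows = {}
    for n in lengths:
        rows[n] = {"bits": round(entropy_bits(n, alphabet), 1)}
        for name, rate in ATTACK_RATES.items():
            rows[n][name] = round(log10_years_to_exhaust(n, alphabet, rate), 1)
    return rows


if __name__ == "__main__":
    alphabet = charset_size("lower", "upper", "digits")  # 62 symbols
    for n, row in compare([8, 18, 128, 999], alphabet).items():
        rest = "  ".join(f"{k}: 10^{v} yr" for k, v in row.items() if k != "bits")
        print(f"{n:>4} chars: {row['bits']:>7} bits  {rest}")
```

Running the script shows the shape of both arguments in the thread: each extra character adds a fixed ~5.95 bits for a 62-symbol alphabet, so 999 characters do carry more entropy than 128, while the exhaustion time even for 18 characters is already astronomically beyond any rate an attacker can achieve, and a rate-limited server lowers that rate by many orders of magnitude again.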


3 participants