Generator: Maximum password length limited to 128 chars (in Version 2.6.0) instead of 999 (in Version 2.3.*) #5206
Comments
No it doesn't
Very valuable reply. So what is your argument?
That is just simple math and totally irrelevant, obviously the longer the key the more entropy you have (if it is random). The real reason it doesn't matter is because after a certain length it is quite literally IMPOSSIBLE to brute force a password. Currently, that length hovers around 15-18 characters when using only random lower/upper letters and numbers. Adding more to the character set decreases the length requirement. So yes, a 128 character password is extreme overkill, and anything above that provides absolutely no additional "protection".
15-18 is based on low evidence because it is theoretical and without the knowledge of all factors. We do not know what (e.g. level of CPU power) the governments have in their basements today or in one year. It is theoretically evident that 15-18 is secure. For how long? Please leave it to the user what level of security is needed. Technically (for you) it is not a big deal to make that field 999 or more characters long.
While I agree that making such an enormous password is simply overkill (most websites won't actually let you have a password that long), I don't think it's wrong to let users choose the length of their passwords, especially because it was already a feature. You could say it counts as future-proofing. Also, on the argument that we don't know the CPU power governments have, which let me tell you is ridiculous, it doesn't matter how powerful they are if the server they are attacking can't handle the absurd amount of tries needed to crack a password that long. Quantum computing is the closest threat we have to making traditional password lengths obsolete and even then I guarantee we will not be seeing them operating anything close to it in our lifetimes.
I used Version 2.3.* on Windows and Linux.
When generating new passwords and customizing the length of the password I did not use the slider because it is limited to 128 chars. I used the text/number-entry field on the right of the slider and typed "999" into it because it was the highest accepted number by that dialog. This works for a lot of online portals.
After an update to Version 2.6.0 the entry field is limited to "128", too.
This lowers my security. Please fix this asap.