-
-
Notifications
You must be signed in to change notification settings - Fork 6.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
auth/sign_up Password maxlength too small, inconsistently checked #25390
Comments
This is a duplicate of #20653, #13152 and #24654 — essentially bcrypt which is what's used for hashing passwords doesn't accept more that 72 bytes of data, or at least only consumes the first 72 bytes of a password, anything beyond that doesn't actually increase security, hence limiting; it's an underlying issue in Devise: heartcombo/devise#5307 |
@ThisIsMissEm Thank you for referencing those issues and summarising the current situation. Clearly the matter of handling
|
You could add the min & max length options here:
Making the placeholder parametised might be a little more difficult & would require updating localisations but could be doable too I think. |
Steps to reproduce the problem
...
Expected behaviour
Long passwords in each field should be accepted
Actual behaviour
Long passwords are truncated in one field, yet accepted in the other, creating an error.
Detailed description
The code for the Password field specifies constraints which are not mentioned elsewhere, i.e.
minlength="8"
andmaxlength="72"
, resulting in long passwords entered in the field being silently truncated.The code for the Confirm password field has no such limitations.
While it can be argued that this minimally satisfies the requirement to have the same password entered into each field, it has several shortcomings:
While a discussion of what constitutes a "long" password in this time of long random passwords stored in a password managers and the security of these passwords depending mostly on breaches and length is outside the scope of this issue, Postel's law seems an appropriate guiding principal for any properly handled password storage.
Conversely, the lack of
maxlength
for the Confirm password_ field invites unnecessary opportunities for unintended consequences.I suggest that both fields have
minlength="8"
andmaxlength="1024"
, and that these constraints be explicitly advertised on the page. If the actual security of passwords and avoidance of account takeovers using breach data are desired, then I suggest checking against Pwned Passwords (which deserves a feature request).Specifications
Mastodon v4.2.0
Mastodon v4.1.2+nightly-20230609
Mastodon v4.1.2+glitch
Mastodon v4.1.0
Mastodon v4.0.2
Mastodon v4.0.2+glitch
The text was updated successfully, but these errors were encountered: