te4.org silently destroys excess password characters.

Posted: Tue Oct 21, 2014 5:04 am
by tilkau
I went to register, and did my usual thing -- bring up KeePassX and use its password generation system to generate a 32-character password.
However, when I tried to login ingame, it kept rejecting it.
Finally I spotted this:
password: PR:whgQPs^V>@ZlC)6huMJ3rpnf^^)
In the email I was sent.

The length of the above quoted password is 30, not 32 -- the final two characters are missing. Meaning the password stored in my password wallet was different from the actual password needed to login!

Before I noticed that, I had decided to change my password to something shorter -- 16 characters long. With that, I managed to successfully login in-game.

IMO an appropriate fix would be to a) indicate the allowed size of the password (I guess it is 2-30 just like the forums), and b) actually validate the password length and give an error when appropriate.

Re: te4.org silently destroys excess password characters.

Posted: Thu Oct 23, 2014 3:22 am
by Red
Not having dealt with password programs in the past, I don't know how feasible this is, but wouldn't it make more sense to just allow passwords of any length?

Re: te4.org silently destroys excess password characters.

Posted: Thu Oct 23, 2014 11:57 pm
by tilkau
Red wrote: Not having dealt with password programs in the past, I don't know how feasible this is, but wouldn't it make more sense to just allow passwords of any length?
It's actually a database problem: The field is set to width 30, so that's all the space there is available to store the password. With most conventional databases, you cannot use arbitrary-length fields without substantial inefficiency.
Having a fixed width is therefore extremely common. It's only a problem when the website doesn't specify *what* that maximum is.

Just in case you are talking about KeePassX, -it- does allow arbitrarily long passwords.
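The failure mode described in this thread and the fix tilkau proposes, as an added example in Python (not te4.org's code; the 30-character column width and the 2-30 range are taken from the posts, the sample password is constructed): one store silently cuts the password to the column width, so a 32-character password registered with a wallet can never log in; the other rejects out-of-range lengths with an error and stores a fixed-width salted hash, so the column width no longer bounds what the user may choose.

```python
import hashlib
import os
import secrets

MAX_PASSWORD_LEN = 30   # assumed database column width, as reported in the thread
MIN_PASSWORD_LEN = 2    # assumed lower bound, as guessed in the first post
PBKDF2_ROUNDS = 100_000

# Constructed 32-character sample password, like the one the wallet generated.
SAMPLE_32 = "correct-horse-battery-staple-ab1"


def store_truncating(password: str) -> str:
    """Models the reported bug: the value is cut to the column width without any error."""
    return password[:MAX_PASSWORD_LEN]


def login_truncating(stored: str, attempt: str) -> bool:
    """Plain comparison against the truncated value: the full password never matches."""
    return stored == attempt


def length_error(password: str) -> "str | None":
    """Proposed fix (b): validate up front and report the allowed range instead of truncating."""
    if MIN_PASSWORD_LEN <= len(password) <= MAX_PASSWORD_LEN:
        return None
    return (f"password must be {MIN_PASSWORD_LEN}-{MAX_PASSWORD_LEN} characters, "
            f"got {len(password)}")


def hash_password(password: str, salt: bytes = b"") -> str:
    """Store a salted PBKDF2 hash: the record is always 97 chars, whatever the input length."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${dk.hex()}"


def verify_password(record: str, attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                             bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return secrets.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    stored = store_truncating(SAMPLE_32)
    print("truncating store, full password accepted:", login_truncating(stored, SAMPLE_32))
    print("validation message:", length_error(SAMPLE_32))
    record = hash_password(SAMPLE_32)
    print("hashed record length:", len(record), "verify:", verify_password(record, SAMPLE_32))
```

With the truncating store the 30-character prefix is the only value that logs in, which is exactly the mismatch between wallet and server seen in the first post; with length validation the registration fails loudly, and with hashing the 32-character password both fits the column and verifies in full.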