Real available password length when creating one......


JimB, Oct 13, 2023
In SN 1040, Steve talks about his use of 64 random, entropic character passwords and the thought occurs....how does one know just what the limit is for that particular site? I suppose you could inspect the page code to see if the programmer has the code lines to limit password length but that becomes cumbersome and virtually unreachable for those who have zero skills to do that.

Wouldn't it be nice to know how many, and what kind of, characters are allowed without having a text-block password creation guide available to tell you? And for all you know, if the limit is 10 and you plug in a 64 character password that gets truncated....well, that's all you get.
 
Well, yes it's annoying that sites have weird limitations on passwords, but NONE of them should truncate, if they're well designed. (Not saying they don't as evidenced by past reports for MS Outlook.) The proper design is to have a form that accepts the password, and a declared maximum length, and won't accept more characters beyond that length. It may also limit the character class, to screen out problematic characters for the transmission of the password or ones that can lead to issues later (emoji maybe), but in the end the password is converted to bytes (binary) and then run through a hashing algorithm which only accepts binary and could care less how much of it you present. (There is the idea that more takes longer and more CPU cycles, so a site might enforce a lower limit, but realistically, anything under 2K is probably not an issue.) Of course a 2K password would use more data if the site allowed them as well, and bandwidth eventually costs money, so it's just another limit the site applies to keep costs down.
 
This is complicated to pull off on some web sites. Couple years back I discovered the password rating feature in KeepassXC, so I went through my lower scored passwords and upgraded them. Or tried to.

There were a couple sites, I'd like to say Experian or Equifax, that let me change my password to a really long one (16+ chars with extra characters), but not use it to log in. Essentially, sites may not test passwords end to end.

Another site let me change it, but I can't use it to log in. I can 'forget my password', setting another, which let me in one time, but the new password doesn't persist on a second pass, and I have to 'forget my password' each time now. They aren't handling an exception somewhere in their back end.

Kudos to sites that do permit really long passwords and have change/reset password functionality that works.
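The two failure modes described in the posts above (a site that truncates instead of refusing, and a change-password path that accepts what the login path later cannot verify) are easy to reproduce in a few lines. This is an added example, not code from the forum or from any of the sites named; the byte limit, the iteration count and the legacy 16-character login limit are constructed values.

```python
# Added example: reject over-long passwords instead of truncating, and make
# set-password and login share ONE normalization path so they agree end to end.
import hashlib
import hmac
import os
import unicodedata
from typing import Callable, Optional, Tuple

MAX_PASSWORD_BYTES = 256   # constructed limit; declare it, enforce it, never silently cut
PBKDF2_ITERATIONS = 600_000

def normalize(password: str) -> bytes:
    """Single canonicalization used by BOTH set-password and login."""
    # NFC so the same visible password hashes identically across platforms.
    data = unicodedata.normalize("NFC", password).encode("utf-8")
    if len(data) > MAX_PASSWORD_BYTES:
        # Refuse loudly; the user then knows the real limit at creation time.
        raise ValueError(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    return data

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Set-password path: salt + PBKDF2-HMAC-SHA256 over the normalized bytes."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(password), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_password(stored: Tuple[bytes, bytes], candidate: str) -> bool:
    """Login path: same normalize(), constant-time compare, over-long input -> False."""
    salt, digest = stored
    try:
        attempt = hashlib.pbkdf2_hmac("sha256", normalize(candidate), salt, PBKDF2_ITERATIONS)
    except ValueError:
        return False
    return hmac.compare_digest(digest, attempt)

# --- the bug the thread describes, reproduced deliberately for contrast ---
LOGIN_FIELD_LIMIT = 16  # constructed: an old, smaller limit applied only to the login form

def buggy_verify(stored: Tuple[bytes, bytes], candidate: str) -> bool:
    """Login form truncates to a legacy limit that change-password never applied."""
    return verify_password(stored, candidate[:LOGIN_FIELD_LIMIT])

def change_then_login(password: str,
                      verifier: Callable[[Tuple[bytes, bytes], str], bool] = verify_password) -> bool:
    """The end-to-end test the posts wish sites ran: set it, then log in with it."""
    return verifier(hash_password(password), password)
```

Note that `change_then_login("shortpass", buggy_verify)` still succeeds, which is exactly why the truncation bug stays invisible until a user shows up with a password longer than the login form's limit.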
 
It's a mess. I don't mind UID/password but it would be nice if the whole ecosystem were standardized so you'd know what to expect. And I'd really like it if the UID were treated as a first element of the password.....just as complex without using email or some other PII data. And I'd like for someone to implement SQRL somewhere besides Steve's site.
 
There were a couple sites, I'd like to say Experian or Equifax, that let me change my password to a really long one (16+ chars with extra characters), but not use it to log in. Essentially, sites may not test passwords end to end.
I had an issue like that for a while with an app on my phone. It seems at some point their policy was updated to have a smaller max password length, but I somehow had a password longer than that length set. As I have my password manager generate passwords in the range of 21-25 characters, sometimes if I have my password manager fill in the password for me, it somehow ignores the max password length check, or it is truncated (maybe I pasted it manually, or the password manager is not ignoring the max length), but the full length is saved, making me unable to log in with my password. Somehow I was able to fail the password requirement hard enough to have the requirement box appear instead of it just accepting what I was putting in.

I had an interesting case with Cloudflare. I had a password that didn't meet the specs (maybe they updated to make it more strict after the one I was using was set, and I didn't have a special character or number in my password, or a special character I was using was suddenly banned; I can't remember the reason now), and at some point the password you enter on the login screen needed to meet the rules, which meant in my case, as I had a password that didn't meet the new rules, I couldn't use my password to log in until I used the change password feature.