Forum Password Limit

@james Would it be possible for you to remove the 18 char limit?


A bit of insight into why password limits exist:

It is very likely it is not possible to remove the 18 character limit without changing the password hashing function.

One of the most popular and recommended password hashing algorithms, bcrypt, has an absolute maximum on the length it can hash. Depending on how/if they salt their passwords, it is very very easy for a user to hit that limit, though 18 characters does seem a bit extreme.

Password limits also can exist to prevent a user from accidentally (or maliciously) causing a DoS attack on the authentication server. Longer passwords take more time to hash. If they are long enough they can take exponentially longer to hash, which means fewer requests per minute and a potential 5xx error. Though, again, 18 characters seems a bit extreme.
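To make the hashing-cost point concrete, here is an added Python example (not code from the thread, and not Django's own): a textbook PBKDF2-HMAC-SHA256 that rebuilds the HMAC every round, so any password longer than SHA-256's 64-byte block is re-hashed on each iteration (the pattern behind the long-password denial of service in Django's 2013 advisory linked later in the thread), beside a version that keys the HMAC once, plus a byte-length guard using the 4096-byte cap the thread quotes from Django. The byte-counting wrapper and the cost model are my own construction; the salt and passwords are constructed sample values.

```python
import hashlib
import hmac
import struct

HASHED = {"bytes": 0}  # constructed cost model: bytes fed to SHA-256, so no flaky timing

class CountingSha256:
    """hashlib-style SHA-256 wrapper that tallies bytes compressed (ours, not Django's)."""
    block_size, digest_size = 64, 32

    def __init__(self, data=b""):
        self._h = hashlib.sha256()
        self.update(data)

    def update(self, data):
        HASHED["bytes"] += len(data)
        self._h.update(data)

    def digest(self):
        return self._h.digest()

    def copy(self):
        other = CountingSha256()
        other._h = self._h.copy()
        return other

def _pbkdf2(prf, salt, iterations):
    """PBKDF2 core, one 32-byte block: T = U1 ^ U2 ^ ... ^ Uc with Uj = prf(U(j-1))."""
    u = prf(salt + struct.pack(">I", 1))
    out = bytearray(u)
    for _ in range(iterations - 1):
        u = prf(u)
        out = bytearray(a ^ b for a, b in zip(out, u))
    return bytes(out)

def pbkdf2_naive(password, salt, iterations):
    """Fresh HMAC per round; HMAC pre-hashes a key over 64 bytes, so it is re-hashed every round."""
    return _pbkdf2(lambda m: hmac.new(password, m, CountingSha256).digest(), salt, iterations)

def pbkdf2_keyed_once(password, salt, iterations):
    """Same output, but the HMAC key schedule is built once and copied per round."""
    base = hmac.new(password, None, CountingSha256)
    def prf(msg):
        mac = base.copy()
        mac.update(msg)
        return mac.digest()
    return _pbkdf2(prf, salt, iterations)

def accept_password_length(password: str, max_bytes: int = 4096) -> bool:
    """Django-style guard (the 4096-byte cap quoted in the thread), measured in UTF-8 bytes."""
    return len(password.encode("utf-8")) <= max_bytes
```

Both KDFs reproduce hashlib.pbkdf2_hmac("sha256", ...) for a 32-byte key; only the work counted in HASHED differs, and the guard runs before any hashing so an oversized submission costs nothing.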


Okay, why is this a huge problem?

Because “let me in I want to play boundless now” is actually a more secure password than “5&$ghAd432”.

Wow, you just gave away a pass; I’m hoping it’s fake.

Sorry, I was a bit remiss in the way I stated what I said. I know that limits need to exist for various reasons, though not for the reason you mentioned, since I find it hard to believe one can cause a DoS attack using a modestly long password (about 40 to 50 chars) unless they set the number of rounds used to something quite high.

I should have stated “Would it be possible for you to change the 18 char limit to 50 chars?”

Are you really that worried someone will crack your 18 character password?

Not really, but I have changed my policy on how I handle passwords now that I have started using KeePassXC and OnlyKey, and as part of that change I am trying to update all of my passwords to be between 25 and 75 chars where possible.

Yeah, there is a big difference between “no limit” and a limit of 50 characters, which is why I did say 18 characters seemed a bit extreme.

Reading material:
https://www.acunetix.com/vulnerabilities/web/long-password-denial-of-service/
https://www.djangoproject.com/weblog/2013/sep/15/security/
https://owasp.deteact.com/cheat/cheatsheets/Password_Storage_Cheat_Sheet.html

But the reality is that someone trying to steal your Boundless credentials is a very low risk. Your Boundless credentials only give a user access to your Boundless forum account (the only PII it has attached to it is your email address). It has no access to payment data or game data, as both of those are locked behind the game servers, which require Steam or PSN to access, both of which have full 2FA support. 18 characters with no 2FA is very likely “good enough” for your forum account. You cannot by any means (that I am aware of) complete an account takeover with only your forum credentials.

I would say the only real forum accounts that are remotely “high value targets” are those of Wonderstuck employers and Leader-ranked users. If the devs of the game are comfortable with the level of protection they have on their own accounts, I would not say anyone else should have to worry about their own personal accounts. I really hate to throw this up since I hate it when other people mention it, but increasing password length is nowhere near a high priority against content for the game.

Thank you, I always like reading materials, since I am always wanting to learn more.

I assumed it would have been a very easy thing, as in just having to go into a config file and adjust a value, but if it is harder to do than just changing a value, then I don’t care enough about it at that point.

To remedy this, Django’s authentication framework will now automatically fail authentication for any password exceeding 4096 bytes.

:rofl: ok I think we’re good here.

That is very interesting, though; it’s amazing the **** people come up with.