Password Length Registration Bug

Some websites let you enter a password of any length when registering, but when you later sign in, the sign-in fails with a message that the password is incorrect. These websites sign you in automatically straight after registration, so everything seems fine at first. However, they truncate the long password you entered and store that in the database (more precisely, they probably store a hash of the truncated password). Because of this truncation, the next time you sign in with the full password it will fail, telling you the password is incorrect.

The solutions are:

  1. Allow a password of any length (the stored hash has a fixed length anyway, so the length of the input doesn't matter)
  2. Allow a long password, say 64 characters, and tell the user on registration if their password is too long. Only register them once their password is no longer than the maximum length
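As an added example (not code from the original post), the buggy flow and the fixed flow side by side in Python: the registration handler that silently cuts the password to 16 characters before hashing is constructed for illustration, and the 64-character limit follows solution 2 above.

```python
import hashlib
import hmac
import os

MAX_LEN = 64          # policy limit from solution 2
TRUNCATE_AT = 16      # constructed: the silent truncation the buggy site applies


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; the output is a fixed
    # 32 bytes no matter how long the password is.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# --- Buggy flow: registration truncates, login does not.
def register_buggy(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    stored = _hash(password[:TRUNCATE_AT], salt)   # bug: cut before hashing
    return salt, stored


def login(password: str, salt: bytes, stored: bytes) -> bool:
    # Login hashes exactly what the user typed, so a hash made from a
    # truncated password never matches the full-length password.
    return hmac.compare_digest(_hash(password, salt), stored)


# --- Fixed flow (solution 2): reject over-length input up front, then hash
# the whole string that was accepted.
class PasswordTooLong(ValueError):
    pass


def register_fixed(password: str) -> tuple[bytes, bytes]:
    if len(password) > MAX_LEN:
        raise PasswordTooLong(f"password exceeds {MAX_LEN} characters")
    salt = os.urandom(16)
    return salt, _hash(password, salt)


def demo() -> dict:
    short_pw = "sixteen chars ok"                                            # 16 chars
    long_pw = "correct horse battery staple but rather longer than sixteen"  # 59 chars
    salt, stored = register_buggy(short_pw)
    short_ok = login(short_pw, salt, stored)     # True: short passwords hide the bug
    salt, stored = register_buggy(long_pw)
    buggy_long = login(long_pw, salt, stored)    # False: the reported symptom
    salt, stored = register_fixed(long_pw)
    fixed_long = login(long_pw, salt, stored)    # True
    return {"short_ok": short_ok, "buggy_long": buggy_long, "fixed_long": fixed_long}
```

The same mismatch can come from a hashing library that truncates its own input, so the limit enforced at registration should never exceed what the hash function actually consumes.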

If you’re a website owner and I’ve emailed you a link to this article, it’s because your registration process has failed this test.

Current Culprits

  • www.chroniclelive.co.uk (Been alerted: true)

Copyright Technology Wales 2016
