Thunder App @lemmy.world snowe @programming.dev 1 yr. ago

Password limit is set to 60 characters

It seems like the password limit is set to 60 characters so I’m unable to login to my instance. There probably should be no limit in the app because each server could have different limits set.

18 comments

Why in the f do you need 60+ chars for a password?
- Computers get faster all the time, making brute force cracking of passwords easier all the time. Password managers don't care how long a password is. The task of filling it out is the same.
  
  60 character passwords with any amount of complexity would take effectively infinite time to brute, an 18 character password with complex characters would take millions of years... There is no reason to use 60, let alone more than
- Because there’s no reason not to and plenty of reason to?
I think 60 is the default max length set by the lemmy source code.
- Mine is 100+. As far as I remember, there is no limit set for admin passwords.
  
  So what I have noticed is 60 is the max according to the source code, but if you use a password manager that fills the field in for you, the browser in my case Firefox, ignores the limit and accepts the full length password.
  
  Hey there, like others have mentioned, I think this is a limitation on lemmy's end which limits the password length up to 60 characters.
  
  This is the source code for lemmy's backend if you're curious. If you think this is not the case, feel free to create a new issue on GitHub and we can take a further look into this! Let me know if you need any more clarification :D
Hi all,

Continuing the discussion from GitHub... Here is the PR I opened.

https://github.com/thunder-app/thunder/pull/766

However, there's still some discussion to be had about whether this is the right change.

@snowe, a couple questions...

Can you log in via Liftoff? They also have a 60 char limit. https://github.com/liftoff-app/liftoff/blob/3055896657ef05772dc5fa18c5b3ab285b93f54a/lib/pages/settings/add_account_page.dart#L199

When you say, "It seems like the password limit is set to 60 characters so I’m unable to login to my instance.", did you try logging in with a truncated password? Or are you just assuming that, if we limit the length, it won't work? I only ask because this Thunder discussion led us to find that truncating actually works for some users, which is what led to the original limit.

Thanks!!
- I believe Jerboa also has this character limit as mentioned in this PR. It seems like they truncate the password to take the first 60 characters if it's too long. This is what Thunder also follows as of right now, except it's shown explicitly to the user in the login modal
Its looking like this may be fixed. Here is a recent chat from micahmo in the thunder general chat on matrix

I Just noticed that this was posted by the snowe, the admin of programming.dev, which is the instance I use haha! Just thought it was cool that he used Thunder!

I read through that thread, and regardless of whether there's a limit or not, or there's an issue with the backend, etc., etc., I think it makes sense to remove the limit in Thunder. Specifically, snowe said this:

I can log in on every other app perfectly fine

If we were facilitating account creation, then sure maybe we should do a little more validation. But for login, I say let the user type whatever they want and let the backend handle it.

I'll open a quick PR to remove this limit. Of course, up to Hamlet, if you agree. 😊
PR'd!

https://github.com/thunder-app/thunder/pull/766

You've viewed 18 comments.