View Issue Details

ID: 0001041
Project: HTML & PERL
Category: Bug Report - Interface
View Status: public
Last Update: 2008-03-27 21:40
Reporter: Indy13
Assigned To: DerIdiot
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Summary: 0001041: Password is limited to 8 chars, yet it's not mentioned anywhere
Description: Setting an account password longer than 8 characters has no effect as only the first 8 characters are taken into account.
Example: if you set "123456789" as password you only need to type "12345678" to log in successfully.

Also if your password is 8 characters or more, anything you type after the first 8 characters to log in doesn't matter.
Example: your password is "12345678" and you type "12345678asd" to log in; the login will be successful.

Password limit should be mentioned both on the signup page and profile page and perhaps increased.
Tags: No tags attached.

Activities

exp

2008-03-26 22:52

administrator   ~0001865

This is caused by the currently used unix crypt() for password hashes.
In the long run a move to another hashing scheme is probably a good idea.
So far there are no plans to address this issue.

DerIdiot

2008-03-26 23:11

administrator   ~0001866

I think we allow 16 characters for input though. That is indeed rather confusing, exp. Would need to check that first though to confirm it, but I saw some 16 character checks in adb_auth.

DerIdiot

2008-03-27 21:40

administrator   ~0001873

Knew it. Twice in the code there were checks for 16 characters. Aside from the inconsistent maxlength of the password field. It's restricted to 8 characters now for signup and password change in the profile. That should make it clear.
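
The truncation that exp attributes to unix crypt() comes from how the traditional DES-based scheme builds its key: only the low 7 bits of each of the first eight characters are used. The Python sketch below is an added example, not code from the project or from anyone in this thread; its function names are illustrative, and it reproduces only the key-derivation step, not the salt handling or the DES rounds.

```python
# Added example: key derivation of traditional DES-based crypt(3).
# Function names are illustrative assumptions, not taken from the project.

KEY_CHARS = 8  # traditional crypt(3) reads only the first eight bytes


def des_crypt_key(password: bytes) -> bytes:
    """Return the 8-byte DES key traditional crypt(3) derives from a password.

    Each of the first eight bytes contributes its low 7 bits, shifted left so
    the unused parity bit sits in bit 0. Shorter passwords are zero-padded.
    """
    head = password[:KEY_CHARS].ljust(KEY_CHARS, b"\x00")
    return bytes((b & 0x7F) << 1 for b in head)


def ignored_tail(password: bytes) -> bytes:
    """Bytes of the password that never reach the hash."""
    return password[KEY_CHARS:]


def same_login(stored: bytes, typed: bytes) -> bool:
    """True when both inputs yield the same DES key, so crypt(3) with the
    same salt produces the same hash and the login comparison passes."""
    return des_crypt_key(stored) == des_crypt_key(typed)


def check_new_password(password: bytes) -> list:
    """Signup-time validation reporting what the hash would silently drop."""
    problems = []
    tail = ignored_tail(password)
    if tail:
        problems.append(f"{len(tail)} trailing byte(s) ignored")
    if any(b & 0x80 for b in password[:KEY_CHARS]):
        problems.append("high bit of non-ASCII byte ignored")
    return problems


if __name__ == "__main__":
    # The two cases from the report above.
    for stored, typed in [(b"123456789", b"12345678"),
                          (b"12345678", b"12345678asd")]:
        print(stored, typed, same_login(stored, typed))
    print(check_new_password(b"123456789"))
```

A form-level `maxlength` of 8 only makes the limit visible; the effective key stays at 56 bits until the hashing scheme itself is replaced.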

Issue History

Date Modified Username Field Change
2008-03-26 20:22 Indy13 New Issue
2008-03-26 22:52 exp Note Added: 0001865
2008-03-26 23:11 DerIdiot Note Added: 0001866
2008-03-27 21:40 DerIdiot Note Added: 0001873
2008-03-27 21:40 DerIdiot Status new => resolved
2008-03-27 21:40 DerIdiot Resolution open => fixed
2008-03-27 21:40 DerIdiot Assigned To => DerIdiot