Raise Password length to 80 #4558
Comments
I would definitely vote for lifting any restriction on that. Why would anyone even want to restrict more secure passwords?
25 letters would take 550 years to break at 1000 guesses/second. http://www.explainxkcd.com/wiki/index.php/936:_Password_Strength And a simple sleep(5) in case of bad password would take infinite -1. ;) Dali
@daliDev, complexity is hardly the point here. A bcrypt approach would definitely make things more secure than the currently used md5. The point here though is that there simply is no reason to have a maximum length for passwords.
These checks are there to make sure the user does not by mistake set the password to some super long string without realizing. Maybe it's a weak justification... If you do want a longer password, no problem, there is a config setting to disable these extra checks: http://piwik.org/faq/troubleshooting/faq_112/ I don't want to simply remove the max length check because we'd have to change the translation string.
@mattab: That is hardly a solution. The restriction is completely arbitrary and the config setting disables a whole lot of other things as well. It would also disable the minimum length and allow really weak passwords. That's not a solution - sorry. Changing the translation string isn't really an issue - the warning is only shown when a password is too short. Translation strings are also no reason to not improve Piwik. People that entered long strings can simply reset their password.
If you worry that passwords are too strong, give them feedback on the number of characters inserted. In case you use a password manager and copy the string into it, it would just cut it off in case @gaumondp A weak hashing algorithm with a
Thanks for posting, I agree and increasing priority since it is an easy change. Pull requests are welcome too 👍
Done in #6632 👍
The password length is currently kept between 6 and 26 characters. There's really no reason to restrict people in the maximum length of their password. I propose to either completely remove the arbitrary restriction (max characters) or increase it to at least 50.