Raise Password length to 80 #4558

Closed
halfdan opened this issue Jan 20, 2014 · 8 comments
Labels: Enhancement, Help wanted

Comments

@halfdan
Member

halfdan commented Jan 20, 2014

The password length is currently kept between 6 and 26 characters. There's really no reason to restrict people in the maximum length of their password. I propose to either completely remove the arbitrary restriction (max characters) or increase it to at least 50.

@anonymous-matomo-user

I would definitely vote for lifting any restriction on that. Why would anyone even want to restrict more secure passwords?

@gaumondp

25 letters would take 550 years to break at 1000 guesses/second.

http://www.explainxkcd.com/wiki/index.php/936:_Password_Strength

And a simple sleep(5) in case of bad password would take infinite -1. ;)

Dali

@halfdan
Member Author

halfdan commented Jan 20, 2014

@daliDev, complexity is hardly the point here. A bcrypt approach would definitely make things more secure than the currently used md5. The point here though is that there simply is no reason to have a maximum length for passwords.

@mattab
Member

mattab commented Jan 21, 2014

These checks are there to make sure the user does not by mistake set the password to some super long string without realizing. Maybe it's a weak justification...

If you do want a longer password, no problem, there is a config setting to disable these extra checks: http://piwik.org/faq/troubleshooting/faq_112/

I don't want to simply remove the max length check because we'd have to change the translation string.

@halfdan
Member Author

halfdan commented Jan 21, 2014

@mattab: That is hardly a solution. The restriction is completely arbitrary and the config setting disables a whole lot of other things as well. It would also disable the minimum length and allow really weak passwords. That's not a solution - sorry.

Changing the translation string isn't really an issue - the warning is only shown when a password is too short. Translation strings are also no reason to not improve Piwik.

People that entered long strings can simply reset their password.

@halfdan halfdan added this to the Future releases milestone Jul 8, 2014
@martin-ueding

If you worry that passwords are too strong, give them feedback on the number of characters inserted. In case you use a password manager and copy the string into it, it would just cut it off in case maxlength is used in the HTML form.

@gaumondp A weak hashing algorithm with a sleep workaround might work as long as the database is not breached. Once the database is breached, you will have a bunch of MD5 hashes in the wild with restricted password entropy. They can be cracked on GPUs rather easily. So a stronger hash is the better solution.
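
An added sketch, not part of the thread and not Matomo's code, of the policy the comments above argue for: keep the minimum of 6, allow up to 80 characters, reject over-long input instead of truncating it, and store a salted slow hash rather than bare MD5. PBKDF2-HMAC-SHA256 from Python's standard library stands in for the bcrypt mentioned earlier; the function names, iteration count and record format are assumptions.

```python
import hashlib
import hmac
import os

MIN_LEN, MAX_LEN = 6, 80   # limits from the thread: minimum 6, maximum raised to 80
ITERATIONS = 200_000       # assumed work factor for this sketch; tune for your hardware


class PasswordPolicyError(ValueError):
    """Raised when a password is outside the allowed length range."""


def check_length(password: str) -> None:
    """Reject out-of-range passwords with the actual count; never truncate."""
    n = len(password)  # counts characters, not bytes
    if n < MIN_LEN:
        raise PasswordPolicyError(f"password has {n} characters, minimum is {MIN_LEN}")
    if n > MAX_LEN:
        raise PasswordPolicyError(f"password has {n} characters, maximum is {MAX_LEN}")


def legacy_md5(password: str) -> str:
    """Unsalted MD5 as criticised in the thread; shown for comparison only."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Return a salted record in the assumed format iterations$salt$digest (hex)."""
    check_length(password)
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored parameters and compare in constant time."""
    iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    pw = "correct horse battery staple " * 2 + "x" * 22  # constructed sample, 80 characters
    record = hash_password(pw)
    print(verify_password(pw, record))       # the full password verifies
    print(verify_password(pw[:26], record))  # cut to the old 26-character limit: no match
    print(legacy_md5("hunter22") == legacy_md5("hunter22"))  # unsalted: equal inputs, equal hashes
```

Because the salt is random per record, two users with the same password get different stored values, which the unsalted MD5 scheme cannot offer.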

@mattab
Member

mattab commented Sep 20, 2014

Thanks for posting, I agree and increasing priority since it is an easy change. Pull requests are welcome too 👍

@mattab mattab modified the milestones: Short term, Long term Sep 20, 2014
@mattab mattab added the Help wanted Beginner friendly issues or issues where we'd highly appreciate community's help and involvement. label Sep 20, 2014
tsteur added a commit that referenced this issue Nov 10, 2014
@tsteur tsteur self-assigned this Nov 10, 2014
@mattab mattab changed the title Raise Password length to 50 Raise Password length to 80 Nov 11, 2014
@mattab
Member

mattab commented Nov 11, 2014

Done in #6632 👍

6 participants