CosmicRot

Cosmic horror bimboy // 28 // tired

  • he/they/xe

I'm so fucking autistic and I really love pathetic wet cat characters and making art and doing creative shit. Please god let me be less perpetually exhausted so I can make creative shit.


✨💀 Website [Under construction] 💀 ✨
cosmicrot.com/
✨💀 Ko-fi 💀 ✨
ko-fi.com/cosmicrot
Vgen [commissions]
vgen.co/cosmicrot

Lizstar
@Lizstar

One of my biggest pet peeves of all time is password restrictions.

It's the stupidest shit and I never fucking understand it.

Today's stupid fucking password restriction is "your password must be between 8-15 characters"

Why is the maximum so low? I can understand having it be like, not unlimited so they can't execute some fucking code or whatever the hell. But 15?!

I've said this before, I'll say it again. If I want my password to be "cat", warn me, tell me it's a bad idea, but let my password be fucking "cat". Don't make me go scrounging for a special character, cause you KNOW all anyone does with that shit is just add an ! at the end of their usual password. It just makes it less secure.



in reply to @Lizstar's post:

The one thing that I want from my password manager is for it to automatically put an exclamation point at the end of a generated password. It cannot possibly know what the acceptable "special" characters are, so I can't just let it go whole-hog on special chars. Just add the one known good character at the end so that we can "satisfy the entropy requirement" and get on with shit already. Don't make me find the saved password, Edit, click the eyeball, unclick selecting the entire password, click at the end, type "!", save, sync, force the browser extension to syn…

The one I use lets me pick which special characters to use, or at least it has a couple of options for common and uncommon ones. Most of the time I haven't had an issue. Though, being able to set generation rules to be more specific would be nice.

Honestly they terrify me, as do most forms of 2FA. I have to use public terminals sometimes. The chance I wind up unable to access some sites due to needing a phone for authenticator or text message 2FA is already nonzero, I absolutely refuse to risk email access on a generated password I won't remember on my own.

(Of course that has nothing to do with not knowing they exist. But like... consider the prevalence of "password reset" email scams. They wouldn't be fishing so heavily in that pond if it weren't vast.)

Ahh, that's fair, I rarely if ever use public computers, I pretty much just use my home computer, I've had a couple of passwords cracked in the past that I had to reset a few times and that's what really sold me on them. I now make my passwords as long and as complicated as any given site allows and let the manager remember it.

I especially hate when they limit the character set for reasons I hope are arbitrary, like if I want a "." in my password that shouldn't be a problem, but for some reason I'm not allowed to do that sometimes.

Honestly, having a maximum length on a password, especially one this low, smells of trouble.

The safe way to store a password is to hash it. If your password is cat and the hash function is MD5, the hash is d077f244def8a70e5ea758bd8352fcd8. When a user tries to log in, you don't check if their password in the database is cat. You check if the hash of their password is cat.

The thing with hashes is they are fixed length. MD5 hashes are always 32 characters long. On the database side, you choose how many characters each column of a table will have before adding data. Using a hash simplifies this step, as the hash of the password is always the same length. If they aren't hashing the passwords, 8 to 15 looks a lot like what could happen.

Hashing is mainly useful in case of a data breach. If a hacker steals the database, they look up your account password and they don't see cat, they see a hash.

As other commenters have suggested, this kind of password restriction is an almost sure sign they are storing whatever you enter as your password in plaintext in their (old) database. So when-not-if their DB gets popped, it's over. Hope you didn't reuse that email address and password anywhere else 😬

Really you should be able to use the text of a SQL injection attack, or the youtube URL to 'Never Gonna Give You Up', or anything as your password. It should be treated as a completely opaque and untouchable string that exists only for as long as it takes for their website to send it to their backend and hash it.
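As an added example (it is not code from anyone in this thread), the Python below shows the two points the replies above make together: the fixed-width hashing explanation and the "treat the password as an opaque string" point. It keeps only a random salt and a fixed-size digest per user, accepts a three-letter word, a very long passphrase, SQL-injection-looking text, a URL and non-ASCII characters alike, and binds the password into the query as a parameter so it never becomes part of SQL text. The choice of PBKDF2-HMAC-SHA256 (rather than the MD5 mentioned above) is this example's own, as are every name, the sample users and their passwords, which are constructed; the iteration count is set below production guidance only so the demo runs quickly.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Constructed example: a minimal credential store that keeps only a random
# salt and a PBKDF2-HMAC-SHA256 digest, never the password itself. PBKDF2 is
# this example's choice; MD5 is fast and unsalted and is not suited to this.
PBKDF2_ITERATIONS = 200_000  # deliberately low for a quick demo
SALT_LEN = 16                # bytes of random salt per user
DIGEST_LEN = 32              # bytes; every stored digest has exactly this width


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest). Any length or character set is accepted, because
    the password is just UTF-8 bytes going in and the output is fixed-size."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=DIGEST_LEN
    )
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


class CredentialStore:
    """SQLite-backed user table (hypothetical). Column contents are fixed-size
    because salt and digest are; the password's length never matters here."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE users (username TEXT PRIMARY KEY, "
            "salt BLOB NOT NULL, digest BLOB NOT NULL)"
        )

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        # Parameterised query: the password never touches SQL text, so a
        # password that merely looks like an injection payload is just bytes.
        self.db.execute(
            "INSERT INTO users (username, salt, digest) VALUES (?, ?, ?)",
            (username, salt, digest),
        )

    def login(self, username: str, password: str) -> bool:
        row = self.db.execute(
            "SELECT salt, digest FROM users WHERE username = ?", (username,)
        ).fetchone()
        if row is None:
            # Unknown user: spend the same hashing cost so the response time
            # does not reveal whether the username exists.
            hash_password(password, bytes(SALT_LEN))
            return False
        salt, digest = row
        return verify_password(password, salt, digest)

    def stored_digest_len(self, username: str) -> int:
        row = self.db.execute(
            "SELECT length(digest) FROM users WHERE username = ?", (username,)
        ).fetchone()
        return row[0] if row else 0


# Constructed sample passwords: the cases the thread argues should all be
# accepted, including text that looks like SQL injection and a URL.
SAMPLE_PASSWORDS = {
    "alice": "cat",
    "bob": "correct horse battery staple " * 8,
    "carol": "' OR '1'='1'; DROP TABLE users; --",
    "dave": "https://www.youtube.com/watch?v=dQw4w9WgXcQ",
    "erin": "pässwörd💀✨",
}


def demo() -> dict:
    """Register every sample user, then report the stored digest width and
    whether the right password is accepted and a wrong one rejected."""
    store = CredentialStore()
    for user, pw in SAMPLE_PASSWORDS.items():
        store.register(user, pw)
    return {
        user: {
            "digest_len": store.stored_digest_len(user),
            "correct_ok": store.login(user, pw),
            "wrong_rejected": not store.login(user, pw + "!"),
        }
        for user, pw in SAMPLE_PASSWORDS.items()
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Every user ends up with a 32-byte digest regardless of what they typed, which is the reason a hashed store has no use for a 15-character cap, and carol's injection-shaped password leaves the users table intact because it was bound as a parameter rather than concatenated into the statement.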