Password length limited to 32 characters

When registering a new account on zotero.org with a fairly strong long password, I got this error message:

'***************************************' is more than 32 characters long

From a security standpoint, 32 characters is now considered an arbitrary limit that prevents users from using longer passphrases for their account, and it is generally considered bad practice to limit users in password complexity.

Technically speaking, a password should of course never be stored as-is in a database, it is customarily hashed with some hashing algorithm. The resulting hash has a fixed length, regardless of the password used.

The only technical explanation for a maximum length on a password I can think of is that the password is stored in plain text on the backend servers in a field with a maximum of 32 characters, but I assume that this is not the case.

Is there a reason to maintain this limit of 32 characters? I would suggest increasing the limit to 512 characters (to prevent abuse).
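As an added illustration of the hashing point made above (example code written for this page, not code from the thread or from Zotero's own code base): passwords of 8, 32 and 500 characters all produce the same fixed-length digest once run through a password KDF, so the only server-side length rule needed is a generous upper bound that caps the work spent hashing. The 8/500 limits and the scrypt parameters are assumptions, not Zotero's settings.

```python
import hashlib
import hmac
import os

# Assumed policy: a short minimum and the 500-character ceiling mentioned
# in the thread. The ceiling bounds KDF CPU time; it has nothing to do with
# how wide a database column is, because only the digest is stored.
MIN_LEN = 8
MAX_LEN = 500
DIGEST_LEN = 32  # bytes of KDF output, fixed regardless of input length


def length_ok(password: str) -> bool:
    """Apply the length policy; this is the only place length is enforced."""
    return MIN_LEN <= len(password) <= MAX_LEN


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest). The digest is always DIGEST_LEN bytes."""
    if not length_ok(password):
        raise ValueError("password length outside policy")
    salt = salt or os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=2**14, r=8, p=1,  # assumed cost parameters (~16 MiB of memory)
        dklen=DIGEST_LEN,
    )
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    if not length_ok(candidate):
        return False  # cheap rejection before paying for the KDF
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, stored)


def digest_lengths(passwords: list[str]) -> list[int]:
    """Show that digest size does not depend on password size."""
    return [len(hash_password(p)[1]) for p in passwords]


if __name__ == "__main__":
    # Constructed sample inputs: 8, 32 and 500 characters.
    print(digest_lengths(["a" * 8, "b" * 32, "c" * 500]))  # [32, 32, 32]
```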
  • I agree that imposing password limits is poor practice. I'm sure Zotero doesn't store passwords in plain text, but there might be other technical limitations to this (I'm actually not sure if there are).

    I will note one other thing though. You can change your password to a seemingly unlimited length after logging in (under your account settings). Unfortunately, doing so appears to lock you out of your account (until you reset the password).
  • @aurimas that's actually because I updated those forms in response to this thread, but forgot the login form.

    @jdhoek Thanks for pointing this out, and for assuming (correctly) that it's just a front end thing, not a fundamental security issue. It was only a (very old) form validation sanity check. Nothing is stored in plain text. I've increased the limit to 500.
