Password Limits?

Discussion in 'General Topics' started by KookyMan, Jan 11, 2009.

Thread Status:
Not open for further replies.
  1. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    Hey Administrators,

    I was wondering if you could provide the rules of allowed passwords either here, or more usefully on the password change page.

    Every time I change my password, I always end up having to reset it to a provided default.

    Is there length Minimum/Maximum, Required Characters, etc?

    Thanks
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    There are no "enforced" special requirements for passwords in standard vBulletin, (i.e. must contain mixed case, be of certain length, minimum of X letters vrs numbers). The only restriction enforced by the software is that the password should not be identical to the username.

    Over time we've tested various combinations and all typical passwords work. Say 8-12 chars, mixed case with and without numbers.

    I've never heard of people not being able to successfully change their passwords. Are you doing something extreme, like a very long password or perhaps using unprintable (multi-byte international character set?) chars or similar? You could possibly overflow the routine that hashes the password if you use a very long one or real non-typical chars, but I have no examples that don't work.

    You can have a secure password without getting too complex. Something along this style is secure and always works: Jg6$xA[4v%O3

    If a password like that never works for you, then something else entirely is going on when you change your password.

    What do you mean by "provided default"? Having a password change emailed to you or something else?
     
  3. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    'provided default' would be having the password change emailed, usually through the 'lost password' procedure.

    As for what kind of passwords I've been trying, I've tried 15+ character ones, Aa-Zz, 0-9, no specials, no spaces. I want to say I've even tried a 12 char. Anymore, I don't consider 15 to be too 'far out' when it comes to passwords, and I figure most modern systems should be able to handle it. (I have found a couple that don't support more than 10, but all I can imagine is they are storing plaintext passwords and have their database set up for a field length of 10 char.)

    The troubling thing to me is not necessarilly that I am not using an acceptable password (IE one that can't actually authenticate me during login), but the fact that the board accepts and gives me a successful response setting the password, however it doesn't work. I was wondering if the password setting routine is truncating the password entered to its own limits (say, keeping only the first 10 char) but when I attempt to authenticate, its hashing the entire entered text, which does match the password as entered to set, but casuing a non-match. I did have that happen on one site, and discovered if I pasted in my 15 character password but deleted the last X characters, it would suddenly work.
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    No, it's not truncating at that short a level. I just ran tests up to 48 chrs long with mixed case letters, numbers and symbols, and they all worked fine. Both Firefox and Opera, with and without Javascript enabled, as well. I've checked the entry fields on the password change form and they are set to a 50-chr length maximum. (The only possible limitation I can think of is on special characters outside the printable ASCII range, some of which may not work, so, I'd limit the use of special characters to just symbols available on a standard keyboard.)

    Passwords aren't stored in the database as plain text. vBulletin does multiple MD5 hashes on what's entered in the password fields and stores just a fixed length (32 chr) hash.

    I can't see any reason why you can't enter and successfully change a 12 or even 15 chr password. If these didn't work on a global basis for all users, (we're just using standard vBulletin forum authentication code here), I'm sure this problem would be well known by now, yet it's never been reported before. I can't imagine what it is, but, it doesn't appear to be a problem with our forum software.

    My best suggestion is to try a different browser, even just as a one time test, and see if it works. Maybe there is some kind of password manager, text filtering going on with your base setup, and a different browser with no special utilities would work.
     
Thread Status:
Not open for further replies.