I've used KeePass for a while now. After taking some time getting used to the process, I fell in love with both the concept and KeePass. I then spent a couple hours a night for a couple of nights changing my lousy passwords for generated passwords. I encountered a very frustrating issue. I hope that this post serves as a cautionary tale.
After changing passwords on several sites, one site bit me. After I changed the password, I logged out and attempted to log back in. The site would not accept my new password. After doing a "Forgot Password", I'd change the password again and have the same problem. After much debugging, I determined that the "Change password" field and the logon's "Enter Password" fields accepted different max lengths.
When I changed my password, I made it, say, 25 characters long. I finally noticed that the login password field would only accept a max of 20 characters. The two hashes would never match.
When I change a password now, I log into the site using another browser. If I'm successful, I'm done. If not, I determine the length restriction and change password again on the first browser. The "Old Password" field accepts the longer length too. I've encountered a couple of sites like this. Even previously safe sites will cause trouble when they update the "Change password" page but not the login page.
I hope this tale will save even a single new user the headaches I suffered. It would make an already tedious task harder. Perhaps when changing multiple passwords, you do it normally, log in, change password, log out, try to log in again. If you encounter a problem, check the length. It may save you some time and frustration.
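The failure the post above describes, as an added illustration that is not part of the original thread: a toy back end whose change-password form silently cuts input at 25 characters while the login form cuts at 20, so a 25-character password is stored as one hash and checked as another. The limits, the PBKDF2 iteration count and the site class names are assumptions for the demo, not taken from any real site. The `find_working_length` helper reproduces the poster's trial-and-error recovery (shorten, change, log out, log in again).

```python
import hashlib
import hmac
import os

# Assumed field limits modelled on the forum report; any real site will differ.
CHANGE_FIELD_MAX = 25   # maxlength on the "New password" input
LOGIN_FIELD_MAX = 20    # maxlength on the login form's "Enter Password" input
PBKDF2_ITERATIONS = 50_000  # lowered for a quick demo; not a recommendation


def _hash(password: str, salt: bytes) -> bytes:
    """Stand-in for whatever the site does server-side; the bug is independent of it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class BuggySite:
    """Each form truncates to its own maxlength, so the two hashes never match."""

    def __init__(self) -> None:
        self.salt = os.urandom(16)
        self.stored: bytes | None = None

    def change_password(self, new_password: str) -> None:
        self.stored = _hash(new_password[:CHANGE_FIELD_MAX], self.salt)

    def login(self, password: str) -> bool:
        if self.stored is None:
            return False
        candidate = _hash(password[:LOGIN_FIELD_MAX], self.salt)
        return hmac.compare_digest(candidate, self.stored)


class FixedSite:
    """One limit shared by every entry point; over-long input is rejected, never cut."""

    MAX_LEN = 64  # assumption: a single generous limit applied on change and on login

    def __init__(self) -> None:
        self.salt = os.urandom(16)
        self.stored: bytes | None = None

    def _check(self, password: str) -> None:
        if len(password) > self.MAX_LEN:
            raise ValueError(f"password longer than {self.MAX_LEN} characters")

    def change_password(self, new_password: str) -> None:
        self._check(new_password)
        self.stored = _hash(new_password, self.salt)

    def login(self, password: str) -> bool:
        self._check(password)
        if self.stored is None:
            return False
        return hmac.compare_digest(_hash(password, self.salt), self.stored)


def find_working_length(site, password: str) -> int:
    """Mimic the poster's recovery: shorten the password until change + login agree.

    Returns the longest prefix length that can be set and then used to log in,
    i.e. the effective limit imposed by the most restrictive form (0 if none works).
    """
    for n in range(len(password), 0, -1):
        site.change_password(password[:n])
        if site.login(password[:n]):
            return n
    return 0


if __name__ == "__main__":
    pw = "abcdefghijklmnopqrstuvwxy"  # constructed 25-character example password
    buggy = BuggySite()
    buggy.change_password(pw)
    print("buggy site, 25-char login:", buggy.login(pw))          # False
    print("buggy site, usable length:", find_working_length(buggy, pw))  # 20
    fixed = FixedSite()
    fixed.change_password(pw)
    print("fixed site, 25-char login:", fixed.login(pw))          # True
```

The point of `FixedSite` is not the 64-character figure but that both forms apply the same check and refuse rather than truncate: silent truncation on either side is what turns a valid password change into a lockout.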
It is really much worse than you understand. Sites change their criteria. Tech support never knows. Not only is length changed, but also acceptable characters. I've had to change my login here twice because of changing criteria. I've finally made a 16-character, no-symbols fallback in the generator.
And, it gets worse. If you have logins from apps, there is no reason to believe that the criteria for an Android app logging in somewhere will be the same as for the Windows application. I've been able to log in with my Android device through the browser using the password, but failed with the same password using their app.
Finally, I have only twice had Tech support who had an answer where they could tell me what symbols were excluded. Both times they were wrong.
Remarks: A randomly generated 20 character, case insensitive alphanumeric password (e.g. digits and lower case letters) has a quality of 103 bits. This is more than enough quality for most applications and can tolerate some additional weakening to improve readability and usability. Relatively few pages won't accept a 20 character password (admittedly there are some, and some don't tell you).
If the page requires special characters there is plenty of quality headroom in a 100 bit password to dither the first or last character to comply with site specific password character set requirements.
For randomly generated passwords:
[1] Quality = L*log2(N)
where:
N = character set size
L = password length
Quality of a randomly generated:
20 character case insensitive alphanumeric password is 103 bits
16 character case insensitive alphanumeric password is 83 bits
12 character case insensitive alphanumeric password is 62 bits
(i.e. 21 bits of quality per 4 randomly generated case insensitive alphanumeric characters)
The KeePass quality estimator which relies on a sample size of 1 to estimate quality may show some variability.
[1] See the Wikipedia article on Password Strength for additional details.
Last edit: wellread1 2014-12-11
This whole thread should probably have been headed "Websites - a warning to users" :)
Just like @SteveShank I've seen exactly the same problems and others like it. Some websites will instruct you "Provide a password of at least 12 characters" and when you obey and provide one of, say, 20 characters they object. Then you start the trial and error of knowing what the lower limit is but no idea of what their upper limit is. And what do they consider a 'character'? Oh, don't get me started ... !
@SteveShank: I'm aware of those. Not the Android thing. I don't access any websites via a phone, smart or otherwise. Try this on for size. A site says my password must conform to the following:
at least 8 characters, Upper, Lower, Digit.
I enter 20 character password to those criteria. Nope. I finally find out it has a 15 character max. Kesafi, I guess they figured they were forcing me UP to 8 characters. No need to go much further than that.
@wellread1: Yes. I know the math. The 25 was just an example. And plenty of sites are under 20. (I was going to list several here. But I decided to try to increase their lengths and suffered the very frustration that started my rant.)
One last treat for everyone. A site my work required me to use that housed highly sensitive data had this password requirement:
"Your password must be exactly 8 characters and consist solely of letters and numbers." For some reason, I chose to change my random password often. One time for a lark, I entered only lowercase plus digits. And got in! (That's 8*Log(36)/Log(2)=41 bits!) Fortunately, they've seen the light and now require 10-32 characters and the full character set.
Really it was less aggravating before I discovered password managers and just used really, really bad passwords. ;>
I share your frustration with poorly designed websites. Truncating passwords during the change password operation should never happen. Such sites are troubling especially because they raise the serious possibility that the bad site design carries over into the company's protection of client data. Problems of this nature should be brought to the attention of the company. They can't be intentional.
I also am uncomfortable with posts on the forum that discuss excessively long (or complex) passwords as if they were necessary or normal. I am likely to comment when I see such posts.
While I wouldn't recommend a 41-bit password, an online attack would be difficult. For the attack on a 41-bit password to have a 1% chance of success would require 700 guesses/second 24/7 for 1 year. Adding two randomly generated case insensitive alphanumeric characters would increase the attack difficulty by a factor of 1300 and so on. The real problem of 8 character passwords is that human generated passwords of this length will have much lower quality than 41 bits.
Last edit: wellread1 2014-12-12
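The arithmetic behind wellread1's two posts above (Quality = L*log2(N), the "headroom" for dithering one character to satisfy a special-character rule, and the 700 guesses/second for a 1% chance against a 41-bit password), worked through as an added example that is not part of the original thread. The function names, the 365-day year and the use of Python's `string.punctuation` as the symbol set are assumptions of this example; the formulas themselves are the ones stated in the posts.

```python
import math
import secrets
import string

SECONDS_PER_YEAR = 365 * 24 * 3600  # assumption: non-leap year, attacker never pauses

LOWER_DIGITS = string.ascii_lowercase + string.digits  # N = 36, the thread's alphabet


def quality_bits(length: int, charset_size: int) -> float:
    """Quality = L * log2(N) for a uniformly random password (formula [1] in the thread)."""
    return length * math.log2(charset_size)


def guesses_for_success(bits: float, p: float) -> float:
    """Guesses needed for probability p of hitting a uniformly random password of the given quality.

    Each guess eliminates one of the 2**bits equally likely candidates, so p of the
    space must be searched to reach success probability p.
    """
    return p * 2 ** bits


def rate_for_success(bits: float, p: float, seconds: float) -> float:
    """Guess rate (per second) an online attacker needs to reach probability p within `seconds`."""
    return guesses_for_success(bits, p) / seconds


def quality_after_dither(length: int, charset_size: int, symbol_count: int) -> float:
    """Quality when one position is redrawn from a symbol set of size `symbol_count`.

    The dithered position contributes log2(symbol_count) instead of log2(charset_size);
    the other L-1 positions are untouched. This is the cost of satisfying a
    "must contain a special character" rule on an otherwise alphanumeric password.
    """
    return (length - 1) * math.log2(charset_size) + math.log2(symbol_count)


def generate(length: int, alphabet: str = LOWER_DIGITS) -> str:
    """Uniformly random password from `alphabet`, using the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def dither_last_char(password: str, symbols: str = string.punctuation) -> str:
    """Replace the final character with a random symbol from `symbols`."""
    return password[:-1] + secrets.choice(symbols)


if __name__ == "__main__":
    for length in (20, 16, 12, 8):
        print(f"{length:2d} chars, N=36: {quality_bits(length, 36):.1f} bits")
    print(f"per 4 chars: {quality_bits(4, 36):.1f} bits")
    rate = rate_for_success(41, 0.01, SECONDS_PER_YEAR)
    print(f"41-bit password, 1% in one year: {rate:.0f} guesses/second")
    print(f"two extra chars multiply the work by {36 ** 2}")
    pw = generate(20)
    print(f"20 chars dithered to end in a symbol: {quality_after_dither(20, 36, len(string.punctuation)):.1f} bits")
    print(pw, "->", dither_last_char(pw))
```

Note what the rate calculation does not model: a site that rate-limits or locks out after a handful of failures makes even 700 guesses/second impossible, while a leaked hash database removes the online limit entirely, which is why the poster's "41 bits is survivable online" argument should not be read as an endorsement of 8-character passwords.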
I had one site that would allow a 20 character password on the change page, but the login page had a 16 character limit on the field.
cheers, Paul