It seems like the password limit is set to 60 characters so I’m unable to login to my instance. There probably should be no limit in the app because each server could have different limits set.

    • woelkchen@lemmy.world
      link
      fedilink
      arrow-up
      10
      arrow-down
      2
      ·
      1 year ago

      Computers get faster all the time, making brute force cracking of passwords easier all the time. Password managers don’t care how long a password is. The task of filling it out is the same.

      • Yer Ma@lemm.ee
        link
        fedilink
        arrow-up
        6
        arrow-down
        3
        ·
        1 year ago

        60 character passwords with any amount of complexity would take effectively infinite time to brute, an 18 character password with complex characters would take millions of years… There is no reason to use 60, let alone more than

        • woelkchen@lemmy.world
          link
          fedilink
          arrow-up
          5
          arrow-down
          2
          ·
          1 year ago

          Why make excuses for maximum password lengths? Just let people decided on their own if they want 200 character passwords or not.

          • Yer Ma@lemm.ee
            link
            fedilink
            arrow-up
            4
            arrow-down
            2
            ·
            1 year ago

            Well, there could be very reasonable reasons for the limit, like keeping the hash tables sane, or keeping databases from needing unnecessary padding, but there really isn’t any reasonable reason for needing 60+ characters in passwords

            • woelkchen@lemmy.world
              link
              fedilink
              arrow-up
              4
              arrow-down
              2
              ·
              1 year ago

              Well, there could be very reasonable reasons for the limit, like keeping the hash tables sane, or keeping databases from needing unnecessary padding, but there really isn’t any reasonable reason for needing 60+ characters in passwords

              And how is this the duty of a client app to police that? OP says it’s about being able to log into their own instance and the client app is blocking this.

        • Amju Wolf@pawb.social
          link
          fedilink
          arrow-up
          2
          ·
          1 year ago

          Have you heard about pass phrases ?

          Also, none of those is a sane reason to limit password length. A huge point of hashing is having short, constant length strings on output no matter the input. There’s no limitation or database issue there.

          The only reason to limit password length is actually security (for bad algorithms) and DoS, but that requires a limit in the thousands.

        • snowe@programming.devOP
          link
          fedilink
          arrow-up
          3
          ·
          1 year ago

          Gotcha, well admin passwords are created without using the interface, so it would not be affected by the frontend limits anyway.

      • darklightxi@lemmy.worldM
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        Hey there, like others have mentioned, I think this is a limitation on lemmy’s end which limits the password length up to 60 characters.

        This is the source code for lemmy’s backend if you’re curious. If you think this is not the case, feel free to create a new issue on GitHub and we can take a further look into this! Let me know if you need any more clarification :D

        • snowe@programming.devOP
          link
          fedilink
          arrow-up
          2
          arrow-down
          1
          ·
          1 year ago

          I think that check must be bypassed for admin passwords, or it was instituted after I created programming.dev, because my password is 100 characters and I can log in on every other app perfectly fine. Even if that was the limit, it still should be enforced by the backend on login, not on the frontend, except for maybe initial account creation.

          • darklightxi@lemmy.worldM
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            I think that check must be bypassed for admin passwords, or it was instituted after I created programming.dev

            That could be a possibility - we can do some tests to verify if that’s the case. I found this related issue which might indicate that all auth flows through the same logic.

            Even if that was the limit, it still should be enforced by the backend on login, not on the frontend

            Unfortunately, that might not be the case. Dessalines mentioned in this comment that the backend doesn’t truncate overly long passwords, and throws an error instead. Although, as you mentioned, this might be bypassed for admin users.

            Either way, I think we can take a deeper look at this and verify this information! Feel free to create a new issue for this on GitHub if you’re able to so that we can track this issue better.

  • micahmo@programming.devM
    link
    fedilink
    arrow-up
    3
    arrow-down
    1
    ·
    1 year ago

    Hi all,

    Continuing the discussion from GitHub… Here is the PR I opened.

    https://github.com/thunder-app/thunder/pull/766

    However, there’s still some discussion to be had about whether this is the right change.

    @snowe, a couple questions…

    Thanks!!

    • darklightxi@lemmy.worldM
      link
      fedilink
      arrow-up
      4
      ·
      1 year ago

      I believe Jerboa also has this character limit as mentioned in this PR. It seems like they truncate the password to take the first 60 characters if it’s too long. This is what Thunder also follows as of right now, except it’s shown explicitly to the user in the login modal

  • shortwavesurfer@monero.town
    link
    fedilink
    arrow-up
    1
    ·
    1 year ago

    Its looking like this may be fixed. Here is a recent chat from micahmo in the thunder general chat on matrix

    I Just noticed that this was posted by the snowe, the admin of programming.dev, which is the instance I use haha! Just thought it was cool that he used Thunder!

    I read through that thread, and regardless of whether there’s a limit or not, or there’s an issue with the backend, etc., etc., I think it makes sense to remove the limit in Thunder. Specifically, snowe said this:

    I can log in on every other app perfectly fine

    If we were facilitating account creation, then sure maybe we should do a little more validation. But for login, I say let the user type whatever they want and let the backend handle it.

    I’ll open a quick PR to remove this limit. Of course, up to Hamlet, if you agree. 😊