Weak password? I'm confused

Forums › Off topic › Weak password? I'm confused

ANglEAUT

altered-ego
2436 posts

Uber Geek
+1 received by user: 842

Trusted

Lifetime subscriber

#303657 25-Feb-2023 22:32

❓ Why is this system telling me that 40 random characters is a weak password?

Yes, this 12 character password is strong?

Please keep this GZ community vibrant by contributing in a constructive & respectful manner.

michaelmurfy

meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator

ID Verified

Trusted

Lifetime subscriber

#3041997 25-Feb-2023 22:39

“Cannot extend 40 characters”

Highly likely they’ve got limitations that can’t support longish passwords. In those cases I’ll do any number between 5-10 less than what their maximum requirements are as the password is still long and secure.

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

Behodar

11096 posts

Uber Geek
+1 received by user: 6075

Trusted

Lifetime subscriber

#3042001 25-Feb-2023 22:55

That password doesn't exceed 40 characters. I can see no logical reason for it to have failed.

I remember back in the days of reusing the same password for everything, one of the Linux password libraries would always tell me that my password, a random string of letters and numbers, was based on a dictionary word. I'm sure no dictionary word starts with "fn7".

nzkc

1634 posts

Uber Geek
+1 received by user: 1041

#3042003 25-Feb-2023 23:07

Whilst it says "cannot exceed 40 chars" your password is 40 chars. I'd have deleted one character at a time till it accepted it.

As for it showing the 12 char password as secure vs your 40 one as not. I expect that is just poor UI and they're _really_ saying its invalid (outside of their requirements).

ANglEAUT

altered-ego
2436 posts

Uber Geek
+1 received by user: 842

Trusted

Lifetime subscriber

#3042005 25-Feb-2023 23:11

Tried removing just 1 character & it still failed.

Sweet spot seems to be 13-25 characters with a result of "stronger"

Please keep this GZ community vibrant by contributing in a constructive & respectful manner.

nzkc

1634 posts

Uber Geek
+1 received by user: 1041

#3042006 25-Feb-2023 23:12

ANglEAUT:

Tried removing just 1 character & it still failed.

Sweet spot seems to be 13-25 characters with a result of "stronger"

🤷

1024kb

1197 posts

Uber Geek
+1 received by user: 519

ID Verified

Lifetime subscriber

#3042008 26-Feb-2023 00:06

Just because the form field captures passwords, that does not, by any means, imply that the web designer had any knowledge or understanding of password security.

Megabyte - so geek it megahertz

New World

Shop on-line at New World now for your groceries (affiliate link).

wellygary

8810 posts

Uber Geek
+1 received by user: 5287

#3042021 26-Feb-2023 07:53

My first guess would be it doesn’t like the ^ .... ; they’ve already said not to use <> and others so I’m guessing their are a few other “special special” chars not acceptable

rscole86

4999 posts

Uber Geek
+1 received by user: 462

Moderator

Trusted

Lifetime subscriber

#3042022 26-Feb-2023 07:55

They may have set a character limit on that field that's actually less than their password limit. Unless we're looking at your first and last name there?

I think Three Now had a similarly unintelligent password expectations, where the error messages had no relationship to what was being entered.

duckDecoy

946 posts

Ultimate Geek
+1 received by user: 432

Subscriber

#3042147 26-Feb-2023 11:41

Why would they have a 40 char limit? Are they not hashing the user password so they never store the users actual password?

Hammerer

2480 posts

Uber Geek
+1 received by user: 802

Lifetime subscriber

#3042154 26-Feb-2023 12:02

I’d guess that one of the characters is acting as a delimiter and they’re ignoring everything before that character. It is probably the caret (^) which, although it is not a punctuation character, is often used as if it is punctuation.

P.S. I went back to look at the password and it would make sense that the caret is delimiting so your password fails because only 7 characters are evaluated.

Geektastic

18009 posts

Uber Geek
+1 received by user: 8465

Trusted

Lifetime subscriber

#3042459 26-Feb-2023 22:52

I have seen a few recently that cause issues with (in my case Apple's) automatic password generation.

Apple might suggest 45G7-N321-B7F4 for example, which seems pretty secure for most uses.

The site however might insist on Special Characters as well, which Apple won't insert.

Sometimes I have also seen instances where suggested passwords from say One Password have the "wrong" special characters in because for some reason something like & has been disallowed.

AliExpress

Shop now on AliExpress (affiliate link).

neb

11294 posts

Uber Geek
+1 received by user: 10018

Trusted

Lifetime subscriber

#3042520 27-Feb-2023 01:54

ANglEAUT:

Translated:

This server supports SQL injection! See if you can get in and have some fun! Hint: use doubled-up escaped chars, URI encoding, ...

Edited to add: Oh gawd, it's Oracle Cloud isn't it? You'd think they of all sites would know about this stuff.