
Password length restrictions: three bugs for the price of one

Posted 2020-03-15 UTC (timestamp 1584249415)

Edited 2020-03-15 UTC (timestamp 1584249568)
When you sign up for an account here and use a password manager to generate a sensible length password the following error message is displayed (complete with paragraph HTML elements):

    <p>Password must be between 4 and 40 characters long</p>

There are three bugs exposed by that error message:

1. Minimum password length is only 4 characters (should be 12 or 16 depending)
2. Maximum password length is only 40 characters. I use 128 character passwords by default via a password manager. There's no sensible reason to have such an unreasonably short maximum password length -- why don't you want me to have a secure password? I really hope you're hashing using bcrypt/scrypt/argon2/pbkdf2 and not an unsalted hash algorithm like MD5 or any of the SHAs. And please please don't tell me the passwords are stored using reversible encryption...
3. Error message has HTML tags visible.
Nice to see that I'm not the only one irritated by this.
Hi Steve,

Thank you very much for bringing these issues to our attention. We take account security seriously, and password guidance and restrictions for users are a key component of that. The character length limitations are meant as guidelines, and you are correct in saying that an upper limit is unnecessary; we will work on getting that removed as soon as possible or, more likely, increased to a number just bordering on what would be reasonable to send in an HTTP request.

I'll address your points individually:

1. The lower boundary is an absolute minimum, and we will strongly consider increasing that.
2. As mentioned above, there is no need for an arbitrarily low upper limit. I will address your point on password storage: passwords are immediately hashed using bcrypt, and we have and will continue to steadily increase the difficulty of the hash on a regular basis.
3. This is indeed a bug related to the string sanitization component of software that was upgraded somewhat recently. We will resolve this as well.

If you have any more questions, feel free to respond or reach out to team@roll20.net.

Thanks again,
Jeff
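The following is an added worked example, not Roll20's code and not posted by anyone in the thread. It puts the three points above into one place: a length policy with a sensible minimum and a generous but finite maximum (so a request body can't be arbitrarily large), error messages that carry no markup and are escaped exactly once at the output boundary, and a hash record that embeds its own work factor so that "steadily increasing the difficulty" can be done by raising one constant and re-hashing each account the next time its owner logs in. The policy values, the record format and the function names are assumptions made for the example. The thread's storage is bcrypt; this example uses scrypt from Python's standard library purely so it runs without third-party packages, and the pattern is identical for bcrypt. One caveat a practitioner should know when raising the maximum: bcrypt itself only uses the first 72 bytes of the password, so characters beyond that add nothing unless the password is pre-hashed; scrypt, argon2 and PBKDF2 have no such cap.

```python
"""Password policy, plain-text errors, and a work-factor upgrade on login.

Added example for the Roll20 forum thread above; not Roll20's code.
"""
import hashlib
import hmac
import html
import os
from typing import Optional, Tuple

# Policy bounds. These values are assumptions for the example, not Roll20's.
MIN_PASSWORD_LENGTH = 12
MAX_PASSWORD_LENGTH = 1024  # generous, but finite so request bodies stay bounded

# KDF cost as a power of two. The thread discusses bcrypt; this example uses
# scrypt from the standard library so it runs with no third-party package.
# Raising CURRENT_COST is the "increase the difficulty" step; records made at
# a lower cost are upgraded the next time their owner logs in.
CURRENT_COST = 14      # scrypt N = 2**14 (about 16 MiB of memory per hash)
SCRYPT_R, SCRYPT_P, DKLEN = 8, 1, 32
SCRYPT_MAXMEM = 64 * 1024 * 1024


def check_password_policy(password: str) -> Optional[str]:
    """Return a plain-text error message, or None if the password passes.

    Messages contain no markup. Escaping happens once, in render_error, at the
    output boundary, which is what keeps tags from ever showing up literally.
    """
    length = len(password)
    if length < MIN_PASSWORD_LENGTH:
        return f"Password must be at least {MIN_PASSWORD_LENGTH} characters long"
    if length > MAX_PASSWORD_LENGTH:
        return f"Password must be at most {MAX_PASSWORD_LENGTH} characters long"
    return None


def render_error(message: str) -> str:
    """Wrap a message in its HTML element, escaping the text exactly once."""
    return f"<p>{html.escape(message)}</p>"


def _derive(password: str, salt: bytes, cost: int) -> bytes:
    """Derive the stored key; the password's full length is used (no 72-byte cap)."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** cost,
                          r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN, maxmem=SCRYPT_MAXMEM)


def hash_password(password: str, cost: int = CURRENT_COST) -> str:
    """Return a self-describing record: algorithm$cost$salt$key (salt/key in hex)."""
    salt = os.urandom(16)
    return f"scrypt${cost}${salt.hex()}${_derive(password, salt, cost).hex()}"


def verify_password(password: str, record: str) -> Tuple[bool, bool]:
    """Return (matches, needs_rehash) for a stored record."""
    try:
        algo, cost_text, salt_hex, key_hex = record.split("$")
        cost = int(cost_text)
        if algo != "scrypt":
            return False, False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
    except ValueError:
        return False, False
    # Constant-time comparison so timing does not leak how many bytes matched.
    matches = hmac.compare_digest(_derive(password, salt, cost), expected)
    return matches, matches and cost < CURRENT_COST


def login(password: str, record: str) -> Tuple[bool, str]:
    """Verify a login and return (ok, record_to_store).

    When the stored record was made with a lower cost than CURRENT_COST, the
    plaintext is in hand right now, so it is re-hashed at the new cost and the
    caller persists the returned record. A failed login never touches the record.
    """
    ok, needs_rehash = verify_password(password, record)
    if ok and needs_rehash:
        record = hash_password(password)
    return ok, record
```

With bcrypt the record already carries its cost (`$2b$12$...`), so `needs_rehash` is just a comparison of that cost against the current setting; the upgrade-on-login flow is otherwise the same.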