[aur-dev] [PATCH] Remove maxlength on password fields

Stein Magnus Jodal stein.magnus at jodal.no
Thu Nov 24 17:19:29 EST 2011

From c5798e0914075de8eba05ba57992ff23252bd491 Mon Sep 17 00:00:00 2001
From: Stein Magnus Jodal <stein.magnus at jodal.no>
Date: Thu, 24 Nov 2011 22:51:05 +0100
Subject: [PATCH] Remove maxlength on password fields

The password field for login had a maxlength of 128 chars, while the
password fields for account creation and modification, and for password
resetting, had a maxlength of 32 chars. After this change, they will all
behave in the same way.

Users with password managers will often use passwords longer than 32
characters, which was the previous maxlength when creating an account.
Because of the password length, they will copy-paste the password into
the browser. Most browsers do not notify the user that the text he
pasted was cut off after a limit. If the login form also cuts off the
password at the same length, the user will not notice anything until the
site is changed to accept longer passwords, and his full password no
longer matches the password the site has stored. In AUR's case, the
login form accepted passwords of 128 characters in length, so users trying
to use passwords longer than 32 characters will notice the problem when
first trying to log in.

Setting a maximum length on input fields makes sense where the input is
stored directly in a database column that has a limited length. In the
case of password fields, limiting the length makes little sense, as the
password is hashed before being stored. The hash function's output has
constant length, irrespective of the length of the input.

 web/html/passreset.php       |    4 ++--
 web/lib/acctfuncs.inc.php    |    4 ++--
 web/lib/config.inc.php.proto |    1 -
 web/template/login_form.php  |    2 +-
 4 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/web/html/passreset.php b/web/html/passreset.php
index 82be3ef..0792f72 100644
--- a/web/html/passreset.php
+++ b/web/html/passreset.php
@@ -109,11 +109,11 @@ html_header(__("Password Reset"));
 					<td><?php echo __("Enter your new password:"); ?></td>
-					<td><input type="password" name="password" size="30"
maxlength="32" /></td>
+					<td><input type="password" name="password" size="30" /></td>
 					<td><?php echo __("Confirm your new password:"); ?></td>
-					<td><input type="password" name="confirm" size="30" maxlength="32" /></td>
+					<td><input type="password" name="confirm" size="30" /></td>
 			<br />
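Review bot: dropping maxlength on `password` and `confirm` removes only the browser-side cap; the reset handler that consumes these fields still needs a server-side length check, because PASSWD_MAX_LEN is deleted in this same patch and an unbounded field lets any client post a multi-megabyte password straight into the hash function. Keep a generous server-side ceiling (on the order of a kilobyte) next to the existing PASSWD_MIN_LEN check rather than no upper bound at all.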
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index 512e66c..b724580 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -84,7 +84,7 @@ function display_account_form($UTYPE,$A,$U="",$T="",$S="",

 	print "<tr>";
 	print "<td align='left'>".__("Password").":</td>";
-	print "<td align='left'><input type='password' size='30' maxlength='32'";
+	print "<td align='left'><input type='password' size='30'";
 	print " name='P' value='".$P."' />";
 	if ($A != "UpdateAccount") {
 		print " (".__("required").")";
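Review bot: the context line directly after the change, `print " name='P' value='".$P."' />";`, interpolates $P into an HTML attribute without escaping, whereas login_form.php in this same patch runs `$_POST['user']` through htmlspecialchars(..., ENT_QUOTES). Now that the field accepts arbitrary input, either pass $P through htmlspecialchars with ENT_QUOTES or stop echoing the submitted password back into the form at all; the latter is the usual choice for password fields.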
@@ -93,7 +93,7 @@ function display_account_form($UTYPE,$A,$U="",$T="",$S="",

 	print "<tr>";
 	print "<td align='left'>".__("Re-type password").":</td>";
-	print "<td align='left'><input type='password' size='30' maxlength='32'";
+	print "<td align='left'><input type='password' size='30'";
 	print " name='C' value='".$C."' />";
 	if ($A != "UpdateAccount") {
 		print " (".__("required").")";
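Review bot: same issue for `$C` on the context line `print " name='C' value='".$C."' />";`, which is written into the attribute unescaped. Also, with the 32-character cap gone, confirm that the account-processing code compares P and C as full strings rather than a prefix, otherwise a mismatch beyond the old boundary would go undetected.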
diff --git a/web/lib/config.inc.php.proto b/web/lib/config.inc.php.proto
index 1f19651..aef2e34 100644
--- a/web/lib/config.inc.php.proto
+++ b/web/lib/config.inc.php.proto
@@ -15,7 +15,6 @@ define( "URL_DIR", "/packages/" );
 define( "USERNAME_MIN_LEN", 3 );
 define( "USERNAME_MAX_LEN", 16 );
 define( "PASSWD_MIN_LEN", 4 );
-define( "PASSWD_MAX_LEN", 128 );

 # Default language for displayed messages in the web interface.
 define("DEFAULT_LANG", "en");
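Review bot: removing PASSWD_MAX_LEN without a replacement leaves PASSWD_MIN_LEN = 4 as the only bound on passwords. Any remaining reference to PASSWD_MAX_LEN (the line dropped from login_form.php was one) would raise an undefined-constant notice and evaluate to the literal string "PASSWD_MAX_LEN", so grep the tree for the symbol before merging; deployed config.inc.php files that still define it are harmless. Consider renaming the constant to a larger server-side ceiling rather than deleting the notion of an upper bound, so the validation code has one place to read it from.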
diff --git a/web/template/login_form.php b/web/template/login_form.php
index 21bdaa7..194083d 100644
--- a/web/template/login_form.php
+++ b/web/template/login_form.php
@@ -19,7 +19,7 @@ elseif (!$DISABLE_HTTP_LOGIN ||
(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS']))
 		print htmlspecialchars($_POST['user'], ENT_QUOTES);
 	} ?>" />
 	<label for="passwd"><?php print __('Password') . ':'; ?></label>
-	<input type="password" name="passwd" id="passwd" size="30"
maxlength="<?php print PASSWD_MAX_LEN; ?>" />
+	<input type="password" name="passwd" id="passwd" size="30" />
 	<input type="checkbox" name="remember_me" id="remember_me" />
 	<label for="remember_me"><?php print __("Remember me"); ?></label>
 	<input type="submit" class="button" value="<?php  print __("Login"); ?>" />
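Review bot: this hunk and the config.inc.php.proto hunk must land together, since the removed `maxlength="<?php print PASSWD_MAX_LEN; ?>"` line was a use of the constant that hunk deletes; they do in this patch, so do not cherry-pick one without the other. Separately, the login handler that reads `passwd` should apply the same generous server-side upper bound as account creation, so a pathological POST body cannot drive unbounded hashing work on the login path.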


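Server-side handling for the now-unbounded password fields, as an added example that is not part of this patch or of the AUR code base. It assumes PHP 5.5 or later for password_hash()/password_verify(), which postdates the 2011 patch; PASSWD_MIN_LEN mirrors the value in config.inc.php.proto, while PASSWD_MAX_BYTES and BCRYPT_INPUT_LIMIT are hypothetical names introduced here. The constructed inputs reproduce the failure mode from the commit message (truncated at signup, full-length at login) and then show the caveat the message does not mention: a constant-length hash output does not imply unlimited input, because bcrypt uses only the first 72 bytes.

```php
<?php
// Added example, not AUR code. Assumes PHP >= 5.5 for password_hash().
// PASSWD_MIN_LEN mirrors config.inc.php.proto; the other two constants
// are hypothetical names introduced for this example.
define("PASSWD_MIN_LEN", 4);
define("PASSWD_MAX_BYTES", 1024);   // hypothetical: caps hashing work per request
define("BCRYPT_INPUT_LIMIT", 72);   // bcrypt silently ignores bytes past this

// Server-side check that replaces the removed maxlength attribute.
// Returns null when the password is acceptable, otherwise an error message.
function validate_password($password) {
    $len = strlen($password);       // bytes, not characters
    if ($len < PASSWD_MIN_LEN) {
        return sprintf("Password must be at least %d characters.", PASSWD_MIN_LEN);
    }
    if ($len > PASSWD_MAX_BYTES) {
        return sprintf("Password must be at most %d bytes.", PASSWD_MAX_BYTES);
    }
    return null;
}

function store_password($password) {
    return password_hash($password, PASSWORD_DEFAULT);  // bcrypt on PHP 5.5-7.x
}

function check_password($password, $stored_hash) {
    return password_verify($password, $stored_hash);
}

// Constructed candidates: too short, too long, and a realistic long one.
$chosen = str_repeat("correct horse battery staple ", 2);   // 58 chars, > 32
foreach (array("abc", str_repeat("x", 2000), $chosen) as $candidate) {
    $err = validate_password($candidate);
    printf("%4d bytes: %s\n", strlen($candidate), $err === null ? "accepted" : $err);
}

// Pre-patch failure mode: the browser cut the password to 32 characters at
// account creation, but the login form accepted up to 128, so the full
// password never matched what was stored.
$at_signup = substr($chosen, 0, 32);                        // what the browser sent
$hash = store_password($at_signup);
printf("login with full password after truncated signup: %s\n",
       check_password($chosen, $hash) ? "ok" : "FAILS");

// After the patch the same string is used both times, and the stored hash
// is the same size whether the password is 8 or 100 characters.
$hash_short = store_password("hunter2!");
$hash_long  = store_password(str_repeat("x", 100));
printf("hash lengths: %d and %d\n", strlen($hash_short), strlen($hash_long));

// Caveat: constant-length output does not mean unlimited input. bcrypt uses
// only the first BCRYPT_INPUT_LIMIT bytes, so two passwords that agree on
// those bytes verify against each other.
$a = str_repeat("a", BCRYPT_INPUT_LIMIT) . "tail-one";
$b = str_repeat("a", BCRYPT_INPUT_LIMIT) . "tail-two";
printf("bcrypt 72-byte truncation collision: %s\n",
       check_password($b, store_password($a)) ? "yes" : "no");
```

Run with `php example.php`. The design point is that the upper bound moves from the browser, where it is invisible and inconsistent between forms, to one server-side constant that every password-accepting path (create, modify, reset, login) reads; the bound is large enough that password-manager users are never truncated, but still finite so a hostile client cannot feed arbitrarily large input to an expensive hash. If the deployment hashes with bcrypt, document the 72-byte limit or pre-hash the password with SHA-256 before bcrypt so that bytes beyond 72 still count.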