[aur-dev] [PATCH] Remove maxlength on password fields

Lukas Fleischer archlinux at cryptocrack.de
Fri Nov 25 06:16:44 EST 2011 

On Thu, Nov 24, 2011 at 11:19:29PM +0100, Stein Magnus Jodal wrote:
> >From c5798e0914075de8eba05ba57992ff23252bd491 Mon Sep 17 00:00:00 2001
> From: Stein Magnus Jodal <stein.magnus at jodal.no>
> Date: Thu, 24 Nov 2011 22:51:05 +0100
> Subject: [PATCH] Remove maxlength on password fields
> 
> The password field for login had a maxlength of 128 chars, while the
> password fields for account creation and modification, and for password
> resetting, had a maxlength of 32 chars. After this change, they will all
> behave in the same way.
> 
> Users with password managers will often use passwords longer than 32
> characters, which was the previous maxlength when creating an account.
> Because of the password length, they will copy-paste the password into
> the browser. Most browsers does not notify the user that the text he
> pasted was cut of after a limit. If the login form also cuts of the
> password at the same length, the user will not notice anything until the
> site is changed to accept longer passwords, and his full password no
> longer matches the password the site has stored. In AUR's case, the
> login form accepted passwords of 128 characters length, so users trying
> to use longer passwords than 32 characters will notice the problem when
> first trying to log in.
> 
> Setting a maximum length on input fields makes sense where the input is
> stored directly to a database where the database field got a limited
> length. In the case of password fields, limiting the length make little
> sense as the password is hashed before being stored. The hash function's
> output has constant length, irrespective of the length of the input.

Out of curiosity - why would you need a password with more than 32
characters? If you use a password manager and create random passwords
anyway, there's no need to create such long passwords. Assuming that
your password contains lower-case and upper-case letters, as well as
numbers, you won't gain any extra security when using passwords longer
than ~22 characters (it'll be easier to brute-force a MD5 collision than
finding the correct password in this case). Even if we used SHA-1,
passwords with a length of 27 characters would already give you the
maximum amount of security possible.

After all, this patch still sounds reasonable to me. There's (almost) no
loss of performance if we accept longer passwords.

I'll rebase this on the style changes I'm currently working on. Thanks!

> ---
>  web/html/passreset.php       |    4 ++--
>  web/lib/acctfuncs.inc.php    |    4 ++--
>  web/lib/config.inc.php.proto |    1 -
>  web/template/login_form.php  |    2 +-
>  4 files changed, 5 insertions(+), 6 deletions(-)
> 
> diff --git a/web/html/passreset.php b/web/html/passreset.php
> index 82be3ef..0792f72 100644
> --- a/web/html/passreset.php
> +++ b/web/html/passreset.php
> @@ -109,11 +109,11 @@ html_header(__("Password Reset"));
>  				</tr>
>  				<tr>
>  					<td><?php echo __("Enter your new password:"); ?></td>
> -					<td><input type="password" name="password" size="30"
> maxlength="32" /></td>
> +					<td><input type="password" name="password" size="30" /></td>
>  				</tr>
>  				<tr>
>  					<td><?php echo __("Confirm your new password:"); ?></td>
> -					<td><input type="password" name="confirm" size="30" maxlength="32" /></td>
> +					<td><input type="password" name="confirm" size="30" /></td>
>  				</tr>
>  			</table>
>  			<br />
> diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
> index 512e66c..b724580 100644
> --- a/web/lib/acctfuncs.inc.php
> +++ b/web/lib/acctfuncs.inc.php
> @@ -84,7 +84,7 @@ function display_account_form($UTYPE,$A,$U="",$T="",$S="",
> 
>  	print "<tr>";
>  	print "<td align='left'>".__("Password").":</td>";
> -	print "<td align='left'><input type='password' size='30' maxlength='32'";
> +	print "<td align='left'><input type='password' size='30'";
>  	print " name='P' value='".$P."' />";
>  	if ($A != "UpdateAccount") {
>  		print " (".__("required").")";
> @@ -93,7 +93,7 @@ function display_account_form($UTYPE,$A,$U="",$T="",$S="",
> 
>  	print "<tr>";
>  	print "<td align='left'>".__("Re-type password").":</td>";
> -	print "<td align='left'><input type='password' size='30' maxlength='32'";
> +	print "<td align='left'><input type='password' size='30'";
>  	print " name='C' value='".$C."' />";
>  	if ($A != "UpdateAccount") {
>  		print " (".__("required").")";
> diff --git a/web/lib/config.inc.php.proto b/web/lib/config.inc.php.proto
> index 1f19651..aef2e34 100644
> --- a/web/lib/config.inc.php.proto
> +++ b/web/lib/config.inc.php.proto
> @@ -15,7 +15,6 @@ define( "URL_DIR", "/packages/" );
>  define( "USERNAME_MIN_LEN", 3 );
>  define( "USERNAME_MAX_LEN", 16 );
>  define( "PASSWD_MIN_LEN", 4 );
> -define( "PASSWD_MAX_LEN", 128 );
> 
>  # Default language for displayed messages in the web interface.
>  define("DEFAULT_LANG", "en");
> diff --git a/web/template/login_form.php b/web/template/login_form.php
> index 21bdaa7..194083d 100644
> --- a/web/template/login_form.php
> +++ b/web/template/login_form.php
> @@ -19,7 +19,7 @@ elseif (!$DISABLE_HTTP_LOGIN ||
> (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS']))
>  		print htmlspecialchars($_POST['user'], ENT_QUOTES);
>  	} ?>" />
>  	<label for="passwd"><?php print __('Password') . ':'; ?></label>
> -	<input type="password" name="passwd" id="passwd" size="30"
> maxlength="<?php print PASSWD_MAX_LEN; ?>" />

You should try to configure your MUA not to break long lines when
sending patches... The best alternative is to use `git send-email` :)

> +	<input type="password" name="passwd" id="passwd" size="30" />
>  	<input type="checkbox" name="remember_me" id="remember_me" />
>  	<label for="remember_me"><?php print __("Remember me"); ?></label>
>  	<input type="submit" class="button" value="<?php  print __("Login"); ?>" />
> -- 
> 1.7.5.4

More information about the aur-dev mailing list