FAO Lemmy.world admins: inconsistencies with long passwords causing issues with password managers

cross-posted from: https://lemmy.world/post/383055

Scroll to Update Three for a description of what turned out to be the problem, and potential solutions on Lemmy.world's end.

When I visit lemmy.world in either Firefox or Chrome, go to the log in page, enter my credentials, and press the Login button, it changes to a spinner and spins forever. No error is logged to the browser console when I press the button.

On the other hand, when using Jerboa on my phone, I can vote, comment and post just fine. That makes me think it's not an issue with this account.

I was briefly able to log in on my desktop a few days ago, but don't think I did anything differently when it worked.

Update

I tried again with my username lowercased, and with the password copied and pasted instead of autofilled, and it worked despite not working a few seconds earlier when I tried it the usual way. I'm going to log out and see which of the two things it was that made the difference.

Update Two

Copying and pasting the password while leaving the username with mixed case also let me in, so it's somehow related to the password manager autofill.

Update Three

I figured it out. I generated a password longer than lemmy.world's password length limit. When creating the account, it appears to have truncated it to sixty characters. When using the password manager to autofill Jerboa, it's also truncated it to sixty characters. When copying and pasting the password from the password manager manually, it truncated it to sixty characters, too. However, the browser extension autofill managed to include the extra characters, too, so the data in the textbox wasn't correct.

In case an admin or Lemmy developer sees this, I'd recommend:

  • Not limiting the password length. It should be hashed and salted anyway, so it doesn't increase storage requirements if it's huge.
  • Giving feedback when creating an account with a too-long password that it's invalid for being too long instead of simply truncating it. Ideally, the password requirements would be displayed before you'd entered the password, too.
  • As mentioned by one of the commenters, giving feedback when an incorrect password is entered.
ericjmorey,

This is being worked out for a future version of Lemmy/Lemmy-ui https://github.com/LemmyNet/lemmy-ui/issues/1120

antik,

Hey folks, this seems to be a Lemmy issue and not really a Lemmy World issue. For these things you're better off posting to the Lemmy developers' github

https://github.com/LemmyNet/lemmy-ui/issues

Thank you

ericjmorey,

It's a known issue being worked out. https://github.com/LemmyNet/lemmy-ui/issues/1120

Seraphim,

I think this website just hates me. I tried to login in Private Window by manually typing my password and I still get the spinner. I've even changed my password three times with last one using only alphanumeric characters and 14 characters long and nothing works. Only way I was able to login was when I requested password reset.

subtext,

To your point, the UX of having the site not tell the user when they have a password that is too long (or approaching too long), is definitely terrible. Especially for something with users as technologically adept as I’d assume Lemmy users are, and with how abundant password managers are, I doubt yours is the only experience like this.

But I disagree that the password max length needs to be increased. The actual work of hashing the password needs to be done by the server and if someone feeds in Atlas Shrugged as a password that might crash the server (unless other safeguards are put in place). I think 60 characters is enough to outlast the solar system even.

So definitely agree that the UX should be improved, but I’d disagree that we need to increase the max length.

subtext,

A 60 character password has something like 400 bits of entropy… I believe the NSA requires something like 128 bits of entropy for their highest security documents. The amount of security provided by a 60 character password would cost something on the order of $10^111 ($6 * 2^(400-32)) in 2021 dollars[1], or $10^29 for every one of the 10^82 atoms in the universe[2].

So I don’t think anyone is cracking your 60 character password any time soon.

[1] https://blog.1password.com/cracking-challenge-update/
[2] https://www.livescience.com/how-many-atoms-in-universe.html

s38b35M5,

I had a personal banking online account that silently truncated my long password to their unstated maximum character count. I'd change my password and then auto-type would fail. I played with it, dropping characters until it succeeded to find the count then edit my new password profile for that one account.

To each their own, but I'd agree that 60+ characters is a tad excessive for a pseudo-anonymous social media account.
