@halfdan opened this issue on January 20th 2014

The password length is currently kept between 6 and 26 characters. There's really no reason to restrict people in the maximum length of their password. I propose to either completely remove the arbitrary restriction (max characters) or increase it to at least 50.

@anonymous-piwik-user commented on January 20th 2014

I would definitely vote for lifting any restriction on that. Why would anyone even want to restrict more secure passwords?

@gaumondp commented on January 20th 2014

25 letters would take 550 years to brake at 1000 guesses/second.


And a simple sleep(5) in case of bad password would take infinite -1. ;)


@halfdan commented on January 20th 2014

@dalidev, complexity is hardly the point here. A bcrypt approach would definitely make things more secure than the currently used md5. The point here though is that there simply is no reason to have a maximum length for passwords.

@mattab commented on January 21st 2014

These checks are there to make sure the user does not by mistake set the password to some super long string without realizing. Maybe it's a weak justification...

If you do want longer password, no problem, there is a config setting to disable these extra checks: http://piwik.org/faq/troubleshooting/faq_112/

I dont want to simply remove the max length check because, we'd have to change translation string.

@halfdan commented on January 21st 2014

@mattab: That is hardly a solution. The restriction is completely arbitrary and the config setting disables a whole lot of other things as well. It would also disable the minimum length and allow really weak passwords. That's not a solution - sorry.

Changing the translation string isn't really an issue - the warning is only shown when a password is too short. Translation strings are also no reason to not improve Piwik.

People that entered long strings can simply reset their password.

@martin-ueding commented on September 20th 2014

If you worry that passwords are too strong, give them a feedback of the number of characters inserted. In case you use a password manager and copy the string into it, it would just cut if off in case maxlength is used in the HTML form.

@gaumondp A weak hashing algorithm with a sleep workaround might work as long as the database is not breached. Once the database is breached, you will have a bunch of MD5 hashes in the wild with restricted password entropy. They can be cracked on GPUs rather easily. So a stronger hash is the better solution.

@mattab commented on September 20th 2014

Thanks for posting, I agree and increasing priority since it is an easy change. Pull requests are welcome too :+1:

@mattab commented on November 11th 2014

Done in #6632 :+1:

This issue was closed on November 11th 2014
Powered by GitHub Issue Mirror