freerange/jam-coop

Cannot use a 128-character password

Closed this issue · 4 comments

An account cannot be created with a 128-character password.

The error message states that the password is too long, but does not indicate the maximum length.

It would be helpful if the upper limit on the password length were displayed in that message, to save security-conscious users (or at least those with a password manager!) from multiple failed account creation attempts.

Realistically, it's a minor issue, but it would be nice for it to be changed.

(Does the limit apply to the number of unicode code points, or the number of bytes in the password?)

Hi @patsytau. Thanks for reporting this issue. The limit and the validation message are the defaults provided by Rails's built-in has_secure_password. Apparently limitations of the BCrypt hash function mean that passwords are restricted to 72 bytes.

We could customize the error message in en.errors.messages.password_too_long in the locale file. However, I'm slightly curious why they chose not to include the limit in the default version of this message. Anyway, we'll certainly look into it!

Looking into this a bit further, it seems as if the validation error used to say "password is too long (maximum is 72 characters)", but in rails/rails#47708, it was simplified to "password is too long" because talking about the number of characters was deemed inaccurate from a locale/encoding point-of-view, i.e. because the BCrypt limit is 72 bytes not characters.

I suppose we could add custom versions of the error message in different locales and talk about a character limit, but I think I'd prefer to leave it as it stands. Worst case scenario, you can keep trying shorter passwords until the validation check passes...

@chrislo Do you have any thoughts...?
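To make the characters-versus-bytes distinction from the two comments above concrete, here is an added example that is not code from jam-coop or from Rails: a plain-Ruby mirror of the length check that has_secure_password performs. The bcrypt algorithm only uses the first 72 bytes of its input, so Rails rejects longer passwords rather than silently truncating them. The 72 is the value Rails uses (ActiveModel::SecurePassword::MAX_PASSWORD_LENGTH_ALLOWED); the helper names, the error wording and the sample passwords are ours.

```ruby
# Added example (not jam-coop or Rails code): a plain-Ruby mirror of the
# length check behind has_secure_password, showing why the limit is a byte
# count. bcrypt hashes only the first 72 bytes of its input, so Rails refuses
# anything longer instead of silently truncating it.

# Same value as ActiveModel::SecurePassword::MAX_PASSWORD_LENGTH_ALLOWED.
MAX_PASSWORD_BYTES = 72

# Returns nil when the password fits, otherwise an error message that names
# the byte limit and the byte/character count actually supplied.
# (The wording is ours; Rails's default message says only "is too long".)
def password_length_error(password)
  bytes = password.bytesize # UTF-8 encoded length, not the character count
  return nil if bytes <= MAX_PASSWORD_BYTES

  format("is too long (maximum is %d bytes; got %d bytes for %d characters)",
         MAX_PASSWORD_BYTES, bytes, password.length)
end

def password_too_long?(password)
  !password_length_error(password).nil?
end

# Constructed sample passwords: 72 ASCII characters is the longest that fits.
# Multi-byte characters hit the limit sooner: 36 x "é" (2 bytes each in
# UTF-8) fits, 37 do not, and 72 x "é" is 144 bytes despite being 72 characters.
if __FILE__ == $PROGRAM_NAME
  [
    "a" * 128, # the reporter's case
    "a" * 72,
    "a" * 73,
    "é" * 36,
    "é" * 37,
    "é" * 72
  ].each do |pw|
    msg = password_length_error(pw) || "ok"
    puts "#{pw.length.to_s.rjust(3)} chars / #{pw.bytesize.to_s.rjust(3)} bytes: #{msg}"
  end
end
```

Running the script prints one line per sample and makes the point of rails/rails#47708 visible: the same 72-character password passes or fails depending on what it is made of, so a message phrased as "maximum is 72 characters" would be wrong for anyone typing non-ASCII text. If the project ever did customise en.errors.messages.password_too_long, stating the limit in bytes, as the helper above does, is the accurate choice.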

@floehopper it sounds like this could be a bit frustrating for folks who regularly use password managers to generate very long passwords automatically, but I'm inclined to leave it as it is rather than try to explain the difference between characters and bytes in the signup form validation error message. Perhaps if we get the sense this is causing more issues in the future we can link out to a FAQ entry or similar.

It's a minor issue that few people will experience, and for those people, it's likely to be easy to work around. Given the constraints you're under from BCrypt, it makes sense to leave it as-is.

Thanks for looking into it!