Every time you restrict a user in something, ask yourself why you are doing it and who benefits from it. Violating this rule leads to strange and sometimes harmful restrictions. One example is the maximum password length.

A lower bound on length is clearly useful, but who needs an upper bound? Let the user enter at least 200 characters if he wants to; the oddball will be pleased. Worried about the bytes in the POST request? Space in the database? But you (I hope!) store the password hash, which always has a fixed length regardless of the input! Do you think hashing 200-character passwords will kill server performance? Not funny. (Some upper bound is still sensible: a slow password hash fed a multi-megabyte "password" is a cheap way to tie up a CPU, so a limit of a few hundred characters bounds that work without ever inconveniencing a real user. Sixteen does not qualify.)
With all this, the site's creator makes the user:
- perceive and comprehend extra information;
- worry about whether his favourite password exceeds the stated limit;
- count the characters in his 12-character password twice to make sure everything is fine;
- come up with a new password if his favourite was longer (not everyone will hit on the purely programmer-minded solution of dropping the last characters of the password: the result can feel unnatural).

Not only does this input field carefully refuse to accept more than 16 characters, its size is also adjusted to fit. I entered the seventeenth character. Nothing changed on the screen at all. I do not know whether the field scrolled and the dots crawled to the left, or the password was cut off. I am not sure that the field size is 16 characters. Or should I count the dots?
Of course, this is not so scary. The server will carefully cut the password, that's all. I can safely enter my 18 characters every time and not notice the inconvenience. However, some well-known sites went further in their unfriendliness:

I changed the password to my favourite 18-character one and only looked up at the screen after I had seen the dots. I did not notice that the 17th and 18th dots did not appear, because the site decided there were too many of them. I, of course, did not count the dots either. The situation is aggravated by the fact that there is no warning about the maximum password length. As a result, I myself did not notice that I had changed the password not to the one I wanted, but to a shorter one.
Wishing to visit the site the next time, I naively entered the same 18 characters in the login form:

If you count the dots, you will notice that there are 18 of them. Apparently, this form was written by another expert who did not consider it necessary to apply the same length restriction (very reasonable, if only there were no restriction anywhere). Oops: you entered the wrong password, try again. Once again, of course, without any length limit.
I used password recovery twice, at first putting it all down to my own clumsiness (though that would have been a stretch: in the password-setting form you would have to enter the wrong password twice). Only on the third time did I notice that when changing the password, the dots are quietly cut off.
Through a search, I found a similar story in a recent article,
The 21st Century Digital Dinosaur. I think there will be more such stories (including untold ones) than developers might think. By adding a stupid restriction, you can lose a customer out of the blue, while also spending time writing extra code to enforce this restriction.
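The two points above, that the stored hash has a fixed length whatever the password length, and that a change-password form which silently truncates to 16 characters while the login form does not produces exactly the lockout described, can be reproduced in a few lines. The following is an added example written for this page, not code from the site in question or from the original post; the class names, the 256-character upper bound and the 18-character sample password are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Generous upper bound (an assumption for this example): long enough that no
# human-chosen password ever hits it, small enough to bound the KDF's work.
MAX_PASSWORD_LEN = 256
MIN_PASSWORD_LEN = 8
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256. The digest is 32 bytes whatever the input length."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )


def stored_hash_len(password: str) -> int:
    """Length of what actually lands in the database for a given password."""
    return len(hash_password(password, b"\x00" * 16))


class BuggySite:
    """Reproduces the behaviour described in the post: the change-password
    field carries a maxlength of 16 and silently drops everything beyond it,
    while the login form applies no limit at all."""

    FIELD_MAXLENGTH = 16

    def __init__(self) -> None:
        self.salt = os.urandom(16)
        self.stored = b""

    def set_password(self, password: str) -> None:
        truncated = password[: self.FIELD_MAXLENGTH]  # what the browser field does
        self.stored = hash_password(truncated, self.salt)

    def login(self, password: str) -> bool:
        # No truncation here, so an 18-character password never matches.
        return hmac.compare_digest(self.stored, hash_password(password, self.salt))


class FixedSite:
    """Same length policy on both forms, enforced by rejecting, never by truncating."""

    def __init__(self) -> None:
        self.salt = os.urandom(16)
        self.stored = b""

    @staticmethod
    def check_length(password: str) -> None:
        n = len(password)
        if n < MIN_PASSWORD_LEN:
            raise ValueError(f"password must be at least {MIN_PASSWORD_LEN} characters")
        if n > MAX_PASSWORD_LEN:
            raise ValueError(f"password must be at most {MAX_PASSWORD_LEN} characters")

    def set_password(self, password: str) -> None:
        self.check_length(password)  # tell the user, do not silently shorten
        self.stored = hash_password(password, self.salt)

    def login(self, password: str) -> bool:
        # An out-of-range password can never have been set, so refuse it
        # before spending KDF work on it.
        if not MIN_PASSWORD_LEN <= len(password) <= MAX_PASSWORD_LEN:
            return False
        return hmac.compare_digest(self.stored, hash_password(password, self.salt))


if __name__ == "__main__":
    favourite = "correcthorse-18ch!"  # constructed 18-character sample password
    assert len(favourite) == 18
    print("hash length for 5 chars:", stored_hash_len("short"))
    print("hash length for 200 chars:", stored_hash_len("x" * 200))
    buggy = BuggySite()
    buggy.set_password(favourite)
    print("buggy site, same 18 chars at login:", buggy.login(favourite))
    print("buggy site, first 16 chars at login:", buggy.login(favourite[:16]))
    fixed = FixedSite()
    fixed.set_password(favourite)
    print("fixed site, same 18 chars at login:", fixed.login(favourite))
```

On the buggy site the 18-character password fails at login and only its first 16 characters succeed, which is what the post's three rounds of password recovery eventually uncovered. The fixed version applies one limit in both places and reports a violation instead of shortening the input. One more check worth making if the hash in use is bcrypt rather than PBKDF2: bcrypt itself only reads the first 72 bytes of the password, so a site that allows longer passwords must either pre-hash them or tell the user, otherwise it has reintroduced the same silent truncation one layer down.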