
Failure

While working today, I set about to expire various passwords to various hosts, accounts, web services, et cetera.  One of the websites we use here is called SiteGround.

They fail.  In my personal or professional use from here on out, I will not be visiting that site again if I can at all avoid it unless they really change their tune in a big way – and here’s why:

password too long

There is absolutely no reason I (as a web developer) should ever limit my users’ ability to come up with long, complex, secure passphrases for my website.  Additionally, I see no reason that, as an administrator, I should be asked by a third party to trim my passwords.  I could understand if there were hard limits involved, mind you:

  • Maximum input length to *MySQL’s PASSWORD(), MD5(), or SHA() functions
  • Limits on the sizes of GET and POST variables

These are two very good reasons for capping the length of any user-submitted data.  But, if you’re familiar with these sorts of things, you know that it’s not likely anyone will be miffed by those caps anyway.  With a generic (sufficiently random) password generator drawing from all 52 letters (upper case and lower), ten digits (zero through nine inclusive), hyphens and underscores, even just a ten character passphrase gives a guesser less than a one in one quintillion chance.  Yes, that’s “quintillion” – that’s a million trillions.  The only thing I can think of that even comes close to capturing the ridiculous odds against anyone brute-forcing a 10 character base 64 passphrase is the following quote from the new **Star Trek movie (which, by the way, I highly recommend):

“The notion of transwarp beaming [brute forcing that password] is like hitting a bullet with a smaller bullet while wearing a blindfold, whilst riding a horse.”

I’m no cryptographer, for sure.  I’m just a lowly web developer – but even I know that, at around 10 or 20 characters (at base 64), you’re far more likely to be the victim of a social hack than of someone compromising the password randomly or programmatically (excepting vulnerabilities in the hashing algorithm itself).  But that’s not the point.  The point is that there is no decent justification for capping user password sizes other than in scenarios similar to those listed above.  SiteGround’s code monkeys wasted time imposing a maximum string length and generating the above error message.
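To put numbers on the argument above, here is a small added example (mine, not part of the original post) that computes the search space of the 64-symbol alphabet described, and shows that a hash digest has the same fixed size whether the passphrase is 10 or 300 characters long, so storage width is no reason for a length cap. SHA-256 is used only to illustrate the fixed digest size; the constant name and functions are my own.

```python
import hashlib
import math

# The character set from the post: 52 letters, 10 digits, hyphen, underscore.
BASE64_ALPHABET_SIZE = 26 + 26 + 10 + 2  # 64 symbols


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passphrases of exactly `length` symbols."""
    return alphabet_size ** length


def bits_of_entropy(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random passphrase of `length` symbols."""
    return length * math.log2(alphabet_size)


def guess_odds(alphabet_size: int, length: int) -> str:
    """Chance that a single random guess is correct, e.g. '1 in 1.15e+18'."""
    return f"1 in {search_space(alphabet_size, length):.2e}"


def store_password(passphrase: str) -> str:
    """Hex digest a server would store: always 64 hex characters, whatever the
    passphrase length. SHA-256 here only demonstrates the fixed output size;
    real password storage should use a slow, salted KDF (scrypt, Argon2, bcrypt),
    which also produces fixed-size output independent of input length."""
    return hashlib.sha256(passphrase.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # 10 chars is the post's example; 12 and 10 alphanumeric are the two caps
    # mentioned in the updates; 20 is the upper end the post discusses.
    for alphabet, n in ((64, 10), (64, 12), (62, 10), (64, 20)):
        print(f"{n} chars over {alphabet} symbols: {guess_odds(alphabet, n)}, "
              f"{bits_of_entropy(alphabet, n):.1f} bits")
    short = store_password("a-b_c1D2e3")   # constructed 10-char passphrase
    long_ = store_password("x" * 300)      # constructed 300-char passphrase
    print(len(short), len(long_))          # both 64: digest size is fixed
```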

Have you ever come across similarly pointless restrictions?  Have you yourself been made to enforce things like this?  I’d love to hear about it.

*Insert your favorite DBMS (and its suite of hashing/encrypting functions) here.

**I feel compelled to disclose that I am not, nor have I ever been, a Star Trek fan.  Until last Friday.

Update: A certain [undisclosed] financial institution is also limiting their passwords – to 12 characters.

Update: Apparently MySpace limits their passwords to 10 alphanumeric characters (found this out through work).

  1. K.B. Toys
    February 25th, 2010 at 14:28

    I vote we create a little black book of websites that do this…you don’t want to be in the little black book…