The online racing simulator
GAME password max length / characters allowed
Hi.
This is not a "bug", just a suggestion.

After the hack of the Linux Mint forums last 20th February, I am changing all my passwords to "strong" ones (using KeePass), containing all sorts of characters/numbers/symbols/punctuation/etc.

After changing my GAME password just 5 minutes ago (website told me it was successfully changed), I went straight into LFS and obviously couldn't create/join a server.

So I tried to update my password in LFS, but it kept telling me that it doesn't match, and I'm sure it does (even if it's unreadable).
I then went to my account details and changed it again to a very stupid one, but it told me that it was too short, showing a reminder about its min length.



Can we have this textual info expanded so it eventually shows a max length (if any) and the characters allowed?

Thanks.
#2 - Ian.H
There should _never_ be a MAX length for a password! There's simply no reason for this to happen. If there is, then the system has been designed insecurely from the outset. Just saying.. as I recently found this to be an issue with certain big companies that should know better and definitely makes you wonder what format the password would have been stored in (I never created an account there in the end due to this).

Love keepass though, have used it for years.. and I save the kdbx file within my ownCloud client sync dir so I can share it across various devices (not quite as easy with my iPhone however as I have to add the file via iTunes, but the MiniKeePass app on there works nicely too, even if a bit more effort is involved to use it).


Cheers..

Ian
** Best answer **
I've updated the registration and details pages now with a bit more info.

Though I agree you should be able to use an entire phonebook as a password, there are upper limits with LFS. For us it's due to packet sizes. Game passwords are sent in typical LFS packets which are limited in size. But I agree it could be implemented in a stronger manner.
Web passwords are sent to a separate, locked down host that only hashes passwords, very strongly. Also using a packet structure with an upper limit for password. But I think 48 bytes is long enough tbh. With no character type limitation. If you're worried about THAT being broken, then I can enable two factor auth for you ;) (the one-time pass kind, like e.g. Google authenticator tool produces)
#4 - Ian.H
I guess my main reasoning for the no max length is that once you bcrypt the password, the resulting length is constant, regardless of actual password length (heck, even if you were insane and just used bog standard MD5 hashing, the result is constant, though perish the thought of MD5!).

I can kind of understand with regards to game packet sizes though, and 48 bytes as you say, is probably far more than most would ever dream of using (I think one of my local council's sites required no more than 10 chars, and no special chars.. WTF!? ;) ).



Cheers..

Ian
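
Added example, not part of any post above and not LFS code: a limit such as the 48 bytes mentioned in the thread applies to the encoded bytes, so it is checked on the UTF-8 form and an over-long password is rejected rather than truncated, while the stored hash has the same length whatever the input. The NUL-padded field layout, the function names and the use of PBKDF2-HMAC-SHA256 from the standard library (in place of bcrypt) are assumptions.

```python
import hashlib
import hmac
import os
import struct

MAX_PW_BYTES = 48      # upper limit quoted in the thread; field layout is assumed
PBKDF2_ROUNDS = 600_000  # illustrative work factor, not a value from the thread


def encode_password_field(password: str) -> bytes:
    """Return the password as a fixed-size, NUL-padded field, or raise."""
    raw = password.encode("utf-8")
    if not raw:
        raise ValueError("empty password")
    if b"\x00" in raw:
        raise ValueError("NUL byte cannot be told apart from padding")
    if len(raw) > MAX_PW_BYTES:
        # Reject instead of truncating: a silently shortened password is
        # accepted at change time and then fails to match at login.
        raise ValueError(f"password is {len(raw)} bytes, limit is {MAX_PW_BYTES}")
    return struct.pack(f"{MAX_PW_BYTES}s", raw)  # 's' pads with NUL bytes


def decode_password_field(field: bytes) -> bytes:
    """Strip the padding from a received field."""
    if len(field) != MAX_PW_BYTES:
        raise ValueError("wrong field size")
    return field.rstrip(b"\x00")


def hash_password(pw_bytes: bytes, salt: bytes = b"") -> tuple:
    """Return (salt, digest); the digest is 32 bytes for any input length."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw_bytes, salt, PBKDF2_ROUNDS, dklen=32)
    return salt, digest


def verify_password(pw_bytes: bytes, salt: bytes, expected: bytes) -> bool:
    """Recompute the hash and compare in constant time."""
    return hmac.compare_digest(hash_password(pw_bytes, salt)[1], expected)
```

A 40-character password containing accented letters can exceed 48 bytes once encoded, which is why the check counts bytes and not characters.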
Quote from Ian.H: There should _never_ be a MAX length for a password!...

Well, today I've just stumbled on a login form with a 16-character maximum password limit, and a few days ago on another one with a 20 char limit. Go figure.

Anyway thanks Victor, issue solved.
