
Ask HN: Why is PayPal's password length limit still a thing? - _drew_
With over 227 million active PayPal accounts, why is there seemingly no pressure on them to stop enforcing a password length limit?
======
MichaelGG
I've no insight into PayPal. But MS Live aka Passport aka Microsoft Account has
a 16 char, limited character set limitation. I spoke with people that worked
on the system. Basically, sometime a long time ago, someone made some code
that checked this. And over the years, many other parts of the pipeline ended
up coding it and depending upon the same restriction. They're aware of it, but
it's not a worthwhile time investment versus other work. People don't get
hacked because of the limit, they get hacked via phishing, reuse, etc.
Spending time testing, debugging, fixing old code across disparate systems
with possibly different owners is a big cost. There's higher priority work to
be done, even within security.

~~~
tlb
One would hope that plaintext passwords aren't fed through a long pipeline of
legacy systems. As soon as it's hashed, which is the first thing you should
do, length is no longer an issue.

~~~
Someone1234
Microsoft have over five different places you can change a password (all of
which conform to the same set of business rules). That's the issue, it isn't a
pipeline issue, it is that Microsoft consolidated tons of different services
under a Microsoft Account so have a ton of redundant ways of doing something.

Microsoft Accounts/.Net Account/Passports are a huge mess in general that
Microsoft need to fix. Password length restrictions still may not go away even
if they did (for backwards compatibility reasons with older software/hardware
still around).

~~~
teh_klev
Oh don't get me started about this mess. I use Skype for the browser rather
than any of the installable clients. There are days when it's simply not
possible to login when you're redirected around that whole MS "live login"
thing.

Every other time I've logged into an MS site (say my dev account for VS
Community) some other login for something else run by MS breaks... then I have
to go hunting down cookies to delete. I've wasted tens of hours of my life
over the past few years on this crap.

------
eyeball
I also enjoy sites that prevent pasting into password fields. Makes using a
password manager a pita.

~~~
oasisbob
Is this restriction more common in certain countries?

In the US, I've fortunately never seen paste blocked on a login page.
Wondering why.

~~~
adrr
It's common in the US, I see it every couple of weeks. It affected me last night
on the Costco Travel site when creating an account. It let me paste the
password but not the confirm password field.

------
oliwarner
When people make excuses like "engineering time to overhaul the database" I'm
slightly aghast.

They should only need to store a hashed password (of whatever length they
like). The actual length of my password shouldn't matter because it shouldn't
be stored. Expanding the forms to go from 16 characters to 160 characters
should not incur a storage problem.

If that _is_ an issue, they have bigger problems than only allowing 16
characters.

------
throwawayReply
Note that bcrypt has a maximum length well below some of the lengths mentioned
in this thread:

[https://security.stackexchange.com/questions/39849/does-bcrypt-have-a-maximum-password-length](https://security.stackexchange.com/questions/39849/does-bcrypt-have-a-maximum-password-length)

Given this, it seems reasonable to restrict input below a length where the
password will become (effectively) truncated by blowfish.

That length is also well above 10 characters however.

~~~
lightbyte
A common method I've seen to get around that is to first hash the password
with something like SHA512 before applying bcrypt. This allows you to use
longer passwords as well as setting them all to a constant length for bcrypt
(which can potentially remove a DDoS vector).
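As an added illustration (not code from the thread), this Python models the 72-byte cutoff that lightbyte's pre-hash works around and builds a pre-hash that yields a fixed-length, NUL-free bcrypt input. It uses HMAC-SHA-256 with a server-side pepper rather than bare SHA-512; `PEPPER` and the function names are made up for the example, and bcrypt itself is not called because that needs the third-party `bcrypt` package.

```python
import base64
import hashlib
import hmac

# bcrypt (via the Blowfish key schedule it is built on) only consumes the
# first 72 bytes of the password; anything beyond that is silently ignored.
BCRYPT_MAX_BYTES = 72

# Hypothetical server-side secret ("pepper"); in production load it from a
# secrets store rather than hard-coding it.
PEPPER = b"example-pepper-not-for-production"


def bcrypt_effective_input(password: str) -> bytes:
    """Model what bcrypt actually keys on: UTF-8 bytes, cut at 72.

    Two passwords that agree on their first 72 bytes map to the same input,
    so plain bcrypt verifies them as the same password.
    """
    return password.encode("utf-8")[:BCRYPT_MAX_BYTES]


def prehash_for_bcrypt(password: str, pepper: bytes = PEPPER) -> bytes:
    """Reduce a password of any length to a fixed 44-byte bcrypt input.

    HMAC-SHA-256 binds the pre-hash to a server secret, and base64 keeps the
    result ASCII with no 0x00 byte (C bcrypt implementations stop at NUL).
    44 bytes stays under the 72-byte cutoff; hex SHA-512 (128 chars) or
    base64 SHA-512 (88 chars) would themselves be truncated by bcrypt.
    """
    digest = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest)  # 32 raw bytes -> 44 ASCII bytes


def truncation_collision(pw_a: str, pw_b: str) -> bool:
    """True when plain (un-pre-hashed) bcrypt would treat pw_a and pw_b alike."""
    return bcrypt_effective_input(pw_a) == bcrypt_effective_input(pw_b)


if __name__ == "__main__":
    # Constructed inputs: identical for 87 chars, differing only at char 88.
    long_a = "correct horse battery staple " * 3 + "A"
    long_b = "correct horse battery staple " * 3 + "B"
    print("plain bcrypt collides:", truncation_collision(long_a, long_b))
    print("pre-hashed inputs differ:",
          prehash_for_bcrypt(long_a) != prehash_for_bcrypt(long_b))
```

The bytes returned by `prehash_for_bcrypt` are what you would hand to `bcrypt.hashpw` / `bcrypt.checkpw`; without the pepper, a leaked table of bare SHA-256 pre-hashes would let an attacker skip the bcrypt work factor.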

------
tracker1
Two of three bank sites I log into regularly are limited to 8 alphanumeric
characters; I'm frankly unsure if they even distinguish letter case.

It's probably time to start holding these sites accountable, however anything
that could be proposed as regulation by the gov't on this would be a
clusterfuck in implementation details, so I have bad feelings all around. I
agree that there should be "unlimited" or reasonably limited (64-256 character
limit) in input, since hashing will take care of the rest. Personally, I'd
love to be able to use pass-phrases, i.e., "Because, cookies are awesome!" ...
Most of my "really" secure passphrases are like that (password manager, authy,
etc).

~~~
vorpalhex
Some DBMSs do require a limit... eventually. I think 256 is a reasonable
bound, since that allows very generous pass phrases.

And actually, the NIST password recommendations are very reasonable, at least
currently.

~~~
maxk42
You failed the test. Back to Security 101 with you!

The point being made is that all passwords should be hashed and a hash is
going to be fixed-length. Therefore there should be no limit on password
length beyond, say the limit of the total HTTP POST size -- but you're not
using a megabyte-long password, are you?

~~~
lmm
What meaningful distinction are you drawing between a 1mb limit and a 256
character limit?

~~~
sli
They aren't. They're just referring to the POST request size limit (which
isn't hard set at one megabyte, but that's not their point, either).

------
skookumchuck
I learned long ago in programming that setting arbitrary limits seems simpler
to code, but in the end it is more work. You need to deal with error messages,
error recovery, user instructions, and complaints from users. It's so much
simpler to just allocate memory for whatever size the data happens to be.

Then, you just have to deal with one generic "out of memory" situation.

~~~
MichaelGG
So on a modern machine that might mean a user can submit a 1GB password?

~~~
Klathmon
Your server should still have POST size limitations and other limits to
prevent DoS.

~~~
cdancette
I'm not sure relying on max POST size for password length is a good practice.
It would be hell to debug without a good documentation.

~~~
skookumchuck
> max POST size [...] hell to debug [...]

As I was saying :-)

------
paulpauper
PayPal is so strict that even if one knew the password and email they still
could not spend. PayPal forces phone verification if they don't like the
IP, which is very common. The phone must match the ID of the PayPal account
holder, so using a throwaway number will not work.

~~~
matt_wulfeck
So again if they take it so seriously why enforce such an arbitrary limit on
password length?

~~~
tracker1
Probably weird arbitrary rules around legacy systems... I don't know about
PayPal specifically, they're really too young that it shouldn't be an issue. I
know other banks with account federation have had some systems running that
are severely limited. It's weird all the way around tbh.

I do hope the new NIST recommendations get more weight moving forward, but
banking tends to rely on other authentication/validation routes beyond just
the password to strengthen things. Which is probably okay.. unless your device
is found, and not password protected itself, with a relatively secure
password. Even then...

~~~
sli
2FA would be great, so long as SMS isn't the only option every time. I've
moved to a much more tech savvy bank these days, but there was a long while
where my bank's website was, by a hilariously wide margin, the least secure
website that I regularly visited. It was in fact one of my reasons for
switching banks (the other reasons are not relevant here).

------
illvm
Battle.net passwords are also not case sensitive and have a strange complexity
requirement for similar reasons. Too many code bases implemented it this way
and it's hard to fix it without breaking compatibility with older software.

------
giarc
Same goes for my Bank of Montreal in Canada. I have a credit card through
them, and when I signed up (5-6 years ago) password criteria was 6 characters,
no more, no less.

~~~
deft
AFAIK it's also only numbers...

~~~
hodl
Prime numbers, in ascending order only.

------
lazyjones
I wouldn't be surprised if they shared plaintext passwords with other
entities. They are very useful for identification across multiple accounts.

