When using the password reset form (due to recent events), I noticed that the
form provides no feedback if you attempt to use a password longer than the current
limit of 15 characters (it just cuts off further input). This also applies to
a password change via the "Account Information" page. Since several well-known
password managers (e.g., 1Password, KeePass) generate much longer passwords
by default, a copy-and-paste operation can result in the loss of multiple characters,
thus leaving users with incorrect credentials stored in their password database.
Currently I do not consider this a major issue since the same happens on logon
(too long strings being truncated), so logging in still works.
Some further remarks/recommendations:
- The limit is also applied on the mobile web version (as expected)
- I did not test what happens if a user just forces the web form to send a password
longer than 15 characters (e.g., by using a web proxy)
- Please consider increasing the max. password length to 20+ characters
- Use a well-tested implementation for the much-anticipated multi-factor authentication
upgrade (please do not build that yourself from scratch)
Thank you for your efforts to keep this platform a safe place!
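The behaviour described in the report above, modelled in code as an added example (this is not the platform's code and nothing is known about its actual implementation): a password store that silently cuts input to 15 characters on both set and verify, beside a hardened store that enforces an explicit, larger limit and rejects over-long input instead of truncating it. The 15-character limit is the one reported; the 128-character cap, the user names, the passwords and the PBKDF2-based hashing are assumptions made for the example.

```python
"""Constructed model of silent password truncation versus explicit length checks.

TruncatingPasswordStore reproduces the reported behaviour: characters past the
limit are dropped before hashing, on both password change and login. Because
login truncates in the same way, a 28-character password "still works", but
only its first 15 characters are ever checked. StrictPasswordStore rejects
over-long input with a clear error on set and never matches a prefix on verify.
The storage and hashing here (in-memory dict, PBKDF2-HMAC-SHA256) are
simplified stand-ins, not the platform's real code.
"""
import hashlib
import hmac
import os

TRUNCATING_LIMIT = 15   # limit as reported in the post
HARDENED_LIMIT = 128    # assumed cap for the hardened variant (hypothetical value)
PBKDF2_ROUNDS = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 stand-in for whatever password hash is in use."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class TruncatingPasswordStore:
    """Models the reported behaviour: input beyond 15 characters is dropped silently."""

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}

    def set_password(self, user: str, password: str) -> None:
        truncated = password[:TRUNCATING_LIMIT]          # silent cut, no feedback
        salt = os.urandom(16)
        self._records[user] = (salt, _derive(truncated, salt))

    def verify(self, user: str, password: str) -> bool:
        salt, digest = self._records[user]
        candidate = _derive(password[:TRUNCATING_LIMIT], salt)   # same silent cut on logon
        return hmac.compare_digest(candidate, digest)


class PasswordTooLong(ValueError):
    """Raised so the form can tell the user the limit instead of cutting input."""


class StrictPasswordStore:
    """Hardened variant: explicit limit, explicit error, no prefix matching."""

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}

    def set_password(self, user: str, password: str) -> None:
        if len(password) > HARDENED_LIMIT:
            raise PasswordTooLong(f"password exceeds {HARDENED_LIMIT} characters")
        salt = os.urandom(16)
        self._records[user] = (salt, _derive(password, salt))

    def verify(self, user: str, password: str) -> bool:
        if len(password) > HARDENED_LIMIT:
            return False                                  # reject, never truncate
        salt, digest = self._records[user]
        return hmac.compare_digest(_derive(password, salt), digest)


def demo() -> dict[str, bool]:
    """Constructed sample: a 28-character manager-generated password and its 15-char prefix."""
    full = "correct-horse-battery-staple"          # 28 chars, assumed sample password
    prefix = full[:TRUNCATING_LIMIT]               # "correct-horse-b"

    truncating = TruncatingPasswordStore()
    truncating.set_password("alice", full)
    strict = StrictPasswordStore()
    strict.set_password("alice", full)

    return {
        "truncating_accepts_full": truncating.verify("alice", full),
        "truncating_accepts_prefix": truncating.verify("alice", prefix),      # the weakness
        "truncating_accepts_prefix_plus_junk": truncating.verify("alice", prefix + "XXXX"),
        "strict_accepts_full": strict.verify("alice", full),
        "strict_accepts_prefix": strict.verify("alice", prefix),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the model makes concrete: with silent truncation, every password longer than the limit is equivalent to its first 15 characters, so the extra characters a password manager generates add nothing, and a user who stores the full string has no way to notice. The hardened variant makes the limit visible at set time and treats over-long input at verify time as a plain failure. One caveat when raising the cap: if the backend hash is bcrypt, its input is limited to 72 bytes, so the enforced limit must stay at or below that (or the input must be pre-hashed) to avoid re-introducing truncation inside the hash itself.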