With the recent security breaches in some major websites (in this case, LinkedIn, but I feel pretty safe just going with “recent” and assuming there’ll have been one around the time you read this), password security is getting a little bit more attention.
OK, I said “a little” – as one developer told me, “LinkedIn’s password leaked so I had to change my password 30 times,” to which I replied, correctly, “no, you changed the same password 30 times.” In the age of kick-ass, multi-platform password management apps, there’s really no reason not to use a different password on every website, and it doesn’t have to be one that’s cleverly based on the name of the site, like “gmail44secret.” I have no idea what my passwords are anymore, and I find that liberating.
And since I’ve got cut and paste on every platform I use my password manager on, there’s no reason not to use longer passwords, like, say, 30 characters.
OK, there is one reason (aside from the fact that on rare occasions I have to type something into a browser that I’m reading off of an iPhone) – not all sites support really long passwords.
Some will actively block you, saying, for instance, that the password has to be between 8 and 12 characters. But others, I’m finding, will just take your really long password and never work.
And frankly, that’s for the best, since it highlights some likely underlying problems. I can’t prove it, but I suspect that some of these sites are taking the password and storing it into a database field that’s been declared with too few characters.
In that case, the password is saved, but only the first n characters. The rest are truncated. Which means the subsequent user validation call won’t work.
It should be obvious that storing cleartext passwords is capital B Bad, but it’s ridiculously common. Even with some forms of encryption, the length of what’s stored is dependent on the length of the submitted password, so you’re still vulnerable to truncation.
Like I said, I can’t prove it, but I’ve found a few sites that will accept, but not honour, my 30-character passwords, and that’s the only theory I can come up with as to why. I wish it weren’t so, but we tend to think everyone does what we do, so if the dev/QA team uses 5-character passwords, it simply won’t occur to them to try really large ones.
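The truncation theory above, reproduced as an added example (my own code, not from any of the sites in question): a constructed 12-character password column silently cuts a 30-character cleartext password so login fails, while a salted PBKDF2 hash stores a fixed 32-byte digest whose size is known up front, so the column can be sized to fit regardless of how long the password is. SQLite does not enforce VARCHAR widths, so the truncation is emulated explicitly.

```python
import hashlib
import hmac
import os
import sqlite3

COLUMN_WIDTH = 12  # constructed: emulates a VARCHAR(12) password column


def _truncate(value: str) -> str:
    # What a too-narrow column does to the submitted password: keeps the
    # first COLUMN_WIDTH characters and silently drops the rest.
    return value[:COLUMN_WIDTH]


def register_cleartext(db, user, password):
    # The "Bad" design: cleartext password, stored length depends on input length.
    db.execute("INSERT INTO users_clear VALUES (?, ?)", (user, _truncate(password)))


def login_cleartext(db, user, password):
    row = db.execute("SELECT password FROM users_clear WHERE name = ?", (user,)).fetchone()
    return row is not None and row[0] == password  # fails once truncation happened


def _digest(password: str, salt: bytes) -> bytes:
    # Always 32 bytes for SHA-256, whatever the password length.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register_hashed(db, user, password):
    salt = os.urandom(16)
    db.execute("INSERT INTO users_hashed VALUES (?, ?, ?)", (user, salt, _digest(password, salt)))


def login_hashed(db, user, password):
    row = db.execute("SELECT salt, digest FROM users_hashed WHERE name = ?", (user,)).fetchone()
    return row is not None and hmac.compare_digest(row[1], _digest(password, row[0]))


def demo(password: str):
    # Returns (cleartext login succeeded, hashed login succeeded) for one user.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_clear (name TEXT, password TEXT)")
    db.execute("CREATE TABLE users_hashed (name TEXT, salt BLOB, digest BLOB)")
    register_cleartext(db, "alice", password)
    register_hashed(db, "alice", password)
    return login_cleartext(db, "alice", password), login_hashed(db, "alice", password)
```

A dev/QA password of 5 characters passes both paths, which is exactly why the truncating column goes unnoticed until someone registers with something longer than the column.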