How on earth can you both not accept the password I copied from my password safe and tell me that I cannot use the same pasaword again?
How on earth can you both not accept the password I copied from my password safe and tell me that I cannot use the same pasaword again?
Not how password hashing works. Demonstrated with sha256:
hunter2butitsreallylong:a9953dfbfec699349341edc857dcfe5c7a617c81f312cf57297d5b852881bab3hunter2:f52fbd32b2b3b86ff88ef6c490628285f482af15ddcb29541f94bcf526a3f6c7a hash algorithm encompasses all provided data and returns a single fixed length data response
https://en.wikipedia.org/wiki/Cryptographic_hash_function
Any changes, even just removing a few characters, drastically changes the output of the hash function (https://en.wikipedia.org/wiki/Avalanche_effect)
You have no way of knowing a user password when you are storing hashes, you can’t truncate them, and the user password length doesn’t matter (up to a certain point where it’s technologically dumb to hash user input over a certain amount of data)
I do agree however that changing / randomizing your password is important, as someone brute forcing or running rainbow tables etc on a hash dump can quickly attack a common password across different dumps
Ultimately we don’t know the implementation. I’ve seen some bad sites like stealth truncating on the registration form but leaving the login form unbounded so the password you pasted in both times doesn’t work.
Separate issue from truncating, I get suspicious when I see passwords capped to 16-20 chars for the reason you gave that they should be stored as fixed length hashes.
That’s true, there’s no way to know what sort of back asswards string modifications are happening to the password before it makes it to a hashing function, if it ever does. But the OP did say they told him his previous password was too long, and he was required to change it, so they were either storing it in plaintext, or storing the length of it somewhere. One is really really bad, one is weird, but also bad