Redback REDBACK-87

Increase the default max password length

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels: None
    • Number of attachments: 0

      Description

      Getting a message "You must provide a password between 1 and 8 characters in length" with a password that looks like "aaaaaa###" (where "a" is a letter and "#" is a number).
      The passwords should not be limited in length.

          Activity

          Brill Pappin added a comment -

          I would agree that an arbitrary limit doesn't make much sense (which is why this issue exists), however if people are determined to have one then it should be long enough that a nine char password doesn't generate an error... it's simply too short.

          Joakim Erdfelt added a comment -

          Adjusting summary description to fit with request from wsmoak.

          Joakim Erdfelt added a comment -

          Brill, Max.

          All systems have an upper limit.
          Most systems will silently truncate at that limit, making any content after that limit pointless.

          There are always upper limits.
          There will remain upper limits.

          What's left to hammer out ...

          1. Do we state the upper limit in the error messages?
          2. Do we allow the upper limit to be configurable?
          3. Do we emulate other systems and have a hard-coded upper limit that just truncates?
          Brill Pappin added a comment -

          While I understand the argument, this is a Java library and itself doesn't have any such limit beyond the limits of a string or char array.

          That does not mean that there are not limits in stores that Plexus may want to provide an implementation for, however those implementations can handle the requirements of their stores in a way that makes sense for them. This component should not arbitrarily enforce limits that those implementations may or may not need.

          Stores with a "hard coded upper limit" may truncate or use any other pattern that they need to use to satisfy the story they are implementing. To answer your question, here is my opinion:

          1. Do not state the upper limit in the error message, this I think would be a security problem.
          2. Upper limit if there is one must be configurable, preferably in-process so that an application using it (like Archiva) can provide their own limit or allow the user to change it through a UI.
          3. No truncation should occur. Allow implementations to truncate if that is truly what they need to do, but not all implementations will need to truncate and they should not receive a pre-truncated password under any circumstances.
          Jesse McConnell added a comment -

          max password length is now 24 characters

          if anyone feels strongly about doing it a different way at this point, patches are welcome.


            People

            • Assignee: Jesse McConnell
            • Reporter: Brill Pappin
            • Votes: 1
            • Watchers: 1

              Dates

              • Created:
                Updated:
                Resolved: