Closed jridderbusch closed 6 months ago
Which limit would be ok from the BE POV?
According to this source, anything lower than 128 is considered an unnecessary security risk.
Longer passwords provide a greater combination of characters and consequently make it more difficult for an attacker to guess.
Minimum length of the passwords should be enforced by the application. Passwords shorter than 10 characters are considered to be weak ([1]). While minimum length enforcement may cause problems with memorizing passwords among some users, applications should encourage them to set passphrases (sentences or combination of words) that can be much longer than typical passwords and yet much easier to remember.
Maximum password length should not be set too low, as it will prevent users from creating passphrases. Typical maximum length is 128 characters. Passphrases shorter than 20 characters are usually considered weak if they only consist of lower case Latin characters. Every character counts!!
Make sure that every character the user types in is actually included in the password. We've seen systems that truncate the password at a length shorter than what the user provided (e.g., truncated at 15 characters when they entered 20). This is usually handled by setting the length of ALL password input fields to be exactly the same length as the maximum length password. This is particularly important if your max password length is short, like 20-30 characters.
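A backend-side check for the limits quoted above (minimum 10, maximum 128 characters, no silent truncation), added here as an example; it is not this project's code. The PBKDF2 hasher and the deliberately truncating hasher are constructed stand-ins to show the truncation failure the quoted text describes.

```python
import hashlib
import os
import unicodedata

MIN_LENGTH = 10        # shorter passwords are weak (quoted text above)
MAX_LENGTH = 128       # typical maximum: bounds hashing work, still allows passphrases
WEAK_PASSPHRASE = 20   # lowercase-only passphrases below this are flagged


def validate_length(password: str) -> list[str]:
    """Return policy violations for the raw input; an empty list means accepted.
    The input is never shortened: over-long passwords are rejected, not truncated."""
    pw = unicodedata.normalize("NFKC", password)  # composed/decomposed forms count alike
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    letters = pw.replace(" ", "")
    if letters.isascii() and letters.isalpha() and letters.islower() and len(pw) < WEAK_PASSPHRASE:
        problems.append(f"lowercase-only passphrase shorter than {WEAK_PASSPHRASE} characters")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    """Backend hash (constructed example): PBKDF2-HMAC-SHA256 over the full UTF-8 input."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def truncating_hash(password: str, salt: bytes) -> bytes:
    """Constructed faulty hasher that silently keeps only the first 15 characters,
    the truncation failure the quoted text warns about."""
    return hash_password(password[:15], salt)


def every_character_counts(hash_fn, length: int = MAX_LENGTH) -> bool:
    """Self-check: two maximum-length passwords differing only in the last character
    must hash differently; any hasher truncating below `length` fails this."""
    salt = os.urandom(16)
    base = "a" * (length - 1)
    return hash_fn(base + "b", salt) != hash_fn(base + "c", salt)


if __name__ == "__main__":
    print(validate_length("correcthorse"))                 # flagged as a short lowercase passphrase
    print(validate_length("correct horse battery staple"))  # []
    print(every_character_counts(hash_password))           # True
    print(every_character_counts(truncating_hash))         # False
```

Running `every_character_counts` against the real hasher at deploy time catches a backend or input field that quietly drops characters below the advertised maximum.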
Description - What happened?
During the registration process on the "Register Organization - User Details" page, the Login page, etc., it has been observed that not all fields, including the "Password" and "Confirm Password" fields, enforce a character limit. This inconsistency in the application of character limits across form fields could potentially lead to data integrity issues and affect the user experience by allowing overly long inputs in certain critical fields.
Expected Behavior
All fields, especially sensitive ones like "Password" and "Confirm Password," should have a clearly defined and enforced character limit to ensure data consistency, security, and a streamlined user experience.
Observed Behavior
Not all fields on the "Register Organization - User Details" page enforce a character limit, specifically noted in the "Password" and "Confirm Password" fields, allowing users to input excessively long information.
Steps to Reproduce
Context Information
This issue is assigned a high priority due to its potential impact on both security and user experience. Without consistent enforcement of character limits, the application may be vulnerable to various security risks associated with handling excessively long inputs. Additionally, this oversight could lead to a confusing user experience, as users may not receive clear feedback on acceptable input lengths for each field. Addressing this issue promptly will enhance the overall security and usability of the registration process.