Password policy

sderrew

Neither user registration and password reset page for at least the forum and Credit Club state the maximum length of password. Only after examining the source of both pages do I discover that the maximum length appears to be 20 characters. That is, the second, "confirm password", input field is defined as 20 characters, despite the initial "enter password" field being defined as 50 characters.

It says to choose a strong one, but it would appear we are limited to only 20 alphanumeric characters…

You also appear to have a script enabled that attempts to prevent the pasting of passwords, which only encourages the use of "simple" strings.

Former_MSE_Andrea

Thanks for the feedback sderrew.

I've sent it to our Credit Club team and will take a look at the Forum registration page.

MSE_Chris

Hi sderrew

Thanks for your feedback on this. We're aware there's currently a mismatch when entering passwords in that there's essentially a 20 character limit despite the first box allowing for 50 characters. I've raised this with our tech team but at the moment, they're looking at other improvements that can be made but it is on the 'to do' list.

Whilst we still allow for the use of special characters, meaning you're still able to set a complex password, we intentionally prevented the use of pasting into the password field. The logic behind this was to prevent against any 'brute force' attacks on this page. However, as in your case, we're aware a number of our users use 'password managers' to help store passwords.

Ensuring our users accounts remained secure was our top priority which is why on top of this, we also ask users to enter a memorable word. This coupled with the 20 character password limit should be enough to ensure your account remains secure.

I appreciate not being able to use a password manager is frustrating but we'll continue to look at how we can allow these in the future without compromising security.

I hope this answers your question.