SimpleLogin and Proton are cutting down your passwords

SimpleLogin and Proton are cutting down your passwords when you create an account or change your password. They will cut everything that is beyond their password length limit without informing you in any way.

I always used a password from a password manager + password that I have in my head in case my password manager gets compromised, but it was useless because of them cutting down the passwords.

2 Likes

I think their password length limit is 72 characters because they use bcrypt? This is very common behavior from sites that hash passwords actually.

Edit: I mean yes, it’d be nice if they told you. You can also just put the part of the password that you memorize in front of the generated part instead of after to achieve what you want to do. Or use their two password mode which is probably even better suited for that use-case.

1 Like

I used 64 characters and my password still got cut.

1 Like

Technically I think bcrypt is limited to 72 bytes, so I guess if you use non-ASCII characters you could hit the limit earlier. Either way it doesn’t really impact things from a brute-force security perspective.

1 Like

That has to be the case, then. Because I generate the most secure passwords possible in KeePassDX, and they contain all kinds of characters.

Here is an example of my password:
=3;g¨>ý%<A]´+ç*#EÐCPÓ ÕÝgò¯ýh§ö6ïB/v¥i-(ÆIªNFçÌËåëZøbØ)_J*ëUh§áó

2 Likes

What disadvantage would there be to using shorter passwords? It’s not like an attacker is going to crack a randomly generated 50 character password by brute forcing it. If someone did manage to get into your account that’s protected by 50 random char, I’d imagine the password length to not be a factor in that. Of course, it’s debatable where exactly the point is at which increased length doesn’t really improve security anymore, and longer isn’t worse.

100% agree that they should tell you when cutting your password off.

I do also understand a little bit why they don’t. Every time I see a service that has a password length limitation, I wonder to myself “are these people storing passwords in plaintext?” I’d imagine Proton wants to avoid that impression.

2 Likes

Yes and it’s quite unnecessary, why bother the user with things they shouldn’t really have to deal with.
It’s quite like the Apple approach.

It’s nice if they explain it for the sake of transparency in a blog post but no need to actually give the user unnecessary information and warnings or errors even.

If you go above 63 characters in your password it will not let you create an Apple ID. Even Apple doesn’t cut down passwords.

1 Like

Not really what I meant with the apple approach. With that i meant that apple often does things under the hood to secure you like f x. xprotect, who will never tell you it removed a threat.

1 Like

I’m curious though, how do you know passwords are cut down. I just created an account using a 78 character password generated with KeePassXC without issues, and I honestly wouldn’t even noticed if they did cut down my password.

Copy and paste your password and delete some characters from the end of it. If you can log in, it means that your password was cut.

You can basically delete 5 characters from your password, and you will be able to log in, even though you shouldn’t be able to even if you delete or change one character.

3 Likes