SimpleLogin and Proton are cutting down your passwords

SimpleLogin and Proton are cutting down your passwords when you create an account or change your password. They will cut everything that is beyond their password length limit without informing you in any way.

I always used a password from a password manager + a password that I have in my head, in case my password manager gets compromised, but it was useless because of them cutting down the passwords.

2 Likes

I think their password length limit is 72 characters because they use bcrypt? This is very common behavior from sites that hash passwords actually.

Edit: I mean yes, it’d be nice if they told you. You can also just put the part of the password that you memorize in front of the generated part instead of after to achieve what you want to do. Or use their two password mode which is probably even better suited for that use-case.

1 Like

I used 64 characters and my password still got cut.

1 Like

Technically I think bcrypt is limited to 72 bytes, so I guess if you use non-ASCII characters you could hit the limit earlier. Either way it doesn’t really impact things from a brute-force security perspective.

1 Like

That has to be the case, then. Because I generate the most secure passwords possible in KeePassDX, and they contain all kinds of characters.

Here is an example of my password:
=3;gš>Ăœ%<A]ÂŽ+ç*#EÐCPÓ ÕÝgĂČÂŻĂœh§ö6ĂŻB/v„i-(ÆIÂȘNFĂ§ĂŒĂ‹Ă„Ă«ZĂžbØ)_J*Ă«Uh§åó

2 Likes

What disadvantage would there be to using shorter passwords? It’s not like an attacker is going to crack a randomly generated 50 character password by brute forcing it. If someone did manage to get into your account that’s protected by 50 random char, I’d imagine the password length to not be a factor in that. Of course, it’s debatable where exactly the point is at which increased length doesn’t really improve security anymore, and longer isn’t worse.

100% agree that they should tell you when cutting your password off.

I do also understand a little bit why they don’t. Every time I see a service that has a password length limitation, I wonder to myself “are these people storing passwords in plaintext?” I’d imagine Proton wants to avoid that impression.

2 Likes

Yes, and it's quite unnecessary; why bother the user with things they shouldn't really have to deal with?
It's quite like the Apple approach.

It’s nice if they explain it for the sake of transparency in a blog post but no need to actually give the user unnecessary information and warnings or errors even.

If you go above 63 characters in your password it will not let you create an Apple ID. Even Apple doesn’t cut down passwords.

1 Like

Not really what I meant with the Apple approach. With that I meant that Apple often does things under the hood to secure you, like e.g. XProtect, which will never tell you it removed a threat.

1 Like

I'm curious though, how do you know passwords are cut down? I just created an account using a 78 character password generated with KeePassXC without issues, and I honestly wouldn't even have noticed if they did cut down my password.

Copy and paste your password and delete some characters from the end of it. If you can log in, it means that your password was cut.

You can basically delete 5 characters from your password, and you will be able to log in, even though you shouldn’t be able to even if you delete or change one character.

3 Likes
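The two technical points in this thread (bcrypt only hashing the first 72 bytes of the UTF-8 password, so non-ASCII characters hit the limit sooner, and the "delete trailing characters and see if you can still log in" test) can be checked with the following added example. It is not code from the thread or from Proton/SimpleLogin: `SimulatedService`, `surviving_chars` and `deletable_suffix` are hypothetical names, the service is assumed to be bcrypt-backed as speculated above, the sample passwords are constructed, and if the `bcrypt` library is not installed a PBKDF2 stand-in with the same 72-byte cut-off is used.

```python
"""Added example, not code from the thread or from Proton/SimpleLogin: models a
bcrypt-backed login (bcrypt hashes only the first 72 bytes of the UTF-8 password)
and runs the thread's truncation test of deleting trailing characters."""
import hashlib
import os

BCRYPT_MAX_BYTES = 72

try:
    import bcrypt  # real algorithm if the library is installed
except ImportError:  # otherwise a stand-in KDF with the same 72-byte cut-off
    bcrypt = None


def utf8_prefix(password: str, limit: int = BCRYPT_MAX_BYTES) -> bytes:
    """The bytes a bcrypt-based service actually hashes."""
    return password.encode("utf-8")[:limit]


def surviving_chars(password: str, limit: int = BCRYPT_MAX_BYTES) -> int:
    """Number of leading characters that still influence the hash.
    A character counts if at least its first byte lies inside the limit;
    everything after it can be deleted without affecting login."""
    used = 0
    for i, ch in enumerate(password):
        if used >= limit:
            return i
        used += len(ch.encode("utf-8"))
    return len(password)


class SimulatedService:
    """Hypothetical account store that silently truncates like a bcrypt-backed site."""

    def __init__(self) -> None:
        self._db = {}

    def register(self, user: str, password: str) -> None:
        key = utf8_prefix(password)  # the silent cut happens here
        if bcrypt is not None:
            self._db[user] = ("bcrypt", bcrypt.hashpw(key, bcrypt.gensalt(rounds=4)))
        else:
            salt = os.urandom(16)
            self._db[user] = ("pbkdf2", salt, hashlib.pbkdf2_hmac("sha256", key, salt, 1000))

    def login(self, user: str, password: str) -> bool:
        record = self._db.get(user)
        if record is None:
            return False
        key = utf8_prefix(password)
        if record[0] == "bcrypt":
            return bcrypt.checkpw(key, record[1])
        _, salt, digest = record
        return hashlib.pbkdf2_hmac("sha256", key, salt, 1000) == digest


def deletable_suffix(login, user: str, password: str, max_trim: int = 40) -> int:
    """The thread's test: drop trailing characters one at a time and try to log in.
    Returns how many trailing characters can be removed with login still succeeding
    (0 means no truncation was observed)."""
    trimmed = 0
    for k in range(1, max_trim + 1):
        if not login(user, password[:-k]):
            break
        trimmed = k
    return trimmed


# Constructed sample passwords (not real credentials).
ASCII_PW = "".join(chr(33 + (i * 7) % 90) for i in range(80))  # 80 chars, 80 bytes
ACCENTED_PW = "Ä1§ö" * 16  # 64 chars but 112 bytes: 7 bytes per 4 characters


def demo() -> dict:
    svc = SimulatedService()
    svc.register("ascii-user", ASCII_PW)
    svc.register("accented-user", ACCENTED_PW)
    return {
        "ascii": deletable_suffix(svc.login, "ascii-user", ASCII_PW),
        "accented": deletable_suffix(svc.login, "accented-user", ACCENTED_PW),
    }


if __name__ == "__main__":
    print(demo())  # {'ascii': 8, 'accented': 23}
```

The 64-character accented password loses 23 trailing characters even though it is under 72 characters, because only 41 of them fit in 72 bytes of UTF-8; the 80-character ASCII one loses exactly 8. Against a real account the same `deletable_suffix` loop works with any login callback, but keep `max_trim` small so the failed attempts do not trip a lockout.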