DEV Community

Discussion on: What are the worst security practices you've ever witnessed?

Mitch Pomery (he/him)

Password set fields that have a maximum length equal to the max length password they accept.

If you have a max length, your input fields should allow more characters and then error stating the password is too long. I have seen systems that, for reasons that were valid when the decision was made, had low max password lengths. Newer systems that were built on top of it silently truncated passwords to this max length on both setting and validating, so users thought they had longer passwords than they actually had. Increasing users' password lengths then became an issue because you have to allow the increase in both the password set and input fields, but can't, because users could then input what they correctly think their password is and receive an invalid username/password error.
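The failure mode Mitch describes, as an added example that is not part of the original comment: a credential store that silently truncates to a constructed 8-character legacy limit on both the set and the verify path, what happens to existing users when that limit is raised to 64 with the old hashes still in place, a hardened variant that lets the field accept longer input but rejects it with an explicit error instead of truncating, and, as one migration option that goes beyond what the comment proposes, a verify path that falls back to the truncated form once and re-hashes under the new limit. The limits, user names, passwords and PBKDF2 parameters are all constructed for the demo and are not from any real system.

```python
import hashlib
import hmac
import os

LEGACY_MAX = 8    # constructed: the low historical limit the old system enforced
NEW_MAX = 64      # constructed: the raised limit the newer system wants to allow
PBKDF2_ROUNDS = 50_000  # constructed, kept low so the demo runs quickly


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class TruncatingStore:
    """The anti-pattern: silently cut the password to max_len on set AND on verify.

    Limits are counted in characters to match the comment; a byte-based limit
    (as some hashing libraries impose) would need len(password.encode()) instead.
    """

    def __init__(self, max_len: int):
        self.max_len = max_len
        self.users: dict[str, tuple[bytes, bytes]] = {}

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(password[: self.max_len], salt))

    def verify(self, user: str, password: str) -> bool:
        record = self.users.get(user)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(_hash(password[: self.max_len], salt), digest)


class RejectingStore(TruncatingStore):
    """Hardened variant: the input field may accept more, but overlong input is an error."""

    def set_password(self, user: str, password: str) -> None:
        if len(password) > self.max_len:
            raise ValueError(f"password longer than {self.max_len} characters")
        super().set_password(user, password)

    def verify(self, user: str, password: str) -> bool:
        if len(password) > self.max_len:
            return False  # never truncate on the verify path either
        return super().verify(user, password)


def verify_with_legacy_fallback(store: TruncatingStore, user: str, password: str, legacy_max: int) -> bool:
    """Migration option (assumption, not from the comment): after raising the limit,
    accept the truncated legacy form once and immediately re-hash the full password."""
    if store.verify(user, password):
        return True
    if len(password) > legacy_max and store.verify(user, password[:legacy_max]):
        store.set_password(user, password)  # stored hash now covers the full password
        return True
    return False


def silent_truncation_accepts_wrong_tail() -> bool:
    # The user believes a 28-character password is in effect; only "correct " is checked.
    store = TruncatingStore(LEGACY_MAX)
    store.set_password("alice", "correct horse battery staple")
    return store.verify("alice", "correct ANYTHING GOES HERE")  # -> True


def raising_the_limit_locks_user_out() -> bool:
    # Raise the limit on the verify path with the old hashes in place: the real password now fails.
    store = TruncatingStore(LEGACY_MAX)
    store.set_password("alice", "correct horse battery staple")
    store.max_len = NEW_MAX
    return store.verify("alice", "correct horse battery staple")  # -> False


def rejecting_store_errors_instead() -> bool:
    # The hardened store tells the user the password is too long rather than storing a prefix.
    store = RejectingStore(LEGACY_MAX)
    try:
        store.set_password("bob", "correct horse battery staple")
    except ValueError:
        return True
    return False


def legacy_fallback_rehashes() -> tuple[bool, bool]:
    # First login after the raise succeeds via the fallback; afterwards the bare prefix no longer works.
    store = TruncatingStore(LEGACY_MAX)
    store.set_password("alice", "correct horse battery staple")
    store.max_len = NEW_MAX
    first = verify_with_legacy_fallback(store, "alice", "correct horse battery staple", LEGACY_MAX)
    second = store.verify("alice", "correct ")
    return first, second  # -> (True, False)


if __name__ == "__main__":
    print("prefix accepted by truncating store:", silent_truncation_accepts_wrong_tail())
    print("real password accepted after raising limit:", raising_the_limit_locks_user_out())
    print("rejecting store raised on overlong password:", rejecting_store_errors_instead())
    print("fallback login, then prefix-only login:", legacy_fallback_rehashes())
```

The two demo functions on the truncating store reproduce the comment's sequence exactly: any input sharing the first eight characters authenticates, and once the verify path stops truncating, the password the user correctly remembers is rejected because the stored hash covers only the prefix. The fallback is a one-shot bridge, so the window in which the eight-character prefix alone still works closes on the user's next successful login.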