Question password vaults

Apr 16, 2023
I have just installed a password vault - about time! Once I get done with this, I will install my vpn...and then...on the 21st and a half century! I understand how the pwv works - have watched 3 yt videos on it, but, to be honest, I don't understand how websites manage passwords. Is there a maximum number of digits that a password can have for a website? I have noticed that some websites restrict the characters that I can use, i.e. only punctuation and none of the shift+number keys. I HATE the websites that will not let me use the : it is one of my favorite characters. I want to make the password as difficult as possible. Do websites truncate the last x characters, after, say 16 digits? Should I just jump in, or is there some info that will help me manage this process better?
 

Math Geek

If there is a character limit, then the site will tell you as you create the pw. Same as forbidden characters.

You'll get an error telling you whatever the problem is so you can try again. No need to spend any time worrying about it. Make what you want, then adjust if you get any errors.

Remember the site is not saving your actual pw, but a hash of it that is likely much longer than what you type. So no real need to limit it from their end unless you try some crazy long thing.
 
Mar 27, 2024
Well-coded sites will tell you what they need / don't allow. With a misbehaving site, you might have to experiment.

The key is to use a randomly generated password of sufficient length that it cannot be practically cracked even with a weak hash. Using special characters doesn't change things much unless you want to shorten your password as much as possible while retaining the complexity. Since you are using a password manager, you aren't typing those in anyway.

Because of misbehaving sites, once you change your password, you might need to test logging in right away. Some misbehaving sites may allow you to change the password, but don't allow login with the same password. For this, you have to keep guessing what the site doesn't allow. Usually, it's the special characters, or the length. So, for a problematic site, first drop using special characters altogether, then start decreasing the length.

For the lengths, I have encountered 30+, 30, 26, 20, 16 character limits. Thankfully, no service I use allows fewer than that.
 
I have just installed a password vault - about time! Once I get done with this, I will install my vpn...and then...on the 21st and a half century! I understand how the pwv works - have watched 3 yt videos on it, but, to be honest, I don't understand how websites manage passwords. Is there a maximum number of digits that a password can have for a website? I have noticed that some websites restrict the characters that I can use, i.e. only punctuation and none of the shift+number keys. I HATE the websites that will not let me use the : it is one of my favorite characters. I want to make the password as difficult as possible. Do websites truncate the last x characters, after, say 16 digits? Should I just jump in, or is there some info that will help me manage this process better?
While adding characters outside of the typical alphanumerical character set is ideal, the key point to a hard-to-crack password is more about its length than the character possibilities.

For example, an 8-character password with just alphanumeric characters has 218,340,105,584,896 combinations. Sounds like a lot, but with hardware as of 2021, it doesn't cost a whole lot to crack (1Password says about $770 in resources should do it for a password that's gone through 100,000 rounds of a function that obfuscates the password). A high-end GPU could probably crunch it within minutes if not hours. However, if you add four more characters, the combinations increase to 3,226,266,762,397,899,816,960. This is around 14.7 million times harder. Add another four characters for a 16 character password, and now you have something that costs more than the US's GDP in 2023 several times over to crack within your lifetime.

So for now, the minimum recommended password length is 12 characters, because even if you're stuck with alphanumeric characters, it's still relatively prohibitive for a casual hacker to try and crack.

As for how websites store passwords, there's no way to figure it out. You just have to trust they're doing their due diligence.
 
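An added example, not written by any poster in this thread: Python that works the keyspace arithmetic from the replies above, generates a random password within a site's length and character limits, and shows that a salted hash has the same size whatever the password length. The site rules (`max_length`, `forbidden`), the 128-bit target and the use of PBKDF2-HMAC-SHA256 are assumptions for illustration; the thread does not say which hash any site uses.

```python
import hashlib
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits   # 62 symbols
FULL = ALNUM + string.punctuation              # 94 printable ASCII symbols

def keyspace(length, alphabet_size):
    """Number of possible passwords of exactly this length."""
    return alphabet_size ** length

def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)

def min_length(target_bits, alphabet_size):
    """Shortest random password that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def generate(max_length=None, forbidden="", target_bits=128):
    """Random password honouring a site's (assumed) limits.

    Returns (password, entropy_bits) so a length cap's cost is visible.
    """
    alphabet = [c for c in FULL if c not in forbidden]
    length = min_length(target_bits, len(alphabet))
    if max_length is not None:
        length = min(length, max_length)
    password = "".join(secrets.choice(alphabet) for _ in range(length))
    return password, entropy_bits(length, len(alphabet))

def stored_form(password, salt, rounds=100_000):
    """What a site would keep: a fixed-size salted hash (PBKDF2 assumed)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

if __name__ == "__main__":
    print("8 alnum chars :", keyspace(8, len(ALNUM)), "combinations")
    print("+4 chars      : x", keyspace(4, len(ALNUM)))
    print("128 bits needs:", min_length(128, 62), "alnum or",
          min_length(128, 94), "full-set chars")
    # Constructed site rule: no punctuation, 16 characters at most.
    pw, bits = generate(max_length=16, forbidden=string.punctuation)
    print(f"capped site   : {len(pw)} chars, {bits:.1f} bits")
    salt = secrets.token_bytes(16)
    for candidate in (pw, pw * 4):
        print(len(candidate), "chars ->", len(stored_form(candidate, salt)), "hash bytes")
```

Reaching 128 bits takes 20 characters from the full 94-symbol set and 22 from letters and digits alone, so a ban on punctuation costs two characters of length, while a 16-character cap on an alphanumeric password leaves about 95 bits.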