Password length limits and requirements

#1

I use a password manager, so I always make passwords that are very long and complex. It appears that passwords on Cloudflare get truncated to 21 characters. I just spent over an hour trying to log back on to Cloudflare with a too-long password. After filling out about fifty captchas :hot_face: (no joke). I was starting to think I did not know what traffic lights, buses, cars, bicycles and crosswalks were.

So when I finally reset the password, I made it SHORT and without any special characters and was finally able to log in again. This is a bad sign.

Cloudflare: PLEASE display both the min AND MAX password length AND list the special characters which are actually permitted on your password change page. Too often only the minimum length is revealed; we all have to guess how secure we are permitted to make our passwords.

#2

To be fair, there shouldn't be a maximum length in the first place.

I just tried it though and created a dummy account with a 33-character-long password, which was accepted just fine and allowed me to log in. So, I am afraid, I cannot confirm your findings.

#3

Thanks for trying that.

I tried again today and the password no longer truncates at 21 characters (!) so either Cloudflare changed the password prompt or I was hallucinating.

Yesterday I tried it in both FF and Chromium and Cloudflare truncated the PW to 21 characters. To be “safe” I also truncated my password in password safe. This was likely my undoing. My suspicion is that Cloudflare was accepting the entire password in the background yet truncating the display to the user. And after filling out dozens of captchas I was not exactly thinking clearly nor rationally anymore.

One of my concerns with switching to Cloudflare is harassing potential visitors with captchas. Personally, when confronted with these I usually don’t bother unless I must (like yesterday).

#4

I can't say if they had changed anything, but if so, that must have happened in the eight hours between your posting and my response.

I don't want to deny what you experienced, but it would seem somewhat like a coincidence if they had fixed such an issue during that very period.

What do you precisely mean? Visitors to your site wouldn't be presented with a password captcha to your dashboard, and the captcha challenge visitors could potentially receive is unrelated to your password.

#5

I have been using a 64 long password for months, I can log in with it.
