PayPal password requirements

TechnoDan
New Community Member

I changed my PayPal account password today, and I tried to enter a 24 character password, but this password was rejected as being too long. It was stated that my password must be under 20 characters, so I chose a 19 character password and I was successful in changing my password, but why is there a rather low limit on password length? I called PayPal customer service and was told that the limit is 20 characters (not under 20 characters, i.e. 19). I use longer passwords, such as 32 characters on one banking site, so why the limit of only 20 at PayPal?

Bardurc
Contributor

I ran into the same problem today.

I am very curious as to why this is and quite frankly this disturbs me a lot. Programmatically I don't see any reason for the limit. The resulting hash value would be the same length, no matter how long your password is. The only reason to have the limit is if you save the password in cleartext (I strongly assume that this is not the case) and the other reason is...uhm...I can't think of any other reason!!!!!

This limit (along with the lack of 2FA support) makes me question how seriously PayPal takes the security of their users.

PayPal... What is the reason for the 20 character limit?

hiestaa
New Community Member

I wanna back this up with my feedback. My passwords have spaces, and are often 50+ characters long, because they are passphrases, way more secure than a single password.

But your system disallows spaces, and limits to 20 characters. As the other guy said, there is no technical reason for this limitation. Can you take the security of your users seriously and allow longer passwords, or give us a reason why you think this would lower the security of your platform?

AerinNight
New Community Member

+1

I use a password manager, as do many security-conscious people these days, so it's rare for me to use a password that isn't 32 characters of randomly generated junk, that I never use anywhere else. What's almost worse than the low limit is the lack of notice in the password box that this is why my passwords were being rejected. I tried a good 20-30 passwords with various settings before finding this article and realizing that even dropping to 24 chars (which I'd already tried) wasn't far enough.

Seriously. I play stupid web games with better password security than PayPal, a -finances and payments tool-. What the heck?

appmaker
Contributor

My password was rejected because it contains a period. Why would that be disallowed??

James_Nilknarf
Contributor

Same here. The weird part is that I used to have a password with a period in it for the last year. However, a few days ago I was unable to log into my account even though I was 100% sure what my password was (I use a password manager). So I reset my password to another password with a period in it; PayPal's website let me do so.

However, when I tried logging in again later that day I got the same message that my password was not valid. So, I reset again to another password with a period in it. The same thing happened yesterday and so, getting fed up with this, I reset my password to a ridiculously simple password using just a word and an exclamation point. I then tried logging in today just to make sure it was still working and it did. I then did the password reset again back to a more secure password. However, when I got to the point where I wanted a period I got a security message below saying only upper and lower case, numbers and about 5 or 6 special characters were permitted. I noticed that a period was not on the list.

It is very weird to me that it seems a period has not been allowed for years and yet my password contained one for quite some time with no issues until just recently. I find it quite annoying that some sites allow periods and some don't, I never understood why since it seems that the more potential options for a password the more complicated it would be to hack the system.

DarkMikey
New Community Member

This is ridiculous. @Paypal change the requirements to at least allow periods!

calzakk
Contributor

Not just periods. Please allow all characters in passwords. Technically there is absolutely no reason to prevent any characters, just as there is no reason for an arbitrary limit of 20 characters.

Both these problems go against current security best practices: use long passphrases consisting of multiple words, and/or use password managers to generate long strings of random characters (alphanumeric plus symbols).

I'm a software engineer, I know how this works.

PayPal, you're making yourselves look like amateurs.

GAFe
Member
PayPal, this has been an issue for years - FIX THIS!!
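
Added example, not part of any post in this thread and not PayPal's code: the point raised in the replies above (a stored password hash has a fixed size however long the input is, and spaces or periods need no special handling), sketched with Python's standard library. The length bounds, the iteration count and the sample passwords are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

MIN_LENGTH = 8        # assumption: illustrative minimum
MAX_LENGTH = 256      # assumption: generous cap that only bounds hashing cost
ITERATIONS = 600_000  # assumption: PBKDF2-HMAC-SHA256 work factor
DIGEST_BYTES = 32     # stored hash size, independent of password length

# Constructed sample passwords mirroring the lengths and characters in the thread.
SAMPLES = [
    "aB3!" * 6,                                                # 24 characters
    "v3ry.l0ng.p4ss.w1th.per1ods.1n.1t",                       # contains periods
    "correct horse battery staple and six more random words",  # 54 chars, spaces
    "pässwörd mit Leerzeichen.",                               # non-ASCII
]

def normalize(password: str) -> str:
    """NFKC-normalize so the same passphrase matches across keyboards."""
    return unicodedata.normalize("NFKC", password)

def check_policy(password: str) -> None:
    """Length-only policy: no character is rejected, spaces and periods included."""
    length = len(normalize(password))
    if not MIN_LENGTH <= length <= MAX_LENGTH:
        raise ValueError(f"password must be {MIN_LENGTH}-{MAX_LENGTH} characters")

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); only these are stored, never the password."""
    check_policy(password)
    salt = os.urandom(16) if salt is None else salt
    data = normalize(password).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS, dklen=DIGEST_BYTES)
    return salt, digest

def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        _, digest = hash_password(password, salt)
    except ValueError:
        return False
    return hmac.compare_digest(digest, expected)

def stored_lengths() -> set:
    """Digest sizes produced for every sample; one value whatever the input length."""
    return {len(hash_password(p)[1]) for p in SAMPLES}
```

A cap such as `MAX_LENGTH` still has a purpose with a deliberately slow hash, since it bounds the work a single unauthenticated request can force.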