Passwords arbitrarily limited in length

evilrix
Contributor

Can someone please explain to me why PayPal has an arbitrary password limit of just 20 characters? My standard minimum is 30 and this really should be the minimum for something like PayPal. Maybe for less important sites 15-20 is fine, but for a site like PayPal the limit of 20 is too short.


That said, why is there even a limit? Passwords should be hashed and salted using a strong hashing algorithm. No matter what length your password is it will (should!) always end up as a one-way cryptographic hash. So, having an arbitrary limit is nonsense. It's also an upper bound that an attacker can exploit. It reduces the search space of an attack to 20 characters maximum rather than an unknown upper-bound.


I am both baffled and annoyed that PayPal has such an arbitrary limit in place. Yes, I do use 2FA and that is mitigation; however, this is NOT an excuse for poor practices when it comes to passwords. Rather than setting the maximum to 20 they should be setting this as the absolute minimum and have no upper-bound.

I would love to know what PayPal's thinking is behind this.


-e
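The point made in the post above, that a properly hashed password ends up as a fixed-size digest whatever its length, is easy to see in code. The following is an added example, not code from the post or from PayPal: it salts and stretches a password with scrypt from Python's standard library and verifies it with a constant-time comparison. The scrypt cost parameters, the 128-byte cap (a generous bound whose only purpose is to keep a deliberately slow KDF from being fed megabytes of input) and the storage format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Upper bound on the encoded password in bytes. This is not a "20 characters"
# style usability limit; it exists only so a slow KDF cannot be asked to
# process arbitrarily large input. (Assumed value, chosen for illustration.)
MAX_PASSWORD_BYTES = 128
SALT_BYTES = 16
DIGEST_LEN = 32
# scrypt work factors (assumed for illustration; tune to your hardware budget).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive(password: str, salt: bytes) -> bytes:
    """Return a DIGEST_LEN-byte key derived from password and salt.

    The output length is fixed by dklen, so an 8-character password and a
    100-character passphrase both produce exactly DIGEST_LEN bytes.
    """
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    if len(pw) > MAX_PASSWORD_BYTES:
        raise ValueError(f"password longer than {MAX_PASSWORD_BYTES} bytes")
    return hashlib.scrypt(
        pw, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DIGEST_LEN
    )


def hash_password(password: str) -> str:
    """Salt and hash a password into a self-describing storage string.

    Format (assumed, modelled on modular crypt strings):
        scrypt$<N>$<r>$<p>$<salt hex>$<digest hex>
    Storing the parameters alongside the digest lets them be raised later
    without breaking verification of older records.
    """
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = derive(password, salt)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
        if algo != "scrypt":
            return False
        pw = password.encode("utf-8")
        if not pw or len(pw) > MAX_PASSWORD_BYTES:
            return False
        candidate = hashlib.scrypt(
            pw, salt=bytes.fromhex(salt_hex), n=int(n), r=int(r), p=int(p),
            dklen=len(bytes.fromhex(digest_hex)),
        )
    except (ValueError, TypeError):
        return False
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def digest_lengths(*passwords: str) -> list:
    """Hash each password with one shared salt and report the digest sizes."""
    salt = os.urandom(SALT_BYTES)
    return [len(derive(p, salt)) for p in passwords]


if __name__ == "__main__":
    # Constructed sample passwords of 8, 20 and 64 characters.
    print(digest_lengths("hunter22", "a" * 20, "correct horse battery staple " * 2 + "xyzxyz"))
    record = hash_password("a longer passphrase than twenty characters allows")
    print(record)
    print(verify_password("a longer passphrase than twenty characters allows", record))
    print(verify_password("wrong", record))
```

Run as a script it prints three equal digest lengths, a storage record, then True and False. One practical caveat worth knowing when asking a site why it caps length: some password hashing libraries do impose a real limit (bcrypt, for example, only processes the first 72 bytes of input), which is a reason to pick a KDF such as scrypt, PBKDF2 or Argon2 for long passphrases, not a reason to tell users to shorten their passwords.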


GAFe
Member
I also want a satisfactory answer as to why this has not been updated, and the answer needs to be better than “it’s low priority.” Password length limits are not low priority to me! Especially because your users have been asking for this since at least 2017 on this forum. (https://www.paypal-community.com/t5/My-Feedback-for-PayPal/Password-length-limited-to-20-charackters...) Do better, PayPal!