Author: astute | Posted: Nov 20, 2023 04:43 | Subject: Password managers and Bricklink, maximum char | Viewed: 146 times | Topic: Technical Issues

Since the recent security issue we have all recently updated our passwords.
Tl;dr: Bricklink allows for up to 15 char passwords; reduce your password
length in your password manager if you have issues auto-filling.
I updated my BL password from a dated 8 character password to my current
1Password-generated 16 character password.
From there I started noticing issues with logging in using 1Password.
An analysis:
1. You can auto-fill passwords as long as you like during account creation/password
changing without any error, but Bricklink truncates this password after saving
to 15 characters (!!)
2. The password manager happily stores the longer password.
3. When auto-filling during log-in, Bricklink allows the original longer password
to be filled (!!!); it does not truncate/limit the password length. When logging
in it then fails as the original saved password (15 chars) does not match the
filled password (15 chars).
Manually reducing your password to 15 chars allows you to log in fine.
It's not a major issue, but it is not the industry standard for handling passwords.
Bricklink should:
1. Ideally allow longer passwords (15 chars is too short).
2. Ideally properly give an error when trying to enter 15 char passwords during
account creation/password updating, preventing erroneous input.
On the final point I am a bit torn. Automatically truncating the auto-filled
password is not great (as you are amending input), but it is also not easy to provide
an error upon auto-filling too long passwords. In any case, if items 1/2 are resolved,
this item should also be resolved.
And more importantly, I'll continue to advocate for BL to support (and
make mandatory for sellers) 2-factor log-in using an OTP.

Author: yorbrick | Posted: Nov 20, 2023 05:23 | Subject: Re: Password managers and Bricklink, maximum char | Viewed: 44 times | Topic: Technical Issues

| And more importantly, I'll continue to advocate for BL to support (and
| make mandatory for sellers) 2-factor log-in using an OTP.

Why make it mandatory? Many sellers use perfectly good passwords, keep them secure
and do not use them on other sites or enter them in spoof sites. Forcing sellers
to use OTP every time they log in is not appropriate, and may even lead to sellers
remaining logged in when they don't need to be. PayPal, eBay, my banks, none
of these insist on OTP for log-ins. They can remember devices. My banks all have
a second PIN code on top of the password but none require OTP unless I am setting
up new payees or bank transfers.

Author: astute | Posted: Nov 20, 2023 05:59 | Subject: Re: Password managers and Bricklink, maximum char | Viewed: 63 times | Topic: Technical Issues

In Technical Issues, yorbrick writes:
| | And more importantly, I'll continue to advocate for BL to support (and
| | make mandatory for sellers) 2-factor log-in using an OTP.
|
| Why make it mandatory? Many sellers use perfectly good passwords, keep them secure
| and do not use them on other sites or enter them in spoof sites. Forcing sellers
| to use OTP every time they log in is not appropriate, and may even lead to sellers
| remaining logged in when they don't need to be. PayPal, eBay, my banks, none
| of these insist on OTP for log-ins. They can remember devices. My banks all have
| a second PIN code on top of the password but none require OTP unless I am setting
| up new payees or bank transfers.

While many sellers will not respond to phishing emails and keep secure non-reused
passwords, there is always a small percentage of sellers who do not.
The recent attack/abuse has shown the weakness of single-factor authentication.
Many buyers were defrauded by buying on a marketplace they thought was to be
trusted.
Making two-factor authentication for sellers mandatory is a relatively low-barrier
measure that will make the platform much more secure as a whole.
And to your example, PayPal does require 2-factor (but they use SMS or
email as mandatory, OTP as optional). Your bank will have provided you the PIN
over the counter or via snail mail.
If BL is to introduce something, any of the above are fine (although SMS/post
will be too expensive), and e-mail 2FA is fine, but OTP is much better and more
convenient (if you ask me at least).
So really, why not have this extra layer of security which brings so, so much in
terms of security and is such a small effort.

Author: cosmicray | Posted: Nov 20, 2023 06:56 | Subject: Re: Password managers and Bricklink, maximum char | Viewed: 51 times | Topic: Technical Issues

In Technical Issues, astute writes:
| While many sellers will not respond to phishing emails and keep secure non-reused
| passwords, there is always a small percentage of sellers who do not.

We are all born/made differently. Those who do not have a sufficient fear of
the darkness need to wise up, grow up, or (as a last resort) have their toys
taken away from them.
And, BTW, phishing is also now being accompanied by smishing, so there is that
concern.

| The recent attack/abuse has shown the weakness of single-factor authentication.
| Many buyers were defrauded by buying on a marketplace they thought was to be
| trusted.
| Making two-factor authentication for sellers mandatory is a relatively low-barrier
| measure that will make the platform much more secure as a whole.
| And to your example, PayPal does require 2-factor (but they use SMS or
| email as mandatory, OTP as optional). Your bank will have provided you the PIN
| over the counter or via snail mail.

I have not noticed that PayPal requires 2-factor constantly. They do (occasionally)
ask me to perform some security verification/confirmation, but then store sufficiently
secure tokens to not require them for every round trip. It may be that some areas
have regulations requiring more stringent security.

| If BL is to introduce something, any of the above are fine (although SMS/post
| will be too expensive), and e-mail 2FA is fine, but OTP is much better and more
| convenient (if you ask me at least).

Emailed 2-factor is not fine. If you cannot trust one channel of communications,
what makes you think the other one is inherently secure? There is nothing I
can think of, short of a hardware token matching system, that would give me rock-solid
security (and that might be vulnerable to a MitM attack).
Nita Rae

Author: Vosblokjes | Posted: Nov 20, 2023 08:22 | Subject: Re: Password managers and Bricklink, maximum char | Viewed: 50 times | Topic: Technical Issues

In Technical Issues, astute writes:
| And to your example, PayPal does require 2-factor (but they use SMS or
| email as mandatory, OTP as optional). Your bank will have provided you the PIN
| over the counter or via snail mail.

In very rare cases PayPal wants to do an extra factor.
And even then it is possible to cancel, start a new tab and try again; most times
no extra factor is needed.
And my bank, yes, the PIN for my card was sent by snail mail.
But the internet access to my bank account was done via the app and had to be
verified by another factor. After setting a password (only 5 digits) an extra
factor is not needed for another 90 days. Only after those 90 days do I have to
verify it with the extra factor.
And please, don't make it too difficult to log in to BL.
We use 1 laptop, 1 phone and 2 tablets to gain access to BL. It would be a hassle
if the second factor were needed every time.
I could imagine that a 2nd factor would be needed for changing your password,
e-mail address, shipping or payment settings or store terms.
That way a hacked account could not easily be used to defraud others.
And yes, for an account not used for a longer time (say 30 days) a 2nd factor
would be good as well.
And as for the 15 character password:
Is it too short, should it be longer? Don't know.
But there should be a message about it when entering a new password that is longer.

Author: yorbrick | Posted: Nov 20, 2023 09:38 | Subject: Re: Password managers and Bricklink, maximum char | Viewed: 33 times | Topic: Technical Issues

| And to your example, PayPal does require 2-factor (but they use SMS or
| email as mandatory, OTP as optional). Your bank will have provided you the PIN
| over the counter or via snail mail.

PayPal does not require 2FA every time you log in, unless you call using a stored
cookie 2FA.

| If BL is to introduce something, any of the above are fine (although SMS/post
| will be too expensive), and e-mail 2FA is fine, but OTP is much better and more
| convenient (if you ask me at least).
| So really, why not have this extra layer of security which brings so, so much in
| terms of security and is such a small effort.

OTP is a huge pain if you do not have your phone with you. Email 2FA is not very
secure, as if the account has been hacked in the first place, then the seller
is probably stupid enough to use the same password for their email account too.

Author: yorbrick | Posted: Nov 20, 2023 09:40 | Subject: Re: Password managers and Bricklink, maximum char | Viewed: 31 times | Topic: Technical Issues

| The recent attack/abuse has shown the weakness of single-factor authentication.
| Many buyers were defrauded by buying on a marketplace they thought was to be
| trusted.

None of them would have lost any money though if they had paid by PayPal. Those
that think it is fine to pay a stranger by bank transfer will have done though.

Author: astute | Posted: Nov 20, 2023 09:47 | Subject: Re: Password managers and Bricklink, maximum char | Viewed: 33 times | Topic: Technical Issues

In Technical Issues, yorbrick writes:
| | The recent attack/abuse has shown the weakness of single-factor authentication.
| | Many buyers were defrauded by buying on a marketplace they thought was to be
| | trusted.
|
| None of them would have lost any money though if they had paid by PayPal. Those
| that think it is fine to pay a stranger by bank transfer will have done though.

It is clear you prefer to pay 3-5% extra on your orders for the convenience of
not having to enter a second-factor authentication.
Besides the cost of PayPal, it's also not available on all BL stores, nor
is it commonly used across the world. I'd rather use iDeal/IBAN and not need
a PayPal account I need to manage my transactions through (note, not everyone
has a credit card either).
I'd rather save the cash and set up the one-time OTP, which is a breeze to
use if you use password managers now present in Windows, Mac, Android, iOS and
most browsers...

Author: yorbrick | Posted: Nov 20, 2023 10:54 | Subject: Re: Password managers and Bricklink, maximum char | Viewed: 27 times | Topic: Technical Issues

In Technical Issues, astute writes:
| In Technical Issues, yorbrick writes:
| | | The recent attack/abuse has shown the weakness of single-factor authentication.
| | | Many buyers were defrauded by buying on a marketplace they thought was to be
| | | trusted.
| |
| | None of them would have lost any money though if they had paid by PayPal. Those
| | that think it is fine to pay a stranger by bank transfer will have done though.
|
| It is clear you prefer to pay 3-5% extra on your orders for the convenience of
| not having to enter a second-factor authentication.

There is no direct link here. Using PayPal does not stop hacking, and implementing
2FA on Bricklink does not guarantee you will never be defrauded by someone through
a bank transfer.

Author: Brettj666 | Posted: Nov 20, 2023 17:07 | Subject: Re: Password managers and Bricklink, maximum char | Viewed: 31 times | Topic: Technical Issues

That's a wee bit of a false equivalency; no one uses PayPal because they
want to pay 3-5%, they use PayPal because it helps to assure buyers that if they
don't ship, buyers will be covered. Something that isn't assured from
IBAN/transfer methods.
And while people could say "I'd never do that", there's always
a point where someone goes bad.

In Technical Issues, astute writes:
| In Technical Issues, yorbrick writes:
| | | The recent attack/abuse has shown the weakness of single-factor authentication.
| | | Many buyers were defrauded by buying on a marketplace they thought was to be
| | | trusted.
| |
| | None of them would have lost any money though if they had paid by PayPal. Those
| | that think it is fine to pay a stranger by bank transfer will have done though.
|
| It is clear you prefer to pay 3-5% extra on your orders for the convenience of
| not having to enter a second-factor authentication.
| Besides the cost of PayPal, it's also not available on all BL stores, nor
| is it commonly used across the world. I'd rather use iDeal/IBAN and not need
| a PayPal account I need to manage my transactions through (note, not everyone
| has a credit card either).
| I'd rather save the cash and set up the one-time OTP, which is a breeze to
| use if you use password managers now present in Windows, Mac, Android, iOS and
| most browsers...

Author: 1001bricks | Posted: Nov 20, 2023 17:39 | Subject: Re: Password managers and Bricklink, maximum char | Viewed: 27 times | Topic: Technical Issues

| | None of them would have lost any money though if they had paid by PayPal. Those
| | that think it is fine to pay a stranger by bank transfer will have done though.
|
| It is clear you prefer to pay 3-5% extra on your orders for the convenience of
| not having to enter a second-factor authentication.

Hints:
* 75% of my buyers use PayPal, maybe 10% Stripe (quite the same), because it's
SAFE for them. Some benefit from 4x payments using PayPal; on this site I don't
know, but on other places for sure.
* I almost always use PayPal because it's SAFE for me. Especially when buying
in other countries, new or unknown shops, and especially on other sites/platforms.
* IBAN is impossible with EU export.
* PayPal transactions are immediate; I have to wait 24 hrs to create an IBAN
recipient, and apart from recent instant payments, IBANs are credited the next day.
With all those guarantees, plus many other services, our yearly PayPal cost is
lower than our brick and mortar bank, I assure you.

Author: udenbricks | Posted: Nov 20, 2023 07:57 | Subject: Re: Password managers and Bricklink, maximum char | Viewed: 41 times | Topic: Technical Issues

The 15 character max for a BL password is a bottleneck if you want longer passwords
or passphrases.
As astute writes: if you reset your password only the first 15 characters are
stored in Bricklink without your knowledge. So if you put in your new password
in full length it is not accepted.
It is a puzzle then to find the 15 max.
It would be fine if this could be solved.

Author: 1001bricks | Posted: Nov 20, 2023 10:11 | Subject: Re: Password managers and Bricklink, maximum char | Viewed: 31 times | Topic: Technical Issues

| I updated my BL password from a dated 8 character password to my current
| 1Password-generated 16 character password.

1) We know it's normally restricted to 15 chars; playing with longer passwords
is just a way to get into trouble. 15 chars is already very strong; the problem will
always be people setting the minimum and such as "Password1".
2) Being concerned about security and using an online service to store your
passwords (1Password) is just a joke, sorry to say. Of course you can't
believe they could be hacked.

| And more importantly, I'll continue to advocate for BL to support (and
| make mandatory for sellers) 2-factor log-in using an OTP.

Please no!

Author: astute | Posted: Nov 20, 2023 11:24 | Subject: Re: Password managers and Bricklink, maximum char | Viewed: 37 times | Topic: Technical Issues

In Technical Issues, 1001bricks writes:
| | I updated my BL password from a dated 8 character password to my current
| | 1Password-generated 16 character password.
|
| 1) We know it's normally restricted to 15 chars; playing with longer passwords
| is just a way to get into trouble. 15 chars is already very strong; the problem will
| always be people setting the minimum and such as "Password1".
| 2) Being concerned about security and using an online service to store your
| passwords (1Password) is just a joke, sorry to say. Of course you can't
| believe they could be hacked.
|
| | And more importantly, I'll continue to advocate for BL to support (and
| | make mandatory for sellers) 2-factor log-in using an OTP.
|
| Please no!

This is just a case of 'whataboutism'. Sure, 1PW is not perfect; no security
solution is.
Why would you not promote 2FA for sellers? What would be so bad about having
a second factor hash that is securely stored on your mobile phone, so that in the
eventuality that someone guesses/obtains your password there is a second barrier
that prevents them from accessing your account and your store?
Note that several sellers were legally forced to reimburse thousands of euros
of orders that were made in their store while it was being taken over by criminals.
They are being held liable as they operate the store on a marketplace.
You are comfortable that between you and your account is only 15 characters?
You trust your amazing password that much?

Author: astute | Posted: Nov 20, 2023 11:26 | Subject: Re: Password managers and Bricklink, maximum char | Viewed: 34 times | Topic: Technical Issues

In Technical Issues, astute writes:
| In Technical Issues, 1001bricks writes:
| | | I updated my BL password from a dated 8 character password to my current
| | | 1Password-generated 16 character password.
| |
| | 1) We know it's normally restricted to 15 chars; playing with longer passwords
| | is just a way to get into trouble. 15 chars is already very strong; the problem will
| | always be people setting the minimum and such as "Password1".
| | 2) Being concerned about security and using an online service to store your
| | passwords (1Password) is just a joke, sorry to say. Of course you can't
| | believe they could be hacked.
| |
| | | And more importantly, I'll continue to advocate for BL to support (and
| | | make mandatory for sellers) 2-factor log-in using an OTP.
| |
| | Please no!
|
| This is just a case of 'whataboutism'. Sure, 1PW is not perfect; no security
| solution is.
| Why would you not promote 2FA for sellers? What would be so bad about having
| a second factor hash that is securely stored on your mobile phone, so that in the
| eventuality that someone guesses/obtains your password there is a second barrier
| that prevents them from accessing your account and your store?
| Note that several sellers were legally forced to reimburse thousands of euros
| of orders that were made in their store while it was being taken over by criminals.
| They are being held liable as they operate the store on a marketplace.
| You are comfortable that between you and your account is only 15 characters?
| You trust your amazing password that much?

Have you reviewed your commercial insurance policy already? Will your insurance
policy reimburse your losses in case of cyber crime if your e-commerce platform
is not protected by 2FA? Most policies don't.

Author: 1001bricks | Posted: Nov 20, 2023 12:21 | Subject: Re: Password managers and Bricklink, maximum char | Viewed: 36 times | Topic: Technical Issues

| Have you reviewed your commercial insurance policy already? Will your insurance
| policy reimburse your losses in case of cyber crime if your e-commerce platform
| is not protected by 2FA? Most policies don't.

Dear, do I really look like a newbie???

Author: Nubs_Select | Posted: Nov 20, 2023 12:22 | Subject: Re: Password managers and Bricklink, maximum char | Viewed: 32 times | Topic: Technical Issues

| Dear, do I really look like a newbie???

Since you only have 1001 bricks I’d say a strong maybe.

Author: 1001bricks | Posted: Nov 20, 2023 12:26 | Subject: Re: Password managers and Bricklink, maximum char | Viewed: 33 times | Topic: Technical Issues

In Technical Issues, Nubs_Select writes:
| | Dear, do I really look like a newbie???
|
| Since you only have 1001 bricks I’d say a strong maybe.

Fun fact, we'll try to hit both 2M parts and 2M visit count... soon
(I should calculate, laziness oh well).

Author: Nubs_Select | Posted: Nov 20, 2023 12:39 | Subject: Re: Password managers and Bricklink, maximum char | Viewed: 32 times | Topic: Technical Issues

In Technical Issues, 1001bricks writes:
| In Technical Issues, Nubs_Select writes:
| | | Dear, do I really look like a newbie???
| |
| | Since you only have 1001 bricks I’d say a strong maybe.
|
| Fun fact, we'll try to hit both 2M parts and 2M visit count... soon
| (I should calculate, laziness oh well).

Author: 1001bricks | Posted: Nov 20, 2023 12:17 | Subject: Re: Password managers and Bricklink, maximum char | Viewed: 42 times | Topic: Technical Issues

| Why would you not promote 2FA for sellers? What would be so bad about having
| a second factor hash that is securely stored on your mobile phone.

You've no idea how many connections a busy seller has to make, every day,
on a few machines, including programs (third-party or not), APIs... That would mean either
a central mobile phone and people to walk to it, or a few mobiles, with then
a different phone number or the same SIM card: just a hell.

| You are comfortable that between you and your account is only 15 characters?

Yes. I mean, I wouldn't be more comfortable with, say, 28 chars, which is quite the same
problem.

| You trust your amazing password that much?

Yes, and at least I don't have any password online anywhere.

Author: astute | Posted: Nov 20, 2023 16:50 | Subject: Re: Password managers and Bricklink, maximum char | Viewed: 28 times | Topic: Technical Issues

In Technical Issues, 1001bricks writes:
| | Why would you not promote 2FA for sellers? What would be so bad about having
| | a second factor hash that is securely stored on your mobile phone.
|
| You've no idea how many connections a busy seller has to make, every day,
| on a few machines, including programs (third-party or not), APIs... That would mean either
| a central mobile phone and people to walk to it, or a few mobiles, with then
| a different phone number or the same SIM card: just a hell.
|
| | You are comfortable that between you and your account is only 15 characters?
|
| Yes. I mean, I wouldn't be more comfortable with, say, 28 chars, which is quite the same
| problem.
|
| | You trust your amazing password that much?
|
| Yes, and at least I don't have any password online anywhere.

On the first item, you can use the OTP hash on multiple phones shared across
users.
In addition, BL could set sessions to last for days, requiring the OTP only
once in a while on the same device.
For APIs usually API keys are used and are limited to specific functionality,
like syncing inventory.
APIs should have limited capabilities, reducing the attack vector for, for example,
hijacking.

Author: 1001bricks | Posted: Nov 20, 2023 17:18 | Subject: Re: Password managers and Bricklink, maximum char | Viewed: 34 times | Topic: Technical Issues

| On the first item, you can use the OTP hash on multiple phones shared across
| users.
| In addition, BL could set sessions to last for days, requiring the OTP only
| once in a while on the same device.
| For APIs usually API keys are used and are limited to specific functionality,
| like syncing inventory.
| APIs should have limited capabilities, reducing the attack vector for, for example,
| hijacking.

As you're using an online service to keep your passwords (???), I'd
recommend you 2 or 3FA, at least.

Author: yorbrick | Posted: Nov 20, 2023 12:23 | Subject: Re: Password managers and Bricklink, maximum char | Viewed: 35 times | Topic: Technical Issues

| Note that several sellers were legally forced to reimburse thousands of euros
| of orders that were made in their store while it was being taken over by criminals.
| They are being held liable as they operate the store on a marketplace.

Which sellers, and how was this legal action taken against them so fast?

Author: astute | Posted: Nov 20, 2023 16:47 | Subject: Re: Password managers and Bricklink, maximum char | Viewed: 37 times | Topic: Technical Issues

In Technical Issues, yorbrick writes:
| | Note that several sellers were legally forced to reimburse thousands of euros
| | of orders that were made in their store while it was being taken over by criminals.
| | They are being held liable as they operate the store on a marketplace.
|
| Which sellers, and how was this legal action taken against them so fast?

The account hijacking issue has been going on for months, I’m afraid.

Author: yorbrick | Posted: Nov 20, 2023 16:56 | Subject: Re: Password managers and Bricklink, maximum char | Viewed: 39 times | Topic: Technical Issues

In Technical Issues, astute writes:
| In Technical Issues, yorbrick writes:
| | | Note that several sellers were legally forced to reimburse thousands of euros
| | | of orders that were made in their store while it was being taken over by criminals.
| | | They are being held liable as they operate the store on a marketplace.
| |
| | Which sellers, and how was this legal action taken against them so fast?
|
| The account hijacking issue has been going on for months, I’m afraid.

That is irrelevant. Which Bricklink sellers were legally forced to reimburse
thousands of euros of orders that were made in their store because their account
was taken over?

Author: Bjarketrux | Posted: Dec 3, 2023 09:21 | Subject: Re: Password managers and Bricklink, maximum char | Viewed: 34 times | Topic: Technical Issues

I just had the same problem and it took a while to figure out.
I suggest the following:
1. Add validation to the password input (reset and account creation) for max
length.
2. Remove maxlength on the input box as this gives problems when pasting passwords
from e.g. password managers.
3. Optional: Because this is a known problem now, I would add a max length to
the login input so that all long passwords stored will work.
This is just a suggestion.

In Technical Issues, astute writes:
| Since the recent security issue we have all recently updated our passwords.
| Tl;dr: Bricklink allows for up to 15 char passwords; reduce your password
| length in your password manager if you have issues auto-filling.
| I updated my BL password from a dated 8 character password to my current
| 1Password-generated 16 character password.
| From there I started noticing issues with logging in using 1Password.
| An analysis:
| 1. You can auto-fill passwords as long as you like during account creation/password
| changing without any error, but Bricklink truncates this password after saving
| to 15 characters (!!)
| 2. The password manager happily stores the longer password.
| 3. When auto-filling during log-in, Bricklink allows the original longer password
| to be filled (!!!); it does not truncate/limit the password length. When logging
| in it then fails as the original saved password (15 chars) does not match the
| filled password (15 chars).
| Manually reducing your password to 15 chars allows you to log in fine.
| It's not a major issue, but it is not the industry standard for handling passwords.
| Bricklink should:
| 1. Ideally allow longer passwords (15 chars is too short).
| 2. Ideally properly give an error when trying to enter 15 char passwords during
| account creation/password updating, preventing erroneous input.
| On the final point I am a bit torn. Automatically truncating the auto-filled
| password is not great (as you are amending input), but it is also not easy to provide
| an error upon auto-filling too long passwords. In any case, if items 1/2 are resolved,
| this item should also be resolved.
| And more importantly, I'll continue to advocate for BL to support (and
| make mandatory for sellers) 2-factor log-in using an OTP.

Author: Emporiosa | Posted: Dec 3, 2023 10:50 | Subject: Re: Password managers and Bricklink, maximum char | Viewed: 35 times | Topic: Technical Issues

| 2. Ideally properly give an error when trying to enter 15 char passwords during
| account creation/password updating, preventing erroneous input.
| On the final point I am a bit torn. Automatically truncating the auto-filled
| password is not great (as you are amending input), but it is also not easy to provide
| an error upon auto-filling too long passwords. In any case, if items 1/2 are resolved,
| this item should also be resolved.

+1 for this; I understand the 15-char limit if that's a system limitation.
It's already long enough (but if there's no system limit, it should be
removed). But the main issue is that it should not be the field itself enforcing
the limit, because of the behaviour of password managers (including built-in Chrome
or other browser password generators).
Remove the field character limit of 15, but impose the error when the inputted
password is greater than 15 characters. The error should clearly state what limitations
there are (such as maximum 15 chars).
You can write the password limitations literally right above the field in size
24 bolded characters; it won't help if you don't give an actual UI error.
The user will be stuck in a loop of setting the password, failing the next time
they log in, reset etc... if their PW managers/browser password generators are
defaulting to 16+ chars and they don't realize what's happening.
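The failure mode reported in the opening post and the server-side fix Bjarketrux and Emporiosa ask for, as an added simulation that is not Bricklink's code: one store silently keeps the first 15 characters on save but compares the full input at login, the other rejects an over-long password with an error the UI can show (or lifts the limit entirely, since a password hash has no length problem). `MAX_LEN`, the store classes and the sample password are constructed for the illustration.

```python
"""Added example, not Bricklink's code: silent truncation on save versus
explicit length validation, for a manager-generated 16-character password."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

MAX_LEN = 15  # the limit the thread reports; an assumed policy value here


class PasswordPolicyError(ValueError):
    """Raised for an over-long password; the message is what the UI should show."""


def _digest(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 accepts any input length, so the server never has a
    # technical reason to truncate: a maximum, if kept at all, is pure policy.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class _Store:
    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def _save(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, _digest(password, salt))

    def login(self, user: str, password: str) -> bool:
        """Hash exactly what was submitted, as the reported login page does."""
        if user not in self._users:
            return False
        salt, stored = self._users[user]
        return hmac.compare_digest(_digest(password, salt), stored)


class TruncatingStore(_Store):
    """Reproduces the reported behaviour: keep only the first MAX_LEN characters
    when saving, without telling the user."""

    def set_password(self, user: str, password: str) -> None:
        self._save(user, password[:MAX_LEN])


class ValidatingStore(_Store):
    """The fix asked for in the thread: reject with a clear error instead of
    truncating. max_len=None lifts the limit entirely."""

    def __init__(self, max_len: Optional[int] = MAX_LEN) -> None:
        super().__init__()
        self.max_len = max_len

    def set_password(self, user: str, password: str) -> None:
        if self.max_len is not None and len(password) > self.max_len:
            raise PasswordPolicyError(
                f"password is {len(password)} characters; the maximum is {self.max_len}")
        self._save(user, password)


def reproduce_thread_symptom(generated: str) -> Dict[str, bool]:
    """Set a manager-generated password on the truncating server, then try the
    manager's copy and its first MAX_LEN characters at login."""
    store = TruncatingStore()
    store.set_password("seller", generated)
    return {
        "full_password_works": store.login("seller", generated),
        "first_15_work": store.login("seller", generated[:MAX_LEN]),
    }


def set_with_validation(generated: str, max_len: Optional[int] = MAX_LEN) -> str:
    """Return the UI error for a rejected password, '' when set and login succeed."""
    store = ValidatingStore(max_len)
    try:
        store.set_password("seller", generated)
    except PasswordPolicyError as err:
        return str(err)
    return "" if store.login("seller", generated) else "login failed"


if __name__ == "__main__":
    sample = "Xk9#mQ2vLp7!aR4z"  # constructed 16-char manager-style password
    print(reproduce_thread_symptom(sample))   # full copy fails, first 15 chars work
    print(set_with_validation(sample) or "accepted")
    print(set_with_validation(sample, None) or "accepted (no limit)")
```

Removing the HTML `maxlength` from the form field and returning this server-side error is the combination Emporiosa describes; the client-side attribute alone is what lets the manager's copy and the stored value drift apart.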