Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Speaking of gandi, a while ago, I ran into some problems logging in to their site, and I—finally—got this response from them by e-mail:

    Hello again pessimism,
    
    Our password field supports only passwords up to 16
    characters at this time. All longer passwords
    are truncated.
    
    If you have any further questions, please let me know.
    
    Sincerely,
    
    [redacted]
    Tier 1 Tech Support
    Gandi US
I checked in with @theharmonyguy who says this is a pretty bad thing, and I originally intended to do an Ask/Tell HN post about it, but life got in the way.

What are your thoughts on this and its implications for using gandi?



Good find. I use Gandi for some domains, and was curious how they truncate passwords (wtf?) so I tested it by creating a new account with a spare gmail address. The registration page says your pwd must be between 6 and 16 characters, so I tested what happens if you register with a pwd > 16 chars.

I registered the 26 letters of the alphabet for my password, and then tested re-logging in with the full 26 char version, the 26 char version + 1 char (a), the first 17 characters, the first 16 chars, and the first 15 characters.

abcdefghijklmnopqrstuvwxyza

abcdefghijklmnopqrstuvwxyz

abcdefghijklmnopq

abcdefghijklmnop

abcdefghijklmno

None but the original 26 character password worked, so apparently they don't truncate passwords at all, they're probably just hashing it down to 16 characters or whatever in the database, then comparing hashes on login attempt.

Their support guy is just playing fast and loose with the word truncate.


The worrying thing about that limit isn't the limit itself, but whatever process they are using to process passwords that imposes that limit.

I mean, if they're hashing the password as they should, why the limit? It's stored as fixed length string anyway...


Speaking of their support, I can see why some people were avoiding Gandi because of it. I'm trying to transfer a domain (from SWITCH, no less) and am having issues. I emailed them a week and a half ago and heard back the next day saying they were looking into it. Still nothing, so I sent another support email two days ago and haven't heard anything.

They have the most TLD offerings of any registrar I've seen (sans Go Daddy) so I'd hate to move away from them because of support issues, but I'm starting to understand the complaints I've read.


Their customer is abysmal. They never respond on Twitter—fair enough, other registrars do, though—and it took four days to get a response to why I couldn’t log in. I even had to go through weird escalations to higher “tiers” of support.

If someone knows a good non-American registrar with a wide selection of domains who also has two-factor authentication like Name.com, please let me know. Until then, I’ll probably just postpone the domain purchases.


If you just use A-Z, a-z, 0-9, you have a password space containing a little over 95 bits of entropy (log2(62^16)). A randomly chosen password should be reasonably secure against most attacks.


123-reg in the UK go one better. Passwords on there have to be eight characters long. No more, no less, exactly eight characters. I couldn't believe it when I saw it.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: