Speaking of gandi, a while ago, I ran into some problems logging in to their site, and I—finally—got this response from them by e-mail:
Hello again pessimism,
Our password field supports only passwords up to 16
characters at this time. All longer passwords
are truncated.
If you have any further questions, please let me know.
Sincerely,
[redacted]
Tier 1 Tech Support
Gandi US
I checked in with @theharmonyguy who says this is a pretty bad thing, and I originally intended to do an Ask/Tell HN post about it, but life got in the way.
What are your thoughts on this and its implications for using gandi?
Good find. I use Gandi for some domains, and was curious how they truncate passwords (wtf?) so I tested it by creating a new account with a spare gmail address. The registration page says your pwd must be between 6 and 16 characters, so I tested what happens if you register with a pwd > 16 chars.
I registered the 26 letters of the alphabet for my password, and then tested re-logging in with the full 26 char version, the 26 char version + 1 char (a), the first 17 characters, the first 16 chars, and the first 15 characters.
abcdefghijklmnopqrstuvwxyza
abcdefghijklmnopqrstuvwxyz
abcdefghijklmnopq
abcdefghijklmnop
abcdefghijklmno
None but the original 26 character password worked, so apparently they don't truncate passwords at all, they're probably just hashing it down to 16 characters or whatever in the database, then comparing hashes on login attempt.
Their support guy is just playing fast and loose with the word truncate.
Speaking of their support, I can see why some people were avoiding Gandi because of it. I'm trying to transfer a domain (from SWITCH, no less) and am having issues. I emailed them a week and a half ago and heard back the next day saying they were looking into it. Still nothing, so I sent another support email two days ago and haven't heard anything.
They have the most TLD offerings of any registrar I've seen (sans Go Daddy) so I'd hate to move away from them because of support issues, but I'm starting to understand the complaints I've read.
Their customer is abysmal. They never respond on Twitter—fair enough, other registrars do, though—and it took four days to get a response to why I couldn’t log in. I even had to go through weird escalations to higher “tiers” of support.
If someone knows a good non-American registrar with a wide selection of domains who also has two-factor authentication like Name.com, please let me know. Until then, I’ll probably just postpone the domain purchases.
If you just use A-Z, a-z, 0-9, you have a password space containing a little over 95 bits of entropy (log2(62^16)). A randomly chosen password should be reasonably secure against most attacks.
123-reg in the UK go one better. Passwords on there have to be eight characters long. No more, no less, exactly eight characters. I couldn't believe it when I saw it.
What are your thoughts on this and its implications for using gandi?