Don't Use maxlength on Password Inputs

On the HTML input form element, you must define a type and may define a maxlength attribute. This post concerns the password type and how it interacts with the maxlength attribute. If the maxlength on a password input is wider than the width of the input, there is no way to tell whether what you are typing (or pasting) is actually going into the field.

Below are two test forms that illustrate my point. The forms look identical, but the difference between them has much larger implications in practice. Try the following KeePass-generated password in each form:

f7cef761bb0c51db6811c27a752bff49

What you have just experienced is a problem that exists on many websites' user registration forms. If this were a real registration, the password you entered would not be saved in full, and you would be locked out when attempting to log in. This happens when sites enforce the password length by specifying a maxlength instead of correctly checking its length during form processing on the server. Overall, using client-side markup to validate form values is precarious. Therefore, maxlength should be limited to text input types, and only if it is backed up by server-side validation.

P.S. Stop putting maximum length requirements on passwords, period. Just hash the password and store the hash. And no, password retrieval is not an excuse; have the user reset their password instead.


March 3, 2011