Feedback on registration and Q about pwd

Moin Vaxry and who it might concern =)

First of all: congratulations on going live!

Some feedback:

  1. Looks are cool around here.
  2. It took me quite some attempts to register. There’s next to no feedback about why it’s failing - figuring out that a username must be at least 3 characters long was the first hurdle (basically just noticed the register button becoming enabled when everything was filled and the username was long enough).
  3. Not sure, but I think the answer to that “captcha” is case sensitive? If so that’s a horrible idea, especially when some answers are just yes/no… or Yes/No? Apart from that, just as a hint from someone who dealt with this stuff for a long time: it’s always easier to let bots prove they’re bots than it is to get humans to prove they’re human. I’d remove that awful captcha and replace it with some honeypots, session validation and maybe a proof of work.
  4. When registration fails the captcha should be reloaded automatically - that the user needs to refresh the whole page manually and start over is very unusual and feels cumbersome. JavaScript might be ugly, but it’s very easy to reload parts of the DOM with it :slight_smile:
  5. The password drove me crazy. My standard passwords are at least 53 characters long and easily get to 70 characters and more - but there seems to be some limit on the length, which is only indicated by a red “invalid password” after the form has been submitted. I had no idea if it contained invalid characters or if it was the length (turned out to be this) or maybe it wasn’t complex enough? If you impose rules, please also do state them. Thanks!

On the topic of passwords I got a question:
The limitation on the password’s length got me thinking. Are you storing passwords in plain text/string/varchar? Because only then would a password’s length be relevant due to a possible field length limitation.

In general the length of the password and the characters it contains should be absolutely irrelevant, because you should never store a user’s password anyway. The least you should do is to hash the password and then store that hash. Also add a random salt, add it to the password and hash that, then store hash and salt in the db. On login you use the same method to salt+hash and forget about the password the user entered - only match the username and hash against your stored values.

So that’s my few cents. I’ll look around a bit and get a feeling for what’s up around here. Maybe I’ll even convert my monthly kofi donation into a subscription. But as I don’t really need dotfiles it’s kinda up to you what you would prefer. I’d like to get the most of my donation into your pocket and iirc I’ve read something about personal donations not being taxed while your subscriptions go through some company-esque shit and get taxed? Hence I feel kofi donations yield more? Lemme know :face_blowing_a_kiss:

Wish you the best of luck with your projects and may you never have to worry about spending coin on shit you need (or just want)..!
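The salt-then-hash storage scheme described in the post above, as an added example (not code from the site or from the poster), using PBKDF2-HMAC-SHA256 from the standard library; the iteration count, the in-memory `users` dict and the `register`/`login` helpers are assumptions for illustration:

```python
import hashlib
import hmac
import os

# Assumed parameters for this example: tune iterations to your hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password: str, salt: bytes = None) -> dict:
    """Return {salt, hash, iterations}; the plaintext itself is never kept.
    Output size is fixed, so a 70-character password costs no more DB space."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=DIGEST_BYTES
    )
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]),
        record["iterations"], dklen=len(record["hash"]) // 2,
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


# Constructed dummy record so a login for an unknown user still costs one
# derivation, which keeps the timing from revealing which usernames exist.
_DUMMY = hash_password("dummy")


def register(users: dict, username: str, password: str) -> None:
    """Store only salt + hash under the username (hypothetical store)."""
    users[username] = hash_password(password)


def login(users: dict, username: str, password: str) -> bool:
    """Match username and recomputed hash against the stored values."""
    record = users.get(username)
    if record is None:
        verify_password(password, _DUMMY)
        return False
    return verify_password(password, record)
```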

Weird. When I tried to register shortly after midnight with a password of more than 50 characters, I was told it had to be between 6 and 29 characters and some other stuff about including or excluding special characters.

Unrelated… but what’s the benefit of going above, say, 20 letters in password length? 20 is already long enough that most powerful PCs can’t crack it… and quantum ones can theoretically compute a huge length easily right? (I’m about 36% sure about the stuff I said above so please don’t kill me).

Still educate me about the password length need.

The benefit is that keepassxc shows a satisfying green bar :eyes:


Oh, so Vaxry might’ve been working on it already.. :star_struck:

  1. Username requirements could be made clearer - fair.
  2. It’s not case-sensitive. Proof of work could be a nice idea, true. There are a few other systems on the backend to prevent spam - the captcha is there mostly as “one more thing that slows you down”.
  3. Fixed already 18h ago.
  4. This has also been fixed 18h ago.

No, I hash them, but I am also paranoid, and would rather avoid weird unicode.

Thanks for the kind words :)


Good, good, that satisfies my own paranoia a bit :grin: .oO( and utf8mb4 is awesome )

Thanks a bunch for your quick answers! :black_heart:

I’ve added a POW in the background, with a dynamic difficulty based on some basic heuristics. I’ve also added hints to usernames and passwords when you are typing, and I’ve doubled email + password boxes with a “repeat …” because some people were misspelling their emails.

Cheers.


Just checked it. Awesome! Well, for me it’s too late - but I got a 2-digit uid for my troubles earlier. Checks out :grin: :+1:
