Cula.io limiting password lengths

Security Aug 05, 2020

Following my post on why passwords shouldn't be limited in length, I have decided to name and shame some services as I find them when they limit password lengths.

The first one on the list is Cula.io, which is a free monitoring tool for websites. I looked into this service as part of my day job, and was mortified when I had to lower my password generation length from its usual 32 characters down to 20.

cula.io registration form showing the password requirement of 6-20 characters

Whilst a 20 character password with 20 characters of mixed case, numbers, and special characters may take near forever to crack (11 quintillion years according to Online Domain Tools), I find it astounding that a service offering monitoring restricts their password length in such a way. A service of this type is likely used by network administrators and similar people who have a lot of responsibility. They shouldn't be forced to compromise their security.

What's worse, if they use a password manager and have to change their settings down to accommodate the site, they may not remember to increase it again for the next service they sign up to. Or the next service they change a password for. That's two services then which aren't as strongly secured as they might hope.

What's probably worse than limiting to 20 characters is the minimum length being set to 6 characters.  According to Online Domain Tools, this should only take an average PC taking 2 hours to crack the password for an account using a password that short.

Yes, the user of the account is responsible for actually setting the password that short. But those creating services, especially ones likely to be used by IT professionals, should be at least encouraging people to use longer passwords - if not forcing it.

I ended up finding the service didn't seem to work for me at the time, but was put off up-front by the limitation on the password. Loads of others will be, too.

Tags