Just signed up, and I got a message that "password length must be between 6 and 10 chars".
Now as someone who has worked on multiple login systems in the last 10 years, this is an awful practice and it looks to me like you would store the password in plain text in your DB - something you should never do in case your DB gets compromised, since a lot of users will use the same email and password on multiple sites.
The password length shouldn't matter at all because ideally you would salt & hash the password and only store the hash - not the password itself - and with MD5 the password hash would always be 32 chars long, no matter how short or long the original password was. There is a more in-depth explanation with examples at http://thomashunter.name/blog/password-encryption-hashing-salting-explained/ on this topic.
I think that is a serious issue, since even the bigger sites like LinkedIn and last.fm made the same mistake in the past and then had to admit that they lost a few million user accounts with email and plain text passwords.
Hey Daniel, we definitely don't store pws in plain text, and never have as far as I can remember. We store a hash like you say. The pw length message might be left over from the olden days or might have some other explanation, but I'm sure Peter will be along shortly to clarify.
Yeah, that restriction is totally arbitrary. A minimum length was put in place to try and encourage people to have more secure passwords. The maximum - well, I don't even remember the logic for that, which is probably because there really isn't any logic to it. It's just a hangover from earlier, less-experienced days.
Passwords have always been hashed in our database and for a few years now have also been hashed and "salted". I believe some of these other high profile cases were from databases where the passwords were hashed but not salted, which still leaves you open to problems, because so many password hashes are already known. For example, you can work out everyone who has 123456 as their password, because the hash for it is always the same. Once salted with a random value, and then rehashed again, or even rehashed several times, this becomes much, much harder. This is what our current practice is.
Note, it's for this reason that we can't ever send someone their password if they've forgotten it, because it's really quite impossible for even us to work it out! If you lose your password, you will need to receive an email with a special expiring link allowing you to reset it.
Suffice it to say, apart from the fairly random restriction on the number of characters in your password, the passwords are protected at an above-average standard in our database.
I'd say get rid of the maximum limit if it's at all possible, or at least make it very high.
(BTW, awesome customer service, guys! I'm pretty convinced I've made the right choice for our travel blog!)