Why is the admin password length limited to 40 characters?

**grafcaps.com** · 20 Sep 2018, 12:17 AM

I'm attempting to update a site to Zen-Cart 1.5.5f. I was having trouble logging in to the admin section on the upgraded site, and I discovered that the password field has a `maxlength=40` attribute.

I typically use 64 character passwords. I removed the `maxlength=40` attribute and my long password works fine. Is there a practical reason for the limit?

**mc12345678** · 20 Sep 2018, 12:17 PM

Certainly have me intrigued about the reason, though for some reason I have a suspicion that at one point that was possibly the longest password that could be processed to give a result that fit within the database field length. Meaning, anything longer than that might have allowed variation on the actually input password to provide a successful entry. Ie. Pwd1 or Pwd2 could be entered to gain entry. Could be complete hogwash, but mentally that's a possibility...

**DrByte** · 21 Sep 2018, 05:01 AM

I'm pretty sure it's a leftover legacy thing that needs cleaning up.
Unlike other fields where the number of allowed characters is matched roughly with the limit that the database can store (so the user can't unwittingly submit data that gets chopped off), password hashes are handled differently so there's no correlation there.

**mc12345678** · 21 Sep 2018, 02:09 PM

Originally Posted by DrByte

I'm pretty sure it's a leftover legacy thing that needs cleaning up.
Unlike other fields where the number of allowed characters is matched roughly with the limit that the database can store (so the user can't unwittingly submit data that gets chopped off), password hashes are handled differently so there's no correlation there.

Thanks for that explanation of the likely source of the 40 characters. Certainly at one point even considering a password of 40 characters in length was unusual. :)