Skip to content

Document the admin/user password character and length limits (PASSWORD_MIN_LENGTH, max length, allowed charset) #5570

Description

@AceBurn90

Prerequisites

  • I searched open issues and this has not already been proposed.
  • I searched discussions and this is not already being debated there.
  • This is a concrete, actionable proposal — not a vague "it would be nice if..." request.

Area

Auth / Security

Problem or Motivation

The setup script references a PASSWORD_MIN_LENGTH constant, but I couldn't find the actual
minimum length value, a maximum length, or the allowed character set documented anywhere
(README, docs/setup.md, or Settings UI).

I use a password manager (Enpass) with lowercase, uppercase, digits, and special characters
enabled, generating passwords around 100 characters long, potentially including the full
standard set of special characters:

! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~

I confirmed this is a real, reproducible issue, not just missing docs: setting a ~100-character
password via Settings > Change Password fails with a frontend error
"JSON.parse: unexpected character at line 1 column 1 of the JSON data", suggesting the backend
returns a non-JSON error response (likely an unhandled exception/HTML error page) instead of a
clean validation error. A 72-character password works fine.

This strongly points to bcrypt's 72-byte input limit (the bcrypt Python package raises a
ValueError for inputs over 72 bytes since v4.0, rather than silently truncating) being hit
without being caught and handled gracefully server-side.

Proposed Solution

Document the following, either in docs/setup.md, the README security notes, or directly in
the Settings UI as a hint next to the password field:

  1. The exact minimum password length (PASSWORD_MIN_LENGTH)
  2. The maximum password length — practically capped at 72 bytes by bcrypt
  3. Whether any characters are disallowed or cause issues

Additionally, and more importantly: catch the bcrypt length error server-side and return a
clean validation error (e.g. "Password must be 72 characters or fewer") instead of letting
it surface as an unhandled exception that breaks JSON parsing on the frontend.

Alternatives Considered

Could also just add inline validation error text showing the requirement, but explicit docs
are more discoverable.

Prior Art / Related Issues

No response

Are you willing to implement this?

No — I am only filing the request

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requestready for reviewDescription complete — ready for maintainer review

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions