Christian Heilmann

Don’t rely on maxlength to shorten passwords

Monday, February 6th, 2006 at 6:47 pm

It is bad practice to rely on the maxlength attribute of form fields to enforce the length of submitted data. That much I knew, as playing with curl had made me aware of how easily forms can be submitted with arbitrary data on the wild wild web.

However, I was a bit agog when I realised that it is possible to change the value of a field to a word longer than maxlength on MSIE and Opera.

I set up a demo that shows how to override maxlength with JavaScript.

So, don’t trust maxlength: make sure to also check the real length of the submitted value on the server side.

