Black box tinkering: finding max password length via WeVideo password reset

June 20, 2023

This is how I deduced that 50 characters is the longest length for a password on WeVideo.

Details

The password reset link from WeVideo has this format:

https://www.wevideo.com/newPassword?vc=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX&email=<e-mail-address-here.com>

The hexadecimal string XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX is acting as a UUID/temporary password. Including the separating dashes, the string is 36 characters long, so let's try a 36 character long random password from KeePassXC (alphanumeric with all given symbols).

Criticism of WeVideo's password rules

This is one of the few times I wished there was sensible JavaScript page interactivity/client side checking, as a well done password field should warn me if my password is too short or long, along with listing the password rules.

I previously tried 128 and 72 characters, but those limits were too long.

I worked up from 36 to 40, and then 50. I then went to 60, but then the password was silently being cut off with no visible warnings.

So, I slowly deleted characters and descended in a scaled manner, so: 59, 58, ..., 52, 51 — until I arrived back at 50 characters.

Also a 2023 criticism: no 2FA!

WeVideo also has no form of 2FA whatsoever (neither TOTP nor U2F/WebAuthn; let alone the most recent passkeys).