A very poor decision was made by somebody at Go Daddy. That decision caused me hours of frustration and delayed the launching of a client’s website. Behold, the 14 characters that caused such grief:
When creating PHP websites, I, like many web developers, develop locally first. Once the client is happy with the website, I get things ready for production by uploading the code, creating a database, and importing the data. My troubles occurred with creating a database, specifically with the database password. Here are Go Daddy’s password criteria:
- be 8-14 characters long
- start with a letter
- include a lower case letter
- include an upper case letter
- include a number
- include a special character (!,@,#,%)
- not include these characters (^,\,$,`, )
Go Daddy has client-side password validation so that you can see which criteria your password meets and which it doesn’t. Now, given the popularity of phpMyAdmin and the fact that it generates 16-character passwords, I’d be willing to bet that there are a lot of MySQL database passwords out there that are 16 characters long. I also think it’s fair to assume that a significant number of web developers have their development database and production database share the same name, username, and password just to keep things simple. It’s not like it’s the root user, so why not?
Given these things, it’s only logical that it would be common for people to paste their database password into the password field on Go Daddy’s “Add a MySQL Database” form. And that’s a problem. Why? Because that password field has its
maxlength attribute set to “14”. This means that if you paste anything more than 14 characters into it, whatever you pasted will be truncated without warning. So pretty much the only way you’ll notice that it got truncated is if you have a password significantly longer than 14 characters. Then, of course, you won’t be able to access your newly created database but, of course, Go Daddy’s tech support will be able to access it just fine. So I have some questions for Go Daddy:
Why limit the password length to such a small number? And if you’re going to do that, why not have that number be 16 since that’s the length of the passwords generated by phpMyAdmin? Next, why put the password’s maximum length in the HTML? The rest of the password criteria are checked client-side, so why not the maximum length as well? This way, if somebody pastes a password longer than the maximum length, “be 8-14 characters long” would get an “X” next to it and the person would realize that the password is too long.
Of course, the chances of Go Daddy reading this are slim to none. Even if they did read it, I highly doubt they would do anything about it. But maybe this blog post will help somebody else facing the dreaded “#1045 – Access denied for user ‘foo’@’172.16.254.1’ (using password: YES)” message.
Lastly, I want to say that the only reason I was using Go Daddy is this particular client was already a Go Daddy customer. Otherwise, I most definitely would have went elsewhere.