ASF not working with certain passwords

[JustArchi]

Discussed in #2899

^{Originally posted by AdamT20054 May 16, 2023}
Are there limits to what password ASF can accept?

I remember a while ago I had issues with ASF using long complex passwords, so I had to switch to a much shorter and weaker one.
I've come back to ASF with a stronger password and again I get the InvalidPassword error, are there any limitations to what the program allows for the steam password (eg, length, characters, special characters)?

(Absolutely certain there is nothing wrong with the credentials, not rate limited, etc)

[JustArchi]

Reproduced with password:

Lw{R7{FdA33h+h*~M9nXmQ}`9P5pd-t*Yc:tm-C`No-{\Qj2Z[:}{[Q(KxL[PzjA9r9]*m~K)'Yy>'}Jk;f+cu4cmH&[?L2i+}fUqqrqkQ=w~3$t4J?"=3+7Rav##FT~

[JustArchi]

My blind guess is that Steam artificially limits passwords sent over to only certain characters (length limit), since in similar way they cut non-ASCII characters out of it, pending check using NH2 how the official Steam client signs in.

[JustArchi]

                s = t.replace(/[^\x00-\x7F]/g, '').slice(0, 64);

Bingo.

[nolddor]

Good catch mate!

[JustArchi]

@AdamT20054 Steam artificially cuts passwords to first 64 characters. Your 128-char password is effectively first 64 characters exclusively, and you can use first 64 characters to log in, whether in official client, web browser or ASF - also versions without fix above.

I've added logic for ASF to automatically cut those 64 characters in case somebody uses longer passwords, but from security standpoint, the passwords are 64 characters at most. I can't believe Valve didn't even care to tell people that longer passwords are not accepted, but then again what did I expect if they didn't even tell people non-ASCII characters are trimmed as well.

Sigh, fixed.

[AdamT20054]

Cheers!
Valve just doing valve things i guess :p