Lemmy Support @lemmy.ml Kalcifer @sh.itjust.works 1mo ago

[SOLVED] What is the maximum username length for a Lemmy account?

Solution

The Lemmy server appears to have a database limit of 255 characters ^[2]; however, individual instances appear to put their own limits on username length though the frontend ^[3] and/or the API ^[4.1][4.2].

Original Post

If you know, please also provide relevant documentation.

UPDATE (2025-02-02T06:06Z): I did some brute-force testing, and, at least for sh.itjust.works, it seems that the maximum username length is 50, and the maximum password length is 60 ^[1].

References

"Sign Up". sh.itjust.works. Lemmy. Accessed: 2025-02-02T08:49Z. https://sh.itjust.works/signup.
- When creating an account on sh.itjust.works, the sign-up form will throw this error if the provided password is greater than 60 characters in length.
@[email protected] To: ["[SOLVED] What is the maximum username length for a Lemmy account?". "Kalcifer" @[email protected]. "Lemmy Support" [email protected]. sh.itjust.works. Lemmy. Published: 2025-02-03T00:54:51Z. https://sh.itjust.works/post/32085936.]. Published: 2025-02-02T05:57:26Z. Accessed: 2025-02-03T00:44Z. https://sh.itjust.works/post/32085936/16442382.

It might be 255 characters? […]
- They pointed to code on GitHub for the Lemmy server which outlines the length of the username data in the SQL database.
"[SOLVED] What is the maximum username length for a Lemmy account?". "Kalcifer" @[email protected]. "Lemmy Support" [email protected]. sh.itjust.works. Lemmy. Published: 2025-02-03T00:54:51Z. Accessed: 2025-02-03T00:46Z. https://sh.itjust.works/post/32085936.
- §"Original Post". ¶2.
  
  […] I did some brute-force testing, and, at least for sh.itjust.works, it seems that the maximum username length is 50 […]
  - The maximum username length for sh.itjust.works was found to be 50 characters by brute-force testing the length limit.
"Andrew" @[email protected] To ["[SOLVED] What is the maximum username length for a Lemmy account?". "Kalcifer" @[email protected]. "Lemmy Support" [email protected]. sh.itjust.works. Lemmy. Published: 2025-02-03T00:54:51Z. https://sh.itjust.works/post/32085936.] Published: 2025-02-02T19:57:49Z. Accessed: 2025-02-03T00:59Z. https://sh.itjust.works/post/32085936/16453656.
1. curl -L http://lemmy.world/api/v3/site | jq -r .site_view.local_site.actor_name_max_length (26)
  - The maximum username length for Lemmy.world was found to be 26 characters via an API request.
2. curl -L http://sh.itjust.works/api/v3/site | jq -r .site_view.local_site.actor_name_max_length (50)
  - The maximum username length for sh.itjust.works was found to be 50 characters via an API request.

51 comments

It might be 255 characters?

Assuming that's the field applicable to this question, there isn't some other limit somewhere other than the database and that I didn't miss another later migration that changes the field length etc. I haven't looked terribly thoroughly, though.
- Can’t wait for the 255 username posting to 255 community @ 255 (253?) instance
A password max length shouldn't be needed if they store a hash of it in the db.
- It's possible that Lemmy uses fixed-size buffers for the username and unhashed password. It would be pretty bad to give an unauthenticated user the power to allocate hundreds of megabytes in a shared process.
  
  Not that I read the source code to know for sure, but it's common practice to reduce the opportunity for denial of service attacks by limiting user input size.
- It's up to the UI as to how much data to accept AFAIK. The lemmy-ui will truncate passwords beyond 60. So even if you have a 64 char password it will drop the last 4 and do the hashing on that.
  
  […] The lemmy-ui will truncate passwords beyond 60. So even if you have a 64 char password it will drop the last 4 and do the hashing on that.
  
  At least on sh.itjust.works, it doesn't just silently truncate the password; it throws an error ^[1]:
  
  References
  
  "Sign Up". sh.itjust.works. Lemmy. Accessed: 2025-02-02T08:49Z. https://sh.itjust.works/signup.
  
  When creating an account on sh.itjust.works, the sign-up form will throw this error if the provided password is greater than 60 characters in length.
It seems to be set per-instance - you can find out through their APIs:

curl -L http://lemmy.world/api/v3/site | jq -r .site_view.local_site.actor_name_max_length (26)

curl -L http://sh.itjust.works/api/v3/site | jq -r .site_view.local_site.actor_name_max_length (50)
- Is there any official documentation for that? Lemmy's API docs ^[1] seem rather sparse on the subject.
  
  UPDATE (2025-02-02T23:23Z): I found this ^[2] and this ^[3], but unfortunately it doesn't contain much information.
  
  References
  
  "API". Lemmy Documentation. Lemmy. Accessed: 2025-02-02T23:20Z. https://join-lemmy.org/docs/contributors/04-api.html.
  
  §Site. Lemmy API. Accessed: 2025-02-02T23:27Z. https://lemmy.readme.io/reference/get_site.
  
  "Unofficial Lemmy OpenAPI Documentation (v0.19.6)". Lemmy. Version: 0.19.6. Accessed: 2025-02-02T23:29Z. https://mv-gh.github.io/lemmy_openapi_spec/#tag/Site/paths/~1site/post.
  
  §Site.
  
  Not much. I think Lemmy's current API docs are generated from the JS client. So I guess there's
  
  https://join-lemmy.org/lemmy-js-client-docs/v0.19/interfaces/LocalSite.html#actor_name_max_length
  
  This refers to the wrong line number though, it's actually at:
  
  https://github.com/LemmyNet/lemmy-js-client/blob/ad9f402e06292899a35927c46fe48b22c6f5eb27/src/types/LocalSite.ts#L59

51 comments