Last week, I tried to register for a service and was really surprised by a password limit of 16 characters. Why on earth yould you impose such strict limits? Never heard of correct horse battery staple?

  • @[email protected]
    link
    fedilink
    203 months ago

    If a company tells you your password has a maximumn length, they are untrustable with anything important.

    I would add if they require a short “maximum length.” There’s no reason to allow someone to use the entirety of Moby Dick as their password, so a reasonable limit can be set. That’s not 16 characters, but you probably don’t need to accept more than 1024 anyway.

    • @Valmond
      link
      53 months ago

      Why not? You’re hashing it anyways, right?

      Right?!

      • @phcorcoran
        link
        123 months ago

        Sure but if my password is the entire lord of the rings trilogy as a string, hashing that would consume some resources

        • @Valmond
          link
          23 months ago

          I think there are other problems before that 😂

      • @[email protected]
        link
        fedilink
        53 months ago

        Of course, but if you’re paying for network and processing costs you might as well cap it at something secure and reasonable. No sense in leaving that unbounded when there’s no benefit over a lengthy cap and there are potentially drawbacks from someone seeing if they can use the entirety of Wikipedia as their password.

        • @[email protected]
          link
          fedilink
          13 months ago

          You can also hash it on the client-side, then the server-side network and processing costs are fixed because every password will be transmitted using same number of bytes

          • @[email protected]
            link
            fedilink
            23 months ago

            You still need to deal with that on the server. The client you build and provide could just truncate the input, but end users can pick their clients so the problem still remains.

          • @Valmond
            link
            13 months ago

            That would take care of it, you do nead to salt & hash it again server side ofc.

      • @[email protected]
        link
        fedilink
        23 months ago

        Bcrypt and scrypt functionally truncate it to 72 chars.

        There’s bandwidth and ram reasons to put some kind of upper limit. 1024 is already kinda silly.

    • @[email protected]
      link
      fedilink
      13 months ago

      you probably don’t need to accept more than 1024 anyway.

      OWASP recommends allowing at least 64 characters. That would cover all of my passphrases, including the ones that are entire sentences

    • @AA5B
      link
      13 months ago

      I wonder if a lot of it is someone using their personal experience and saying “just a little bigger ought to cover it”

      When I used my own passwords, I rarely used more than 12 characters, so that should be enough

      All the password generators I’ve used default to about 24 chars, so 30 ought to be enough for anyone