Why do so many companies and people say that your password has to be so long and complicated, just to have restrictions?

I am in the process of changing some passwords (I have peen pwnd and it’s the password I use for use-less-er sites) and suddenly they say “password may contain a maximum of 15 characters“… I mean, 15 is long but it’s nothing for a password manager.

And then there’s the problem with special characters like äàáâæãåā ñ ī o ė ß ÿ ç just to name a few, or some even won’t let you type a [space] in them. Why is that? Is it bad programming? Or just a symptom of copy-pasta?

  • @[email protected]
    link
    fedilink
    01 year ago

    Underappreciated fact: Bcrypt has a maximum of 72 bytes. It’ll truncate passwords longer than that. Remember that UTF8 encoding of special characters can easily take more than one byte.

    That said, this is rarely a problem in practice, except for some very long passphrases.

    • Spzi
      link
      fedilink
      English
      01 year ago

      Bcrypt has a maximum of 72 bytes. It’ll truncate passwords longer than that. Remember that UTF8 encoding of special characters can easily take more than one byte.

      Interesting: https://en.wikipedia.org/wiki/Bcrypt#Maximum_password_length

      In the worst case a password is limited to 18 characters, when every character requires 4 bytes of UTF-8 encoding. For example:
      
      𐑜𐑝𐑟𐑥𐑷𐑻𐑽𐑾𐑿𐑿𐑰𐑩𐑛𐑙𐑘𐑙𐑒𐑔 (18 characters, 72 bytes)
      

      Makes me question if bcrypt deserves to be widely used. Is there really no superior alternative?

      • janAkali
        link
        fedilink
        English
        1
        edit-2
        1 year ago

        Not only that, bcrypt could be run by GPUs and FPGA, that makes it more prone to bruteforcing attacks.

        There are 2 modern alternatives: scrypt and argon2. They both require a substantial amount of memory, so gpu and hardware computation is no longer feasible.