Oh I had the same thought. Whoever limits password length probably has many other shitty security practices.

If a company tells you your password has a maximum length, they are untrustable with anything important.

Lemmy-UI has a password limit of 60 characters. Does that make it untrustworthy?

If a company tells you your password has a maximumn length, they are untrustable with anything important.

I would add if they require a short "maximum length." There's no reason to allow someone to use the entirety of Moby Dick as their password, so a reasonable limit can be set. That's not 16 characters, but you probably don't need to accept more than 1024 anyway.

The number of government websites that I’ve encountered with this “limitation.” Even more frustrating when it’s not described upfront in the parameters or just results in an uncaught error that reloads the page with no error message.

bcrypt has a maximum password length of 56 to 72 bytes and while it's not today's preferred algo for new stuff, it's still completely fine and widely used.

also, if they think a strong password is only about types of characters. a dozen words from as many languages and 5+alphabets is just as good!

its to the point I don't bother remembering my passwords anymore, because this bullshit makes user-memorable-hard-to-machine-guess passwords impossible.

I am now very concerned about a certain medical implant device company

True!

Do you know the password game?

The digits in your password must add up to 25.

When I was working on a password system a few years ago, I found some amazingly bad password requirements. One that stuck with me was it couldn't contain any two digit years (e.g. 08).

I'll also leave this here: https://dumbpasswordrules.com/sites-list/

Ugh, I'm unfortunately even more bothered by the random extra spaces at the start of the first and last requirements than I am by the security horror.

I am now even more relieved that the NJ courts have removed me permanently from jury duty, so my chances of interacting with that entire nonsense has gone down. A bit. Just a bit down.

Now I just must try to not be taken to court or take one to court.

This is where hiding inside might help.

I used to manage a system that had a longer character limit on the creation than in the sign in. To fix it, they just let you type in more characters when you signed in but only validated the first 8 anyway. 🤦‍♂️

Honestly at that point, it's not worth using the service to me if I have to contact support just to sign in.

I used a service that had password validation on the “current password” field when you update your password. My password had stopped being valid due to a change in their password policy, but I couldn’t fix it because the “update password” form kept saying my current password was invalid. I know — you told me to change it!!!!

I have had this before, I was so confused for a while.

Made account used my password manager, so I knew the password was correct, went around the loop a few times of "forgot password"; finally shortened form 25 to 16 characters and it just worked.

Mine does not allow spaces. They used to use a 4 digit pin as 2FA. Not a new pin you got every time you logged in, the same 4 digit pin.

A lot of bank computing is a complete clusterf@#k. Getting even basic changes and bug fixes requires it being signed off on by various regulators and committees. Apparently, 18 months for a 1 line change is normal. This has ended up with layers of new work being frankensteined onto older systems. E.g. Internet banking, for a long time, physically printed checks, via an automated machine, posted them, and then had them read in, via an automated machine. Hence why Internet bank transfers took 2-3 days.

I had issues with my banks truncating my password a while back. It only looked at the first 8 characters.

One of my past banks used to be case-insensitive. They aren't anymore (as far as I know). Their name starts with Key and ends with Bank.

Sheesh

Crazy that there are still banks that use a username and password for login.

Oh that's evil.

About 10 years ago this happened to me at chase.com. IIRC they truncated at 30 characters at the time.

That happens all the fucking time, and it's infuriating. Most recent example was with Kagi, which I eventually found out had a max of 72, truncated, no warning. I bitched out their support and they were like 'nbd, and it should have warned you' and I'm like 'nope, no warning at all' which means they didn't bother checking if a warning actually showed or prevented the input, just 'I wrote it so we must be good'.

They claim to have fixed this, but ugh. Took me a half an hour, and I started with the suspicion that it was being truncated. Test your shit if you're going to be stupid, people.

8??? For banking? I haven’t used less than like 16 in at least 5, maybe 10 years. Jeez.

A major US bank that I used to use has case insensitive passwords, found that out one day when I noticed caps lock was on after logging in with no trouble

Early 2000s internet banking was a trip.

Ha. I had the same thing, with a government-run student loan website

I had to make a 10 character password for Santander

No no, not 8 characters, 8 numerical characters!

The fact that it was a power of 2 makes me suspect lazy coding. That bank didn't pay its programmers well enough.

but not 2! and not THAT special character! and...

Your password must contain at least one swear word.

I hate that, why can't I use something like £ or Ł?

Obligatory link https://imgs.xkcd.com/comics/password_strength.png

SELECT * FROM users WHERE name = "$name" OR password = "$password"

sqlquery = "INSERT INTO users (username, password) VALUES ('" + username + "', '" + password + "')"

What could go wrong?

Wow that’s true, what a crock.

USAA strikes me as the most Wonder bread Texas Aw Shucks company that smiles to your face while outsourcing as much as possible (and stabbing you in the back in the process). Case in point. USAA only allows TOTP through Symantec’s proprietary app. I’m moving everything away from them except for auto insurance (which will likely go away at some point too as they’re not really that valuable for that anymore either).

I have to change my USAA password every few months because I forget about the 12 character restriction...

Huh? I have had a USAA account for many years and my current password is far beyond 12 characters. I use both the website and the app...

Ah yes, the password rules from 1980.

By any chance wanna share your approximate location, asking for a friend

Use a different bank.

How about a bank app that requires 6 numbers password (not the app PIN, but the user account's password).

A lot of older systems I worked on had password requirement of exactly 7 characters, no special characters, no numbers and no upper case. Must have been interesting times in security when those systems were made.

It's all fun and games until someone realizes they can just create lots of accounts with large passwords and fill your space.

What? The password should only receive the hashed password, and that's gonna have a fixed length. What's stored in the db should have the exact same length whether the password is 2 characters long or 300. If the length of the password is in any way a consideration for your database, you've royally fucked up long before you got to that point.

Happened to me a couple days ago when resetting a password for Paypal. The browser limit was 20 characters for the 2nd password box but had a higher limit for the first password box.

Though, it appears they recently modified the form to pop up with an "Enter a shorter password" message. With that being said, PayPal has apparently always had shitty password policies.

"Otherwise our database may misinterpret it as a number when we store it in pain text"

Has. 20 char max.

And (at least at the time of my account creation) don't even tell you about it. I found out by the errormessage in the networklog of the REST requests why my signup failed repeately.