Last week, I tried to register for a service and was really surprised by a password limit of 16 characters. Why on earth yould you impose such strict limits? Never heard of correct horse battery staple?
Last week, I tried to register for a service and was really surprised by a password limit of 16 characters. Why on earth yould you impose such strict limits? Never heard of correct horse battery staple?
That happens all the fucking time, and it’s infuriating. Most recent example was with Kagi, which I eventually found out had a max of 72, truncated, no warning. I bitched out their support and they were like ‘nbd, and it should have warned you’ and I’m like ‘nope, no warning at all’ which means they didn’t bother checking if a warning actually showed or prevented the input, just ‘I wrote it so we must be good’.
They claim to have fixed this, but ugh. Took me a half an hour, and I started with the suspicion that it was being truncated. Test your shit if you’re going to be stupid, people.
Bcrypt and scrypt have a limit of 72 chars, so it’s probably that. Implementations can work around it by putting the password through a pre-hash, but most don’t bother. There are tons of reasonably secure password storage systems with that limit.