this post was submitted on 17 Jul 2023
485 points (99.8% liked)
Programmer Humor
32503 readers
523 users here now
Post funny things about programming here! (Or just rant about your favourite programming language.)
Rules:
- Posts must be relevant to programming, programmers, or computer science.
- No NSFW content.
- Jokes must be in good taste. No hate speech, bigotry, etc.
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Infuriating fact: if a service has maximum password length limits (lower than 1000 characters), they're reversibly storing your password and if they're that lazy it's probably plain text
Nope. No point in storing > 256 or even 128 chars for a password anyway. Useless storage wasted. Also it doesn’t really mean they store the password badly in the server.
A hashed password is always the same length though is it not?
The length limit is mostly for the user's sake - companies don't want people to set their passwords to 30+ character ones that they keep forgetting and call their tech support to reset.
That's really really really annoying, as someone who has a good, strong brain-based password algorithm and hates it when websites forbid my strong password forcing me to make an exception.
Ignoring that they must be hashed to be acceptable and that it's not possible for 1000 characters of text to add up to a waste of storage worth mentioning in pretty much any environment, it's literally impossible for a 128 character password limit to be beneficial in any way.
A limit below that demonstrably lowers security by a huge margin.
Ok but are 15 characters too much?
I've seen 14-char limits, which are NOT reasonable
there is at least one bank that I know of with a 12 character limit
There's a major bank in Australia that limited passwords to six characters. Exactly six. No more, no less. The passwords were also case-insensitive.
Yikes, how do banks, of all things, have such low password limits...