In password security, the longer the better. With a password manager, using more than 24 characters is simple. Unless, of course, the secure password is not accepted due to its length. (In this case, through STOVE.)

Possibly indicating cleartext storage of a limited field (which is an absolute no-go), or suboptimal or lacking security practices.

  • @tarsisurdi@lemmy.eco.br · 4 points · edited · 21 days ago

    I once registered an account with a random ~25-character-long password (Keepass PM) for buying tickets on https://uhuu.com.br/

    The website allowed me to create the account just fine, but once I verified my e-mail, I couldn’t log into it due to there being a character limit ONLY IN THE LOGIN PASSWORD FIELD. Atrocious.

    EDIT: btw, the character limit was 12

    • Skull giver · 3 points · 21 days ago

      PayPal did the same. Registration took 40 characters, login only half of that. Editing the login form didn’t work unfortunately.

    • @FiniteLooper@lemm.ee · 1 point · 21 days ago

      I’ve had this exact same thing happen.

      I’ve also had it happen where you have the two fields to verify the password is the same. One had a maxlength set in it, and the other didn’t. I was for sure entering the same password and I was so confused until I opened up the dev tools and inspected the inputs.

      • @scintilla@lemm.ee · -2 points · 21 days ago

        I understand a cap of like 64 characters or something to keep storage space down for a company with millions of users. Other than that, it doesn’t make a ton of sense.

        • Redjard · 3 points · 21 days ago

          That is a huge red flag if ever given as a reason; you never store the password.
          You store a hash, which is the same length regardless of the password.

        • @mic_check_one_two@lemmy.dbzer0.com · 0 points · edited · 21 days ago

          The cap should actually be due to the hashing algorithm. Every password should be the exact same length once it is salted and hashed, so the actual length of the password doesn’t make a difference in regards to database size. The hash will be a set length, so the storage requirements will be the same regardless. Hashing algorithms have a maximum input length. IIRC the most popular ones return a result of 64-255 characters, and cap at 128 characters for input; even an input of just “a” would return a 64-character hash. But the salt is also counted in that limit. So if they’re using a 32-character salt, then the functional cap would be 96 characters.

          Low character caps are a huge red flag, because it means they’re likely not hashing your password at all. They’re just storing them in plaintext and capping the length to save storage space, which is the first mortal sin of password storage.
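Worked example, added here and not code from any of the posters: one shared length policy enforced by both registration and login, plus a salted hash whose stored size is fixed. It illustrates the failure tarsisurdi and Skull giver describe (registration accepts a long password, the login form silently cuts it short) and the point Redjard and mic_check_one_two make about hash length not depending on password length. The 128-character cap, the PBKDF2 parameters, the in-memory `store` dict and all function names are illustrative assumptions, not anything from the sites discussed.

```python
"""Shared password policy for registration and login, with fixed-length hashing.

Added example, not code from the thread. Shows (1) why a length cap that exists
only on the login form locks users out, and (2) that the stored hash has the
same size whether the password is one character or a hundred.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

# One policy, referenced by BOTH registration and login. The cap of 128 is an
# assumed, illustrative value; what matters is that both code paths share it.
MIN_PASSWORD_CHARS = 8
MAX_PASSWORD_CHARS = 128
SALT_BYTES = 16
DIGEST_BYTES = 32
# Kept low so the example runs quickly; production code should use a current
# recommended work factor for its chosen password-hashing function.
PBKDF2_ITERATIONS = 100_000


def password_length_ok(password: str) -> bool:
    """Single source of truth for the length rule used everywhere."""
    return MIN_PASSWORD_CHARS <= len(password) <= MAX_PASSWORD_CHARS


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password, salt).

    The digest is always DIGEST_BYTES long regardless of the password, so the
    database column size is independent of how long the password is.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=DIGEST_BYTES
    )
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hash_password(password, salt)[SALT_BYTES:]
    return hmac.compare_digest(candidate, expected)


def register(store: Dict[str, bytes], username: str, password: str) -> bool:
    """Create an account; rejects passwords outside the shared policy."""
    if not password_length_ok(password):
        return False
    store[username] = hash_password(password)
    return True


def login(store: Dict[str, bytes], username: str, password: str) -> bool:
    """Same policy check as register(): a password accepted at sign-up is never
    rejected here merely for its length."""
    if not password_length_ok(password):
        return False
    stored = store.get(username)
    return stored is not None and verify_password(password, stored)


def login_with_field_cap(store: Dict[str, bytes], username: str,
                         password: str, field_cap: int) -> bool:
    """Simulates the bug from the thread: the login form's maxlength truncates
    the submitted password at field_cap while registration did not."""
    return login(store, username, password[:field_cap])


def demo() -> dict:
    """Constructed scenario: a 25-character password, then a 12-character login cap."""
    store: Dict[str, bytes] = {}
    long_pw = "Kq7#vL2pZ9!mX4wR8sT1nB6y"[:25]  # constructed sample, 25 chars
    results = {
        "registered": register(store, "alice", long_pw),
        "login_ok": login(store, "alice", long_pw),
        # Truncated to 12 characters by a login-only maxlength: verification fails.
        "login_with_cap_12": login_with_field_cap(store, "alice", long_pw, 12),
        "hash_len_short": len(hash_password("a")),
        "hash_len_long": len(hash_password("x" * 100)),
    }
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

PBKDF2 accepts arbitrarily long input, so the only cap here is the policy constant; if you switch to bcrypt, remember it uses only the first 72 bytes of the password, and the shared constant should reflect that so registration and login still agree.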