In password security, the longer the better. With a password manager, using more than 24 characters is simple. Unless, of course, the secure password is not accepted due to its length. (In this case, through STOVE.)
Possibly indicating cleartext storage of a limited field (which is an absolute no-go), or suboptimal or lacking security practices.
We have a customer, a big international corporation, that has very specific rules for their intranet passwords:
I can only assume that whoever came up with these rules is either an especially demented BofH, or they have some really really weird legacy infrastructure to deal with.
I am a designer, but I once did a project with a very very major and recognizable tech corporation that, no joke, implemented an 8 character limit on passwords for storage reasons.
This company made in the tune of tens of billions of dollars per year, and they were penny-pinching on literal bytes of data.
I can’t say who it is, but their name begins with ‘M’ and ends in ‘cAfee.’
If password length affects storage size then something has gone very wrong. They should be hashed, not encrypted or in plaintext.
I worked in IT for a big national company for a short time. Passwords rules were : at least 8 characters, at least one uppercase letter, at least one number, change password every 2/3 months and different than the 3 previous ones. Several workers had a post-it on the screen with the 4 passwords they use. One of them had name of child and year of birth, I don’t know if it was his children or his relatives’ children too.
No repeats??? Like, you cant have ‘aaaa123@’ as a password?
You’re just making it easier to brute force…