Ask HN: What are valid reasons for limiting password length?
I personally get very frustrated if websites reject my 128 character random generated passwords with some error message like "Password too long, maximum of 16 characters".
Are there any (legit) reasons for doing this? I couldn't come up with one as they should hash them, and it doesn't matter for the hash function whether the input is 1 or 1000 characters long. Performance loss is minimal.
It really feels like they are using encryption, instead of hashing. Which would be a major security issue.
15 comments
[ 0.21 ms ] story [ 43.2 ms ] threadI don't know if that's even valid though, it doesn't sound plausible to me.
https://www.djangoproject.com/weblog/2013/sep/15/security/
Just do not do it - it will always end in tears.
"It's what the client wants" is a rather legit reason, whether the rules come from a legal standard for their industry or completely out of their rear end.
I don't see how where the line is drawn (and realistically it has to be drawn somewhere for a public service) necessarily implies anything about whether proper hashing is being done.
but as others have said, the reason is likely to be blind following of poorly thought-out specs.