submitted 1 week ago by Showroom7561@lemmy.ca to c/privacy@lemmy.ca

It's infuriating to create a "strong password" with letters, numbers, upper and lowercase, symbols, and non-repeating text... but it has to be only 8 to 16 characters long.

That's not a "strong" password, random characters or not.

Is there a limitation that somehow prevents these sites from allowing more than 16 characters?

I'm talking government websites, not just forums. It seems crazy to me.

[-] Creat@discuss.tchncs.de 71 points 1 week ago

It's a massive red flag. It implies that they are actually storing the password instead of a (preferably salted) hash and that they have no idea what good security practices are. Storing a hash leads to same-size strings, no matter the length of the password.

[-] sugar_in_your_tea@sh.itjust.works 14 points 6 days ago

And there's no reason a database can't store a very long hash as well. Storage is cheap for this kind of thing.

[-] sik0fewl@lemmy.ca 10 points 6 days ago

That's why I only store and compare the first 8 characters.

Why not store the whole thing?

[-] sik0fewl@lemmy.ca 8 points 6 days ago

I'm joking of course, but the reason would be the database column is 8 characters.

If only there was a SQL command that could alter an existing table...

[-] jagged_circle@feddit.nl 3 points 6 days ago

They shouldn't have been using salted hashes for a decade or more. Best is to use a memory-hard password hash function like Argon.

[-] brisk@aussie.zone 2 points 5 days ago

Can you expand on this? My experience with Argon is looking up a Wikipedia page in response to this comment, but it looks like it uses a salt as an input?

[-] jagged_circle@feddit.nl 1 points 5 days ago* (last edited 5 days ago)

It's a password-specific function. It's also memory-hard.

As opposed to generating a salt and passing that with the password through sha256 or something, which is bad practice.
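
Added example, not part of the thread: a Python sketch of the point discussed above, that a stored password hash has the same size whatever the password length, while comparing only the first 8 characters accepts different passwords. It uses the standard library's `hashlib.scrypt` as a stand-in memory-hard function (Argon2 needs a third-party package); the cost parameters, record layout and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters for illustration (about 16 MiB per hash).
N, R, P = 2**14, 8, 1
SALT_LEN, KEY_LEN = 16, 32


def _derive(password: str, salt: bytes) -> bytes:
    """Run the memory-hard KDF over the full password, whatever its length."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=N, r=R, p=P, dklen=KEY_LEN)


def hash_password(password: str) -> bytes:
    """Return salt || derived key: always SALT_LEN + KEY_LEN = 48 bytes."""
    salt = os.urandom(SALT_LEN)  # fresh random salt per password
    return salt + _derive(password, salt)


def verify_password(password: str, record: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, key = record[:SALT_LEN], record[SALT_LEN:]
    return hmac.compare_digest(_derive(password, salt), key)


def truncated_match(stored: str, attempt: str, limit: int = 8) -> bool:
    """The scheme joked about in the thread: an 8-character column,
    so only the first `limit` characters are ever compared."""
    return stored[:limit] == attempt[:limit]


if __name__ == "__main__":
    # Constructed sample passwords of very different lengths.
    for pw in ("hunter2!", "x" * 200):
        print(len(pw), "chars ->", len(hash_password(pw)), "byte record")
    # Truncation accepts a different password; the full hash does not.
    print(truncated_match("correct horse battery", "correct pony"))
    print(verify_password("correct pony",
                          hash_password("correct horse battery")))
```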

this post was submitted on 30 May 2025
114 points (98.3% liked)
