114
I had the opposite issue… how the heck do I need a username over 1000 characters? lol
Because the requirement was to allow user names, the dev asked what the limit should be, the PM said, “I don’t care, make it 1000”, and so the dev did it.
Source: I’ve been working in software far too fucking long.
That's some malicious compliance right there! 😂
Irá usually bad backend design, bad frontend design, all made by people who are only vaguely aware of security, and how it works.
It's the same bunch that brought us "change your password every two weeks" and other insane anti security designs. They make it worse without even realizing it.
Do hope that your passwords aren't stored in plain text!
Probably running on code from before 2000.
It's a massive red flag. It implies that they are actually storing the password instead of a (preferably salted) hash and that they have no idea what good security practices are. Storing a hash leads to same size strings, no matter the length on the password.
And there's no reason a database can't store a very long hash as well. Storage is cheap for this kind of thing.
That's why I only store and compare the first 8 characters.
Why not store the whole thing?
I'm joking of course, but the reason would be the database column is 8 characters.
If only there was a SQL command that could alter an existing table...
They shouldn't be using salted hashes since a decade or more. Best is to use a memory hard password hash function like argon
Can you expand on this? My experience with Argon is looking up a Wikipedia page in response to this comment, but it looks like it uses a salt as an input?
Its a password specific function. Its also memory hard.
As oposed to generation a salt and passing that with the password through sha256 or something, which is bad practice
It's informative. It informs you that you shouldn't use the site, if possible. Because it's also suggestive of poor security practices in general.
load more comments
(2 replies)
There are valid reasons to limit password length. For example when a hashing function is used that requires a lot of processing power and the amount of power required to calculate the hash is related to the length. In that (very common) case, a denial of service attack vector is exposed. By simply spamming insane long passwords into a login form for example, the servers calculating the hash get easily overloaded. Even with rate limiting, only a small number of attacking nodes can be used to pull down a site.
So a maximum number of characters for a password is a valid thing to do. HOWEVER the maximum length for this purpose is usually set at something like 2048 or 4096 characters.
There is no excuse for a max password length of 16, that's just terrible.
Sixteen is the minimum where I work. We upped it at the end of last year. Fortunately, we also fixed our password policy to expire annually. It used to be every three months, which leads to recycling.
NIST recommended to never have passwords expire since like 3 decades. You gotta get rid of that. It makes your org less secure.
Probably best to just fire whoever set that up. They're clueless
These policies typically come from top management. They'd have to fire themselves.
There's always recycling. Or changing that final character from a 1 to a 2, etc. The human brain just cant handle the complexity otherwise.
Use a couple words instead of letters, you’ll find it easier to remember and not use repeats. Bicycle Uber Pancake 4* should be more secure than some random bunch of letters you’ll forget.
Just use a password manager. No need to remember anything besides your master password. That works for pretty much everything, except I guess computer logins.
Well yes everyone should use a password manager but some people can't load a password manager onto their work computer and therefore are more likely to use non-random passwords. It's easier to remember a passphrase than a random password.
Fortunately, we force everyone to use a password manager at my company. SSO all the things!
We got SSO systems too, unfortunately, there are about 3 of them, lol. The old ADFS, the current Microsoft login (possibly cloud AD, not sure), and our own ID product that we offer to customers.
You could put a timeout on the hash function so that it can't be abused that way, but then... why not just make a limit so it can't anyway.
load more comments
(3 replies)
ive mostly noticed this on old systems.. where the field length for password was decided by an intern 30 years ago.
load more comments
(5 replies)
view more: next ›
this post was submitted on 30 May 2025
114 points (98.3% liked)
privacy
4487 readers
120 users here now
Big tech and governments are monitoring and recording your eating activities. c/Privacy provides tips and tricks to protect your privacy against global surveillance.
Partners:
- community.nicfab.it/c/privacy
founded 3 years ago
MODERATORS