It’s infuriating to create a “strong password” with letters, numbers, upper and lowercase, symbols, and non-repeating text… but it has to be only 8 to 16 characters long.
That’s not a “strong” password, random characters or not.
Is there a limitation that somehow prevents these sites from allowing more than 16 characters?
I’m talking government websites, not just forums. It seems crazy to me.
ive mostly noticed this on old systems… where the field length for password was decided by an intern 30 years ago.
This is it right here. The new system has to talk to the old database which has a character limit for that field. Untold amounts of money and effort would be required to update the back end.
Passwords should be hashed to a fixed length. Character limit implies clear text passwords are stored.
What if the pass is only temporarily stored in a db table, then instantly hashed and dropped? Obviously, I’m no db admin. :(
Best practice is never to store a password in the clear.