by frou_dh on 11/23/2013, 6:48:43 PM
If it was in fact 1-1000 then some nerd would be complaining about muh 1024 convention. Next, the 1MB guy.
I don't see how where the line is drawn (and realistically it has to be drawn somewhere for a public service) necessarily implies anything about whether proper hashing is being done.
by bdfh42 on 11/22/2013, 7:07:05 PM
I am sure you are quite correct - any limitation (within reasonable bounds for a web page control) is a strong indication that a web site is not hashing your password. At best they are encrypting it - and that is bad bad bad.
by 6thSigma on 11/22/2013, 7:36:05 PM
Websites that allow you to use a 128 character PW could very well be cropping it at whatever their max PW length is FWIW.
by csixty4 on 11/23/2013, 4:15:54 AM
Depends what you mean by "legit". I once asked a project manager if the client had any legally-mandated rules for passwords. The response from the client was (paraphrased) "no legal requirement. Let's go with 6-12 characters, at least one number and one symbol". I suggested a higher (or no) upper limit, but I was told to just give them what they wanted.
"It's what the client wants" is a rather legit reason, whether the rules come from a legal standard for their industry or completely out of their rear end.
by wnevets on 11/22/2013, 6:58:45 PM
Would the performance lost be minimal if my password is 1GB in size?
by byoung2 on 11/22/2013, 7:12:20 PM
Maybe they are storing your password in plain text in a VARCHAR(16) field, which is a scary thought. It is also likely that enforcing a short password encourages users to choose passwords that are easy to remember...longer passwords would encourage users to write them down or keep them in a text file.
by Wezc on 11/22/2013, 8:56:37 PM
I never thought about your situation. As a kid web dev I used to limit password size for db issues as 'byoung2' said: like using a VARCHAR(42) or something like that depending on the way I store the hash! Anyway, next time I'll think about you and allow users more space for their password! :)
by jeffblake on 11/22/2013, 7:24:57 PM
My bank required that I could only use a 6 character alphanumeric password when signing up. Kind of scary, but then again, it made me choose a super random PW like v3Ff78 whereas most all people in that situation would use their same password for everything, such as baseball. That's my theory anyway.
by andrewcooke on 11/24/2013, 2:11:29 AM
the only limit that comes to mind is 16kB (IIRC some servers limit at that) for an HTTP header parameter (since presumably it will be posted).
but as others have said, the reason is likely to be blind following of poorly thought-out specs.
I personally get very frustrated if websites reject my 128 character random generated passwords with some error message like "Password too long, maximum of 16 characters".
Are there any (legit) reasons for doing this? I couldn't come up with one as they should hash them, and it doesn't matter for the hash function whether the input is 1 or 1000 characters long. Performance loss is minimal.
It really feels like they are using encryption, instead of hashing. Which would be a major security issue.
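The three technical points in this thread (the original question about hashing a 1 or 1000 character input, 6thSigma's note that a site may silently crop the password at its maximum length, and byoung2's and Wezc's point that the storage column only needs to fit the hash, not the password) in working code. This is an added example, not code posted by anyone in the thread; the PBKDF2 iteration count, the 4096-byte cap, the 16-character crop and the stored record format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters for this example (not from the thread).
DIGEST = "sha256"          # PBKDF2-HMAC-SHA256: digest is always 32 bytes
ITERATIONS = 100_000       # work factor; tune for your hardware
MAX_PASSWORD_BYTES = 4096  # DoS guard for the 1 GB case, not a usability limit
CROP_LENGTH = 16           # what a "maximum of 16 characters" site might silently do


def naive_hash_cropped(password: str, salt: bytes) -> bytes:
    """Hasher that crops the input first, as some length-limited sites do.
    Every password sharing the first CROP_LENGTH characters collides."""
    cropped = password[:CROP_LENGTH].encode("utf-8")
    return hashlib.pbkdf2_hmac(DIGEST, cropped, salt, ITERATIONS)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hash the full password. Output size does not depend on input size,
    so the only length rule needed is a generous cap against abuse."""
    data = password.encode("utf-8")
    if len(data) > MAX_PASSWORD_BYTES:
        raise ValueError(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac(DIGEST, data, salt, ITERATIONS)


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute and compare in constant time; reject oversized input the same way."""
    try:
        _, candidate = hash_password(password, salt)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, stored_digest)


def stored_record(salt: bytes, digest: bytes) -> str:
    """The string that actually goes in the database column. Its length is fixed
    by the algorithm parameters, so the column never needs to grow with the password."""
    return f"pbkdf2_{DIGEST}${ITERATIONS}${salt.hex()}${digest.hex()}"


def record_length_is_constant(lengths=(1, 16, 128, 1000)) -> bool:
    """Check that the stored record is the same size for 1..1000 character passwords."""
    salt = b"\x00" * 16  # fixed salt so the check is deterministic
    sizes = {len(stored_record(salt, hash_password("x" * n, salt)[1])) for n in lengths}
    return len(sizes) == 1


def cropping_collides() -> bool:
    """Demonstrate the cropping failure: two different passwords verify as the same one."""
    salt = b"\x01" * 16
    a = naive_hash_cropped("correct horse battery", salt)
    b = naive_hash_cropped("correct horse battery staple", salt)
    return a == b


if __name__ == "__main__":
    salt, digest = hash_password("a" * 128)
    print("record:", stored_record(salt, digest))
    print("constant record length:", record_length_is_constant())
    print("cropped hasher collides:", cropping_collides())
    print("full hasher verifies:", verify_password("a" * 128, salt, digest))
```

Running this shows the stored record is the same 100-odd characters whether the password is 1 or 1000 characters, that a hasher which crops at 16 characters accepts "correct horse battery staple" for an account whose password is "correct horse battery", and that the only length rule the full hasher needs is a byte cap large enough that no human-chosen or generated password will hit it.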