It’s infuriating to create a “strong password” with letters, numbers, upper and lowercase, symbols, and non-repeating text… but it has to be only 8 to 16 characters long.

That’s not a “strong” password, random characters or not.

Is there a limitation that somehow prevents these sites from allowing more than 16 characters?

I’m talking government websites, not just forums. It seems crazy to me.

    • hightrix@lemmy.world · 17 upvotes · 3 days ago

      Because the requirement was to allow user names, the dev asked what the limit should be, the PM said, “I don’t care, make it 1000”, and so the dev did it.

      Source: I’ve been working in software far too fucking long.

  • Phoenixz@lemmy.ca · 15 upvotes · 3 days ago

    It’s usually bad backend design, bad frontend design, all made by people who are only vaguely aware of security and how it works.

    It’s the same bunch that brought us “change your password every two weeks” and other insane anti security designs. They make it worse without even realizing it.

    Do hope that your passwords aren’t stored in plain text!

  • Creat@discuss.tchncs.de · 71 upvotes · 2 downvotes · 4 days ago

    It’s a massive red flag. It implies that they are actually storing the password instead of a (preferably salted) hash and that they have no idea what good security practices are. Storing a hash leads to same-size strings, no matter the length of the password.

  • Thorry84@feddit.nl · 47 upvotes · 4 days ago

    There are valid reasons to limit password length. For example, when a hashing function is used that requires a lot of processing power and the amount of power required to calculate the hash is related to the length. In that (very common) case, a denial of service attack vector is exposed. By simply spamming insanely long passwords into a login form, for example, the servers calculating the hash get easily overloaded. Even with rate limiting, only a small number of attacking nodes can be used to pull down a site.

    So a maximum number of characters for a password is a valid thing to do. HOWEVER the maximum length for this purpose is usually set at something like 2048 or 4096 characters.

    There is no excuse for a max password length of 16, that’s just terrible.

    • NotMyOldRedditName@lemmy.world · 3 upvotes · 3 days ago

      You could put a timeout on the hash function so that it can’t be abused that way, but then… why not just make a limit so it can’t anyway.

    • Showroom7561@lemmy.ca (OP) · 11 upvotes · 4 days ago

      There is no excuse for a max password length of 16, that’s just terrible.

      I get your point above, and the reason I hate short passwords is that I use passphrases. They are not only easier to type in, but long passphrases of 4+ words (plus a few extra characters and a number) are considerably more secure than the “best” 16-character password made up of random characters.

      Per your problem above, is this why some sites send you a 2FA code before asking for your password? To avoid that potential DOS attack?

      • Spaz@lemmy.world · 4 upvotes · 4 days ago

        Yes, in your specific scenario, you are right. But if you even the playing field, apples to apples: if you have 4 words of 4 letters each plus a random char at the end, let’s say equating to 20 characters in total, a random 20-character password is better. Words/phrases are now commonly added to brute-force attacks, unlike before. Use a good password plus 2FA that isn’t SMS or email for best protection, or dump passwords if you can for hardware keys.

    • some_guy@lemmy.sdf.org · 9 upvotes · 4 days ago

      Sixteen is the minimum where I work. We upped it at the end of last year. Fortunately, we also fixed our password policy to expire annually. It used to be every three months, which leads to recycling.

      • jagged_circle@feddit.nl · 8 upvotes · 3 days ago

        NIST recommended to never have passwords expire since like 3 decades. You gotta get rid of that. It makes your org less secure.

        Probably best to just fire whoever set that up. They’re clueless

        • filcuk@lemmy.zip · 3 upvotes · 3 days ago

          These policies typically come from top management. They’d have to fire themselves.

      • sugarfoot00@lemmy.ca · 7 upvotes · 3 days ago

        There’s always recycling. Or changing that final character from a 1 to a 2, etc. The human brain just can’t handle the complexity otherwise.

        • teft@lemmy.world · 2 upvotes · 3 days ago

          Use a couple words instead of letters, you’ll find it easier to remember and not use repeats. Bicycle Uber Pancake 4* should be more secure than some random bunch of letters you’ll forget.

          • sugar_in_your_tea@sh.itjust.works · 4 upvotes · 3 days ago

            Just use a password manager. No need to remember anything besides your master password. That works for pretty much everything, except I guess computer logins.

            • teft@lemmy.world · 3 upvotes · 3 days ago

              Well yes everyone should use a password manager but some people can’t load a password manager onto their work computer and therefore are more likely to use non-random passwords. It’s easier to remember a passphrase than a random password.

                • Kazumara@discuss.tchncs.de · 1 upvote · 2 days ago

                  We got SSO systems too, unfortunately, there are about 3 of them, lol. The old ADFS, the current Microsoft login (possibly cloud AD, not sure), and our own ID product that we offer to customers.

  • Dr. Wesker@lemmy.sdf.org · 55 upvotes · 4 days ago

    It’s informative. It informs you that you shouldn’t use the site, if possible. Because it’s also suggestive of poor security practices in general.

    • MelodiousFunk@slrpnk.net · 11 upvotes · edited · 4 days ago

      Yeah, imagine my shock and disappointment when encountering such limitations signing up for credit monitoring (by one of the big 3). It’s not enough that my employer has a breach, no. But also finding out that one of the big players has some ridiculous 12 character alphanumeric password restriction. Absolute dogshit.

      • sugar_in_your_tea@sh.itjust.works · 3 upvotes · 3 days ago

        A random 12-character password should take years to crack. But they’re probably also storing it as plaintext, so no need to crack, just breach the DB (which is probably also insecure).

    • shalafi@lemmy.world · 7 upvotes · 1 downvote · 4 days ago

      This is it right here. The new system has to talk to the old database which has a character limit for that field. Untold amounts of money and effort would be required to update the back end.

      • Jakeroxs@sh.itjust.works · 3 upvotes · 4 days ago

        Too real, I know of a company that is changing a number from 8 to 9 digits and it’s estimated to cost around 230m to complete. Insanity.

      • tinkling4938@lemmynsfw.com · 3 upvotes · 1 downvote · 3 days ago

        Passwords should be hashed to a fixed length. Character limit implies clear text passwords are stored.

  • who@feddit.org · 15 upvotes · edited · 4 days ago

    No, there is no valid reason to limit web passwords to lengths as short as 8 or 16 characters. If someone has built such a system with a technical limit that short, then what they have built is (from a security perspective) garbage.

    Thankfully, NIST finally dropped their terrible password guidelines of the past in favor of sensible ones. Perhaps this will lead to fewer bad decisions being made in web development circles.

    A few relevant sections:

    https://pages.nist.gov/800-63-4/sp800-63b.html#usability-considerations-by-authenticator-type

    https://pages.nist.gov/800-63-4/sp800-63b.html#length

    https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver

    Obligatory xkcd:

    https://xkcd.com/936/

    (To be clear, this comic’s approach to passphrases is sound advice.)

    • sugar_in_your_tea@sh.itjust.works · 1 upvote · 3 days ago

      Yeah, I usually limit passwords to 256 characters, because that’s way longer than anyone needs and still short enough to not worry about overloading something.

          • who@feddit.org · 2 upvotes · edited · 3 days ago

            Hashing takes up cpu time

            Oh my goodness.

            I am very skeptical of this reasoning. If hashing of 256-character passphrases, or even 2560-character passphrases, consumes enough CPU time to risk overloading your system, then I think you are in an infinitesimal niche worthy of a detailed write-up.

            If you’re worried about that load, just wait until you learn about key derivation functions.

            • filcuk@lemmy.zip · 2 upvotes · 2 days ago

              So you were questioning a password limit of 256 chars.
              Let’s say we do not impose a limit because we’re not worried about anything. We now get hit by a botnet trying to create accounts or login in thousands at the same time.

              Say we’re using Argon2id. This is obviously subject to hardware and parameters, but let’s say 8k characters take 5 seconds of (1) CPU time on your server.
              Now multiply this by 1000 attempts a second, and all your hardware does is calculate hashes.

              The input limit of Argon2 specifically is much, much higher than that at 2^32-1 bytes, at which point you might as well just take it offline yourself.

              If hashing of 256-character passphrases, or even 2560-character passphrases

              If we impose no limit, why would the attacker limit themselves to 2560 chars?

  • UnpopularCrow@lemmy.world · 15 upvotes · 1 downvote · 4 days ago

    It’s usually shoddy (or intended?) coding that only allows a 16 byte length for the password. One character equals one byte of memory so my guess is they only allocated 16 bytes of space for the password. The irony is NIST 2025 recommendations argue for AT LEAST 15 characters for passwords.

    • tleb@lemmy.ca · 20 upvotes · 4 days ago

      One character equals one byte of memory so my guess is they only allocated 16 bytes of space for the password.

      This is true for storing text in general but passwords aren’t supposed to be stored as text, they should be hashed. The size of the hash will depend on the hashing algorithm. In other words, if there’s a database limitation for the size of a password, it probably means they’re storing the password plaintext 💀

      More likely than not it’s just some poorly designed validation
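
      The two points made above, that a stored hash has the same size whatever the password length (Creat, tleb) and that a generous byte cap bounds the cost an attacker can impose on a memory-hard KDF (Thorry84, filcuk), shown together in one verifier-side sketch. This is an added example, not code posted by anyone in the thread. It uses hashlib.scrypt from the Python standard library as a stand-in for the Argon2id named above, since both are memory-hard password KDFs and scrypt needs no extra package; the cap of 4096 bytes, the record format and the cost parameters are constructed for the demo.

```python
import hashlib
import hmac
import os

# Added example, not posted by anyone in this thread. hashlib.scrypt (Python 3.6+)
# stands in for the Argon2id named above because it ships with the standard library;
# both are memory-hard password KDFs. Cap, record format and cost are constructed.
MAX_PASSWORD_BYTES = 4096        # the kind of cap Thorry84 describes: far above human need
SALT_BYTES = 16
DIGEST_BYTES = 32
SCRYPT_COST = {"n": 2 ** 14, "r": 8, "p": 1}   # roughly 16 MiB of memory per hash


class PasswordTooLong(ValueError):
    """Raised when the UTF-8 encoding of a password exceeds MAX_PASSWORD_BYTES."""


def password_bytes(password: str) -> bytes:
    """Treat the password as opaque bytes and enforce the cap on bytes, not characters.

    The check runs before any KDF work, so an oversized login attempt costs the
    server a length comparison rather than a full scrypt computation.
    """
    data = password.encode("utf-8")
    if len(data) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(f"{len(data)} bytes exceeds {MAX_PASSWORD_BYTES}")
    return data


def hash_password(password: str) -> str:
    """Return a record 'scrypt$<salt hex>$<digest hex>' of constant length.

    Whether the password is 8 or 4000 characters, the stored record is the same
    size, so a database column limit never has to know the password's length.
    """
    data = password_bytes(password)
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(data, salt=salt, dklen=DIGEST_BYTES, **SCRYPT_COST)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        data = password_bytes(password)
    except PasswordTooLong:
        return False                  # rejected before doing any expensive work
    algo, salt_hex, digest_hex = record.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(data, salt=bytes.fromhex(salt_hex),
                            dklen=DIGEST_BYTES, **SCRYPT_COST)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record, len(record))                                     # always 104 characters
    print(len(hash_password("a" * 4000)) == len(record))           # True: size is length-independent
    print(verify_password("correct horse battery staple", record)) # True
    print(verify_password("a" * 5000, record))                     # False, and scrypt never ran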

    • DocMcStuffin@lemmy.world · 6 upvotes · 4 days ago

      What’s funny is a character isn’t necessarily a byte now. It could be 1, 2, 3, or 4 bytes. Or only 2 or 4 bytes if we include utf-16 and 32. Character encodings are fun!

      • Elvith Ma'for@feddit.org · 5 upvotes · edited · 4 days ago

        Guess how many systems ‘with full unicode support’ are broken by using emojis in your username or password…

        • sugar_in_your_tea@sh.itjust.works · 2 upvotes · 3 days ago

          Which is dumb because passwords should be treated as opaque bytes then salted and hashed. If your code breaks due to invalid unicode, your code is broken.

          • jagged_circle@feddit.nl · 1 upvote · 3 days ago

            No. If you’re salting and hashing your passwords, you’re doing it wrong.

            We have password specific memory hard functions like argon that you should be using

        • nik9000@programming.dev · 4 upvotes · 4 days ago

          I’ve always wondered about Unicode normalization and passwords. I don’t know a ton about it, but I think it’s that things like ö can be represented as one character for the whole thing or two, one for the umlaut and another for o. That means that there are at least two sequences of code points that make the same… Glyph? I forget the word. The thing you see on the screen.

          Anyway, what if you have that ö in your password and one browser/keyboard/os/lovecraftian nightmare makes the mark one way and the other does it the other way? They aren’t the same bytes. So they won’t hash the same and you just can’t tell why. Without digging super deep.

          There are standard ways to normalize the Unicode but I don’t imagine most password systems use them. Maybe it’s some intermediate layer. But I kind of doubt it. Those are complex, evolving standards.

          Oh. And that “evolving” thing might make trouble for password systems. Are these standards backwards compatible in the way they’d need to be for a normalization upgrade not to break any passwords?

          Oh God, what nightmare have I found?
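
          The ö case described above, run through Python’s unicodedata so the bytes can be seen, alongside the lookalike problem Elvith raises and DocMcStuffin’s point that a “character” is 1 to 4 bytes. This is an added example, not code posted by anyone in the thread; the sample strings are constructed. The canonicalize step does what NIST SP 800-63B (linked earlier in the thread) recommends a verifier do before hashing: normalize to NFKC (or NFKD), then treat the UTF-8 bytes as the secret.

```python
import unicodedata

# Added example, not posted by anyone in this thread. All sample strings are constructed.


def canonicalize(password: str) -> bytes:
    """Normalize to NFKC, then encode as UTF-8. These bytes are what the KDF should be fed."""
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def raw_bytes_match(a: str, b: str) -> bool:
    """What a verifier that hashes the raw input effectively compares."""
    return a.encode("utf-8") == b.encode("utf-8")


def canonical_match(a: str, b: str) -> bool:
    """What a verifier that canonicalizes before hashing effectively compares."""
    return canonicalize(a) == canonicalize(b)


def lengths(s: str):
    """(code points as typed, code points after NFKC, UTF-8 bytes after NFKC).

    A '16 character' limit has to say which of these it counts; they differ.
    """
    normalized = unicodedata.normalize("NFKC", s)
    return len(s), len(normalized), len(normalized.encode("utf-8"))


# Constructed inputs.
COMPOSED = "sch\u00f6n"        # ö as a single code point, U+00F6
DECOMPOSED = "scho\u0308n"      # o followed by COMBINING DIAERESIS, U+0308: same glyph
LATIN = "pass"                  # plain ASCII
CYRILLIC = "p\u0430ss"          # Cyrillic small a, U+0430, standing in for Latin a
LIGATURE = "\ufb01le"           # "file" written with the U+FB01 fi ligature
EMOJI = "\U0001F600" * 4        # four grinning faces, one code point each

if __name__ == "__main__":
    print(raw_bytes_match(COMPOSED, DECOMPOSED))   # False: same glyph, different bytes
    print(canonical_match(COMPOSED, DECOMPOSED))   # True: NFKC composes o + diaeresis into ö
    print(canonical_match(LATIN, CYRILLIC))        # False: normalization does not merge lookalikes
    print(lengths(DECOMPOSED))                     # (6, 5, 6)
    print(lengths(LIGATURE))                       # (3, 4, 4): NFKC expands the ligature to f + i
    print(lengths(EMOJI))                          # (4, 4, 16): four bytes per emoji
```

          On the last question in the post above: Unicode’s normalization stability policy guarantees that the normalization of any string made only of already assigned characters does not change in later versions, so a verifier that canonicalizes before hashing does not see existing passwords break on a Unicode upgrade. The residual gap is a password containing a code point that was unassigned when it was set. Lookalikes are a different problem: normalization deliberately leaves Latin a and Cyrillic а distinct, so that is a usability issue, not something the verifier can paper over.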

          • Elvith Ma'for@feddit.org · 1 upvote · edited · 3 days ago

            Better yet, if you include users: there are so many lookalike characters (and additionally all those diacritics to make more lookalikes) that look the same, so that a human most certainly can’t/won’t tell them apart, but that are completely different codepoints.

            I � Unicode!

  • chickenf622@sh.itjust.works · 10 upvotes · 1 downvote · 4 days ago

    Yeah that’s cause they’re using ancient systems that probably store the password in plaintext. If you absolutely must use it make sure that password is only used on that specific site. I would strongly recommend looking for other ways before you do though.

    • Showroom7561@lemmy.ca (OP) · 8 upvotes · 4 days ago

      If you absolutely must use it make sure that password is only used on that specific site. I would strongly recommend looking for other ways before you do though.

      Not only did I use a completely unique and random password, but all the “security questions” (they asked for quite a few), were just random words for things like “Your pet’s name”.

      In addition to the shitty password requirement, 2FA is also done by phone or text. Like, come on!

      • drspod@lemmy.ml · 6 upvotes · 4 days ago

        You should treat security questions like passwords and use strong alphanumeric passwords as the answers. Just make sure to store them in your password manager in such a way that you can remember which one goes with which question!

      • sugar_in_your_tea@sh.itjust.works · 1 upvote · 3 days ago

        At least provide email as an option, which might at least be TLS encrypted. If you’re going to screw up security, at least make it something I can somewhat secure.

  • Subscript5676@lemmy.ca · 6 upvotes · 4 days ago

    There’s no good reason today and in the future, period.

    There are “experts” who still claim these, but they are based on a very dated recommendation from at least 15 - 20 years ago at this point. To some, such non-sensical requirements (by the fact that we should be storing passwords as hashes today) have become doctrine, rather than any fact based in reality.

    And some users have been conditioned into thinking that these are good security practices as well, because governments and banks still make use of them, and these are the very organizations that should be the best-in-class when it comes to security. Some of these users become CEOs or product designers with more say than their IT and security experts in the company. The rest is history from there.

    • drspod@lemmy.ml · 11 upvotes · 1 downvote · 4 days ago

      You don’t want your password to be encrypted, you want it to be hashed.

      • Optional@lemmy.world · 5 upvotes · 4 days ago

        I was going to say hashing is a kind of encryption but I can tell you’re an engineer, so I’ll simply link my feeble cite and go back to my corner quietly.

        • drspod@lemmy.ml · 10 upvotes · 4 days ago

          The fundamental difference is that hash functions are designed to be irreversible (one-way functions), whereas encryption is designed to be reversible (where the inverse operation is called “decryption”).

  • witheyeandclaw@lemmy.sdf.org · 6 upvotes · 4 days ago

    Piggybacking on this because I do IT for a major US bank that requires passwords to be a set number of characters for its employees. I don’t want to be specific, but it’s in the range OP posted of 8-16.

          • shalafi@lemmy.world · 1 upvote · 1 downvote · 4 days ago

            If the company is not using WSUS, or the like, to manage updates, that’s on the IT department.

              • shalafi@lemmy.world · 1 upvote · 3 days ago

                I’ll explain slow. MS offers a native way to manage updates, both for servers and workstations. It’s called Windows Server Update Services (WSUS).

                Assuming you have your shit together as a Windows admin, you’re running the infrastructure on Active Directory (AD). WSUS is how you control and roll out Windows updates in an AD environment.

                No surprises, no bullshit. Roll updates however it works for your org.

                Questions?

                • over_clox@lemmy.world · 1 upvote · 3 days ago

                  Why the fuck would I ask any questions?

                  I literally patched and updated MicroXP 0.82 to the point that it can run Windows 7 in VirtualBox.

  • DocMcStuffin@lemmy.world · 5 upvotes · 4 days ago

    There was one point in time when Intel’s website only allowed up to 14 characters and disallowed certain special characters. If I had to guess why, fear of inadequate error checking and fear of SQL injection.

  • over_clox@lemmy.world · 3 upvotes · 1 downvote · 4 days ago

    This is an interesting question. Honestly, I’ve never signed up with any government website.

    This begs the question though, what country?

    I’m from the USA and have little to no reason to trust signing up on a government website.

    • Showroom7561@lemmy.ca (OP) · 3 upvotes · 4 days ago

      This begs the question though, what country?

      Canada. We do a lot through our government systems: license plate renewal, address changes, taxes, benefits, etc.

      • over_clox@lemmy.world · 1 upvote · 4 days ago

        Here in the USA, I just prefer to show up in person.

        Hell, just 2 days ago I went in to renew my mother’s auto tag. She wasn’t even with me.

        Easy peasy.

        • Showroom7561@lemmy.ca (OP) · 4 upvotes · 4 days ago

          Interestingly enough, I went to check on how to apply for our new dental care plan, and they only give the option to apply online. 😵

          I don’t generally mind doing government-related stuff online, since it’s minutes rather than hours of my time. But this password thing, for a government site, is awful.

          • over_clox@lemmy.world · 1 upvote · edited · 4 days ago

            It took me about 8 months to learn…

            If it’s an emergency, you can literally tell the dentist what to do, especially if it happens to involve an abscess.

            The dentist wanted to lecture me, like I should have been in there months sooner.

            I straight up told her to fuck off, I already knew that, but couldn’t afford it prior. Then I told her to get to work, quit leaving me suffering…

            Edit: Why am I kinda cross posting the things on my mind right now? The system in the USA is and has been so fucked up for a long time…