It’s infuriating to create a “strong password” with letters, numbers, upper and lowercase, symbols, and non-repeating text… but it has to be only 8 to 16 characters long.
That’s not a “strong” password, random characters or not.
Is there a limitation that somehow prevents these sites from allowing more than 16 characters?
I’m talking government websites, not just forums. It seems crazy to me.
So you were questioning a password limit of 256 chars.
Let’s say we do not impose a limit because we’re not worried about anything. We now get hit by a botnet trying to create accounts or log in in thousands at the same time.
Say we’re using Argon2id. This is obviously subject to hardware and parameters, but let’s say 8k characters take 5 seconds of (1) CPU time on your server.
Now multiply this by 1000 attempts a second, and all your hardware does is calculate hashes.
The input limit of Argon2 specifically is much, much higher than that at 2^32-1 bytes, at which point you might as well just take it offline yourself.
If we impose no limit, why would the attacker limit themselves to 2560 chars?
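As an added example (not code from the thread), here is the mitigation the reply argues for: a registration and login path that rejects over-long passwords in cheap, constant work before the memory-hard KDF ever runs, so an 8k-character submission costs nothing but a length comparison. It assumes `hashlib.scrypt` from Python's standard library in place of Argon2id (which is not in the standard library) and uses the 256-character cap discussed above as the policy bound.

```python
import hashlib
import hmac
import os

# Policy bounds: the cap is checked in O(1) work before any hashing happens.
MIN_PASSWORD_CHARS = 8
MAX_PASSWORD_CHARS = 256  # the figure discussed in the thread

# scrypt parameters (assumed; tune for your hardware). Memory cost is about 128*r*n bytes.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1

_kdf_calls = 0  # how many times the expensive KDF actually ran


class PasswordPolicyError(ValueError):
    """Raised when a candidate password violates the length policy."""


def kdf_call_count() -> int:
    """Exposes the KDF counter so callers can confirm rejected input never reached it."""
    return _kdf_calls


def validate_password(password: str) -> bytes:
    """Cheap length check that runs before any hashing; returns the UTF-8 bytes on success."""
    length = len(password)
    if length < MIN_PASSWORD_CHARS:
        raise PasswordPolicyError(f"password shorter than {MIN_PASSWORD_CHARS} characters")
    if length > MAX_PASSWORD_CHARS:
        raise PasswordPolicyError(f"password longer than {MAX_PASSWORD_CHARS} characters")
    return password.encode("utf-8")


def derive_key(password: bytes, salt: bytes) -> bytes:
    """The expensive, memory-hard step; only reachable after validation."""
    global _kdf_calls
    _kdf_calls += 1
    return hashlib.scrypt(password, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def register(password: str):
    """Returns (salt, stored_hash); raises PasswordPolicyError without touching the KDF."""
    pw = validate_password(password)
    salt = os.urandom(16)
    return salt, derive_key(pw, salt)


def verify(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """Login check: out-of-policy candidates are refused before the KDF cost is paid."""
    try:
        pw = validate_password(password)
    except PasswordPolicyError:
        return False
    return hmac.compare_digest(derive_key(pw, salt), stored_hash)
```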