Mildly Infuriating

YES, it pisses me off so much. Though I do kind see for some things having some upper limit of 256 for certain services. But I may be wrong in thinking that.

For example I want a secure bank password but I only need it so long. Mainly because unlike my E2EE service if they are servered a warrant or hacked through another service all my data is there. Basically I can only do so much.

At one point years ago my work finally caught up with the 21st century and allowed creation of passwords longer than the fixed 8 characters it had always been. So I said great, made up something that was around 12 or so that I could remember. Until I logged into some terminal legacy programs we were still using and wouldn't take that length. So yeah, I went back to 8 characters that wouldn't break things. They eventually migrated away from such old programs and longer passwords became mandatory since they'd work everywhere, but I thought it was funny that briefly I tried to do the right thing but IT hadn't thought out the whole picture yet.

My bank does this 💀

https://dumbpasswordrules.com/sites/chase-bank/

There's a joke in there somewhere.

Hey at least it told you there maximum length, i signed up paramount+ last night and it only said 42 characters was too long.

I also hate these kind of websites.

My best experience... They allowed me to set a 100 characters password, but then changed the limits a year later, so that you couldn't even login anymore.

You think that's infuriating? Imagine having an ISP that wants you to pick a password of max 8 characters.

There was a game launcher for a popular game that required a minimum of 8 characters but only used the first 8 characters and it wasn't case sensitive. So something like PassWord12345!? could be entered when changing the password, but you could sign in with any of the following:

• password1234
• PassWord123499(#$%
• Password12345!?
• passWord12345!
• pASSword12345?!
• PassWord123499(#$%
• password

I haven't logged in for years so I'm not sure if it is still working that way.

Sounds like they're using bcrypt. Feeding more than 24 utf8 characters into bcrypt won't do anything useful. You can permit longer passwords (many sites do) but they'd be providing a false sense of security.

Bcrypt is still secure enough and 24 characters are fine as long as they're randomly generated by your password manager.

It can also be just a randomly chosen limit. I work as a software engineer on a custom management software for a big client. For whatever reason until recently, the limit for email addresses in the master data was 50 character. Why? No clue but someone had decided that randomly in the past. Now it was increased to 100. Why again? According to RFC 5321 a limit of 254 would be the most sensible one. But the people who come up with those requirements just don't care. They decided it to be 100 from now on for no apparent reason.

Then we have many input fields, that have a limit of 255 character. Why not 256? Why such a weird number in general? The people who use this software in production are most likely not the ones who usually think in powers of two. So why not make it 250 or 300 oder whatever?

Sometimes those limits are just arbitrary with no technical or logical reason to back them up. Which doesn't make it less stupid mind you.

Used to run into this more. Some legacy systems imposed password limits that seem archaic by modern standards. The authentication system was just supporting systems from before newer standards were created.

I think some of those compatibility layers outlived the systems they needed to be compatible with. The people that knew the system retired ages ago and the documentation was lost 3 or 4 "documentation system" changes ago.

Anyway, those have no place on the modern web.