this post was submitted on 30 May 2025
115 points (98.3% liked)

privacy

4849 readers
26 users here now

Big tech and governments are monitoring and recording your eating activities. c/Privacy provides tips and tricks to protect your privacy against global surveillance.

Partners:

founded 3 years ago
MODERATORS
Kokomheart@lemmy.ca
QuentinCallaghan@sopuli.xyz
altair222@beehaw.org
115
What is it with websites restricting passwords to 8 - 16 characters? Is there some technical limitation to their system?? (lemmy.ca)
submitted 3 weeks ago by Showroom7561@lemmy.ca to c/privacy@lemmy.ca
83 comments fedilink hide all child comments
 

It's infuriating to create a "strong password" with letters, numbers, upper and lowercase, symbols, and non-repeating text... but it has to be only 8 to 16 characters long.

That's not a "strong" password, random characters or not.

Is there a limitation that somehow prevents these sites from allowing more than 16 characters?

I'm talking government websites, not just forums. It seems crazy to me.

you are viewing a single comment's thread
view the rest of the comments
[–] Thorry84@feddit.nl 51 points 3 weeks ago (13 children)

There are valid reasons to limit password length. For example when a hashing function is used that requires a lot of processing power and the amount of power required to calculate the hash is related to the length. In that (very common) case, a denial of service attack vector is exposed. By simply spamming insane long passwords into a login form for example, the servers calculating the hash get easily overloaded. Even with rate limiting, only a small number of attacking nodes can be used to pull down a site.

So a maximum number of characters for a password is a valid thing to do. HOWEVER the maximum length for this purpose is usually set at something like 2048 or 4096 characters.

There is no excuse for a max password length of 16, that's just terrible.

[–] some_guy@lemmy.sdf.org 10 points 3 weeks ago (8 children)

Sixteen is the minimum where I work. We upped it at the end of last year. Fortunately, we also fixed our password policy to expire annually. It used to be every three months, which leads to recycling.

[–] sugarfoot00@lemmy.ca 7 points 2 weeks ago (1 children)

There's always recycling. Or changing that final character from a 1 to a 2, etc. The human brain just cant handle the complexity otherwise.

[–] teft@lemmy.world 2 points 2 weeks ago (1 children)

Use a couple words instead of letters, you’ll find it easier to remember and not use repeats. Bicycle Uber Pancake 4* should be more secure than some random bunch of letters you’ll forget.

[–] sugar_in_your_tea@sh.itjust.works 4 points 2 weeks ago (1 children)

Just use a password manager. No need to remember anything besides your master password. That works for pretty much everything, except I guess computer logins.

[–] teft@lemmy.world 3 points 2 weeks ago (1 children)

Well yes everyone should use a password manager but some people can't load a password manager onto their work computer and therefore are more likely to use non-random passwords. It's easier to remember a passphrase than a random password.

[–] sugar_in_your_tea@sh.itjust.works 2 points 2 weeks ago (1 children)

Fortunately, we force everyone to use a password manager at my company. SSO all the things!

[–] Kazumara@discuss.tchncs.de 1 points 2 weeks ago

We got SSO systems too, unfortunately, there are about 3 of them, lol. The old ADFS, the current Microsoft login (possibly cloud AD, not sure), and our own ID product that we offer to customers.

load more comments (6 replies)
load more comments (10 replies)