It’s infuriating to create a “strong password” with letters, numbers, upper and lowercase, symbols, and non-repeating text… but it has to be only 8 to 16 characters long.
That’s not a “strong” password, random characters or not.
Is there a limitation that somehow prevents these sites from allowing more than 16 characters?
I’m talking government websites, not just forums. It seems crazy to me.
This is it right here. The new system has to talk to the old database which has a character limit for that field. Untold amounts of money and effort would be required to update the back end.
Too real. I know of a company that is changing a number from 8 to 9 digits, and it’s estimated to cost around 230m to complete. Insanity.
Passwords should be hashed to a fixed length. A character limit implies clear-text passwords are stored.
What if the pass is only temporarily stored in a db table, then instantly hashed and dropped? Obviously, I’m no db admin. :(
Best practice is never to store a password in the clear.
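As an added illustration of the point made in the last three comments (example code, not from any poster in the thread): a Python routine that stores passwords as a salted PBKDF2 hash, so the stored record has the same width whether the password is 8 or 200 characters and the database column never needs a password-length limit. The PBKDF2 parameters are assumptions, not from the thread.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters assumed for this example (PBKDF2-HMAC-SHA256); not from the thread.
HASH_NAME = "sha256"
ITERATIONS = 600_000   # work factor; raise over time as hardware gets faster
SALT_BYTES = 16        # per-password random salt
DIGEST_BYTES = 32      # derived key length; output width does not depend on input


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a fixed-width record 'salt$hash' (hex) for a password of any length."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, ITERATIONS, dklen=DIGEST_BYTES
    )
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS,
        dklen=DIGEST_BYTES,
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def record_length(password: str) -> int:
    """Width of the stored record: always 32 + 1 + 64 = 97 characters here."""
    return len(hash_password(password))


if __name__ == "__main__":
    # Constructed sample inputs: an 8-character password and a 200-character passphrase.
    for pw in ["short8ch", "x" * 200]:
        rec = hash_password(pw)
        print(len(pw), "chars ->", len(rec), "chars stored;", verify_password(pw, rec))
```

The stored column can therefore be a fixed-width string (97 characters with these parameters); the only length bound worth enforcing on input is a generous denial-of-service cap, not 16 characters.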