In password security, the longer the better. With a password manager, using more than 24 characters is simple. Unless, of course, the secure password is not accepted due to its length. (In this case, through STOVE.)

This possibly indicates cleartext storage in a length-limited field (an absolute no-go), or otherwise suboptimal or lacking security practices.

  • 4grams@awful.systems · 12 upvotes · 1 hour ago

    This shit pisses me off so bad. I had an identity theft a few years back, took ages to undo, and my credit score is still impacted by it. At the time I moved to a password manager and all my passwords are 31 characters of garbage. I've got several highly sensitive accounts that my passwords don't work for; in fact one, a bank, had until fairly recently repurposed a phone number field in the DB so passwords were limited to 10 characters, numeric only (I managed to get one of their IT folks on the horn to explain why the password was so awful).

    I cannot believe we live in 2025 and we still haven’t figured out passwords.

    • DarkSirrush@lemmy.ca · 6 upvotes · 1 hour ago

      My bank forces a 6 digit PIN as a password.

      Their 2fa is also email or text only.

      At least we can set a unique username?

      • 4grams@awful.systems · 2 upvotes · 1 hour ago

        Yeah, I’m up to 40 hide my addresses for that same reason. Figure if the password sucks, at least the email can be unique and obscure.

    • bleistift2@sopuli.xyz · 1 upvote · 39 minutes ago

      We have figured out passwords. Management hasn’t figured out allocating resources to security, and governments haven’t figured out fining the crap out of such companies.

    • Oniononon@sopuli.xyz · 1 upvote · 59 minutes ago

      All our banks and government systems and many online services work on a government's own 2FA, and there are several variants. They are linked to phone and require inputting PINs. Very comfortable, very secure and very convenient. Also very fast.

      • 4grams@awful.systems · 1 upvote · 49 minutes ago

        Don’t get me wrong, there are systems that work. I built up a very successful smart card based system many years ago after a failed audit. I initially hated the idea but in the end we built a crazy secure environment that was very easy to use and maintain. That project is long since obsolete but after doing that one, over a decade ago, I figured things were headed in the right direction.

        I think I’m extra sensitive right now because my aging mom has made the issue acute. She’s not the same as she was a few years ago and helping her with all her online accounts has become a nightmare. It’s just too complicated for many folks.

  • SCmSTR@lemmy.blahaj.zone · 1 upvote · 6 minutes ago

    One time I worked a job where you had to make EXACTLY a 12 character password using only ten letters and two numbers.

  • Mark@lemmy.world · 12 upvotes · 2 hours ago

    How about creating a new account, letting Bitwarden create a password, only for them to send me a cleartext copy of that password in their confirmation email…

  • brax@sh.itjust.works · 2 upvotes · 59 minutes ago

    Banks are the fucking worst for this. I assume it’s because they’re built on some 500 year old CICS mainframe.

  • sexy_peach@feddit.org · 2 upvotes, 1 downvote · 38 minutes ago

    In password security, the longer the better.

    This is only true up to a certain point.

  • 4am@lemm.ee · 11 upvotes · edited · 2 hours ago

    Don’t worry, pretty soon they will just block password managers from autofilling fields on their login page so that you HAVE to remember your password! Then you’ll be happy it can’t be that long, you can only fit so much on a post-it note on the side of your monitor

    /s

    EDIT: I think there should be a law against blocking password managers for filling in fields. Any brute force bots are going to submit HTTP requests directly anyway; no one is hitting the DOM to do that

    • bleistift2@sopuli.xyz · 1 upvote · 38 minutes ago

      I think there should be a law against blocking password managers for filling in fields.

      I’ve never heard of anyone trying to do that. I couldn’t even imagine how a website could detect a password manager.

  • The Infinite Nematode@feddit.uk · 29 upvotes · 4 hours ago

    My mum told me the other day she logged onto a new bank, gave it a 12 character password, then couldn't get back in after. When she got through to their customer services they said that it was an 8 character password limit (!), but it just never said so on the register screen.

  • Treczoks@lemmy.world · 3 upvotes · 2 hours ago

    I got a login on an IBM system. I logged in and moved to the change password mask. Changed my password to something filling out the 12 character new password field. Logged out, and got the login mask again. With an eight character password field.

  • Mr. Satan@lemm.ee · 2 upvotes · 2 hours ago

    Most likely it’s just a validation not related to actual storage of the information.
    It’s something that can happen automagically when using a library. I wouldn’t be too surprised if this length limitation is just a default of whatever registration solution they are using.

  • _cnt0@sh.itjust.works · 4 upvotes · 2 hours ago

    Then again, there’s not much point to super long passwords. They’ll be turned into hashes, commonly of 128, 196, or 256 bits length. When brute forcing, by a certain length, it’s pretty much guaranteed there’s a shorter combination computing to the same hash. And an attacker doesn’t need your password, just some password that computes to the same hash. With 256 bit hashes a password with 1000 characters isn’t more secure than one with 15 in any meaningful way.
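To put numbers on the length-versus-hash-width argument in the comment above, here is an added example (my own code, not from any commenter). It assumes the password is generated uniformly at random by a manager, so its entropy is L·log2(N) bits for L symbols from an alphabet of N; human-chosen passwords have far less. The functions compute that entropy, the length at which it reaches a given hash output width (past which extra characters stop buying anything against an attacker who only needs some preimage), and the worst-case time to enumerate the whole space at an assumed guess rate. The alphabet sizes and guess rates are constructed for illustration.

```python
"""Added example: password entropy versus hash output width.

Not code from the original post or any commenter. Alphabet sizes and
guess rates below are constructed inputs for illustration.
"""
import math

# Symbol counts for some common password alphabets (constructed).
ALPHABETS = {
    "digits": 10,            # e.g. the 6-digit bank PIN mentioned in the thread
    "lowercase": 26,
    "alphanumeric": 62,
    "printable_ascii": 94,   # roughly what a password manager draws from
}


def entropy_bits(length, alphabet_size):
    """Entropy in bits of a uniformly random password of `length` symbols."""
    if length < 0 or alphabet_size < 2:
        raise ValueError("need non-negative length and an alphabet of at least 2")
    return length * math.log2(alphabet_size)


def length_to_match_hash(hash_bits, alphabet_size):
    """Smallest length whose entropy reaches a hash output of `hash_bits` bits.

    Beyond this length a second-preimage search on the hash itself is no
    harder than guessing the password, so extra characters add nothing.
    """
    return math.ceil(hash_bits / math.log2(alphabet_size))


def years_to_exhaust(length, alphabet_size, guesses_per_second):
    """Worst-case time to enumerate every password of this shape."""
    seconds = alphabet_size ** length / guesses_per_second
    return seconds / (365 * 24 * 3600)


def crossover_table(hash_widths=(128, 256)):
    """For each alphabet, the lengths at which entropy meets each hash width."""
    return {
        name: {bits: length_to_match_hash(bits, size) for bits in hash_widths}
        for name, size in ALPHABETS.items()
    }


if __name__ == "__main__":
    for name, size in ALPHABETS.items():
        print(f"{name:16s} {entropy_bits(15, size):6.1f} bits at 15 chars; "
              f"needs {length_to_match_hash(256, size)} chars to match a 256-bit hash")
    # A 6-digit PIN against an online guesser throttled to 1000 guesses/s (constructed rate).
    print(f"6-digit PIN: {entropy_bits(6, 10):.1f} bits, "
          f"{years_to_exhaust(6, 10, 1_000) * 365 * 24:.1f} hours to exhaust")
```

With 94 printable characters the crossover is about 20 characters for a 128-bit digest and about 40 for a 256-bit one; a 15-character random password sits near 98 bits, so it is still the password, not the hash, that bounds the attacker at that length.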

  • eronth@lemmy.dbzer0.com · 8 upvotes · 3 hours ago

    The password on my PC is something like 30 characters long. Back when win10 was first coming out, they were pushing getting an actual outlook account and tying that to your login. I was hesitant at first, but figured I’d try it out and see how that worked for me.

    Turns out outlook accounts (at the time) had something like a 16 character limit on passwords. Bruh.

    • owl@infosec.pub · 2 upvotes · edited · 2 hours ago

      I don't understand rule 5. "Digits shall add up to 25." I have a 1 and a 24, and it doesn't accept it :(
      Figured it out: it adds digits, not numbers.

  • TrickDacy@lemmy.world · 3 upvotes · 2 hours ago

    I had this problem with a fucking bank once. Even better are the sites that silently chop off characters after the internal limit, on the backend, but don’t tell you or limit the characters on the frontend. I had a really fun time with that last scenario once, resetting my password over and over and having it never work until I decided to just try a shorter password.

  • tarsisurdi@lemmy.eco.br · 79 upvotes · edited · 6 hours ago

    I once registered an account with a random ~25 characters long password (Keepass PM) for buying tickets on https://uhuu.com.br/

    The website allowed me to create the account just fine, but once I verified my e-mail, I couldn’t log into it due to there being a character limit ONLY IN THE LOGIN PASSWORD FIELD. Atrocious.

    EDIT: btw, the character limit was 12
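The post's point that a hard length cap suggests cleartext storage in a limited field, and the two failure modes described in the comments (a backend that silently chops the password after an internal limit, and a limit enforced on only one of the two forms), can be reproduced in a few lines. The following is an added example, my own code and not from the original post, any commenter, or any of the sites named in the thread. It simulates a legacy backend with an assumed 10-character cleartext column beside a backend that stores a salted PBKDF2-HMAC-SHA256 digest; the column width, user names and the 1024-byte upper bound are assumptions, and the passwords are constructed.

```python
"""Added example: why a length cap is a smell, and how silent truncation bites.

Not code from the original post or any commenter. Column width, limits
and sample passwords below are assumptions constructed for illustration.
"""
import hashlib
import hmac
import os

# Upper bound on what we will even hash (assumption). It exists only to stop a
# client feeding megabytes into a slow KDF, not to fit a storage column.
MAX_PASSWORD_BYTES = 1024


class FixedWidthCleartextStore:
    """Legacy-style backend: cleartext password in a fixed-width column.

    The column silently truncates on insert. If the login path does not
    truncate the same way, a long password 'works' at registration and then
    never logs in; if it does, only the first WIDTH characters ever matter.
    """

    WIDTH = 10  # assumed column width, like a repurposed phone-number field

    def __init__(self, truncate_on_login=False):
        self._rows = {}
        self._truncate_on_login = truncate_on_login

    def register(self, user, password):
        self._rows[user] = password[:self.WIDTH]  # silent truncation

    def login(self, user, password):
        stored = self._rows.get(user)
        if stored is None:
            return False
        candidate = password[:self.WIDTH] if self._truncate_on_login else password
        return stored == candidate


class HashedStore:
    """Backend that stores a per-user salt and a PBKDF2-HMAC-SHA256 digest.

    The digest has a fixed size whatever the input length, so the only bound
    is the DoS guard above, applied identically on registration and login.
    """

    ITERATIONS = 600_000  # OWASP's current figure for PBKDF2-HMAC-SHA256

    def __init__(self):
        self._rows = {}

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, HashedStore.ITERATIONS
        )

    @staticmethod
    def _check_length(password):
        if len(password.encode("utf-8")) > MAX_PASSWORD_BYTES:
            raise ValueError("password exceeds MAX_PASSWORD_BYTES")

    def register(self, user, password):
        self._check_length(password)
        salt = os.urandom(16)
        self._rows[user] = (salt, self._digest(password, salt))

    def login(self, user, password):
        self._check_length(password)  # same rule on both forms
        row = self._rows.get(user)
        if row is None:
            self._digest(password, b"\x00" * 16)  # burn equal work; no user oracle
            return False
        salt, stored = row
        return hmac.compare_digest(stored, self._digest(password, salt))


def demo():
    """Returns (long_pw_fails_on_legacy, prefix_logs_in_on_legacy, long_pw_works_on_hashed)."""
    long_pw = "correct-horse-battery-staple31c"  # constructed, 31 characters

    legacy = FixedWidthCleartextStore()
    legacy.register("alice", long_pw)
    fails = not legacy.login("alice", long_pw)       # stored value is only 10 chars
    prefix_ok = legacy.login("alice", long_pw[:10])  # attacker needs 10 chars, not 31

    hashed = HashedStore()
    hashed.register("alice", long_pw)
    works = hashed.login("alice", long_pw) and not hashed.login("alice", long_pw[:10])
    return fails, prefix_ok, works


if __name__ == "__main__":
    print(demo())
```

Two caveats worth keeping in mind when reading a length limit: a modest cap (a few hundred bytes or a kilobyte) in front of a slow KDF is legitimate and is not evidence of cleartext storage, and bcrypt in particular only uses the first 72 bytes of its input, so a backend on bcrypt should either reject or pre-hash anything longer rather than silently truncating.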