It’s infuriating to create a “strong password” with letters, numbers, upper and lowercase, symbols, and non-repeating text… but it has to be only 8 to 16 characters long.

That’s not a “strong” password, random characters or not.

Is there a limitation that somehow prevents these sites from allowing more than 16 characters?

I’m talking government websites, not just forums. It seems crazy to me.

  • Creat@discuss.tchncs.de
    732·
    1 month ago

    It’s a massive red flag. It implies that they are actually storing the password instead of a (preferably salted) hash and that they have no idea what good security practices are. Storing a hash leads to same-size strings, no matter the length of the password.

    • sugar_in_your_tea@sh.itjust.works
      14·
      1 month ago

      And there’s no reason a database can’t store a very long hash as well. Storage is cheap for this kind of thing.

    • sik0fewl@lemmy.ca
      10·
      1 month ago

      That’s why I only store and compare the first 8 characters.

    • jagged_circle@feddit.nl
      3·
      1 month ago

      They shouldn’t have been using salted hashes for a decade or more. Best is to use a memory-hard password hash function like Argon.

      • brisk@aussie.zone
        2·
        1 month ago

        Can you expand on this? My experience with Argon is looking up a Wikipedia page in response to this comment, but it looks like it uses a salt as an input?

        • jagged_circle@feddit.nl
          1·
          1 month ago

          It’s a password-specific function. It’s also memory hard.

          As opposed to generating a salt and passing that with the password through sha256 or something, which is bad practice.
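Added example (not code from any poster in the thread): the salted, memory-hard, fixed-length password hashing the thread describes, using Python's standard-library `hashlib.scrypt` as a stand-in for Argon2, which is not in the standard library. The sample passwords, cost parameters and the `scheme$N$r$p$salt$digest` record format are constructed for illustration; the point shown is that the stored record is the same size for an 11-character and a 150-character password, so a 16-character cap is not a storage requirement.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample passwords of very different lengths (illustration only).
SHORT_PW = "Tr0ub4dor&3"
LONG_PW = "correct horse battery staple " * 4 + "plus a long tail of extra words"

# scrypt cost parameters (assumed values): N must be a power of two and
# memory use is roughly 128 * N * r bytes, i.e. about 16 MiB here.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DIGEST_LEN = 32          # bytes of output, independent of password length
MAXMEM = 64 * 1024 * 1024


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted, memory-hard hash and return a storable record string.

    A fresh random 16-byte salt is generated unless one is supplied (the
    explicit salt argument exists only to make results reproducible in tests).
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                            maxmem=MAXMEM, dklen=DIGEST_LEN)
    # The record carries the parameters and salt so they can be upgraded later.
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    scheme, n, r, p, salt_hex, digest_hex = record.split("$")
    if scheme != "scrypt":
        raise ValueError(f"unsupported scheme: {scheme}")
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p),
                            maxmem=MAXMEM, dklen=len(digest_hex) // 2)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for pw in (SHORT_PW, LONG_PW):
        rec = hash_password(pw)
        print(f"password length {len(pw):3d} -> record length {len(rec)}")
```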