top | item 47049002

(no title)

Having more than just alphanumeric characters widens the domain of the password hash function, and this directly increases the difficulty of brute-force cracking. But having a such a small maximum password length is... puzzling, to say the least. I would accept passwords of up to 1 KiB in length.

With rainbow tables, even 11-character simple passwords like 'password123' can be trivially cracked, and as the number of password leaks show, not everyone is great at managing secrets and credentials.

discuss

empyrrhicist|12 days ago

It's easier for me to remember really long passphrases than even short alphanumeric strings - small maximum password lengths set my teeth on edge. The passwords should be getting hashed anyway right?

raddan|12 days ago

The problem is that you never really know what a website operator does with your credentials. Ideally, you have both a unique email and a unique password for each site, because sadly credential stuffing [1] is a thing.

[1] https://en.wikipedia.org/wiki/Credential_stuffing

abustamam|12 days ago

Should being the operative word...

abustamam|12 days ago

I recommend all my friends and family to use a password manager like Bitwarden, and if they can't do that for some reason, at least use a 3-word passphrase separated by a hyphen.

The amount of times people have complained to me that this doesn't work because of low max-chars on passwords is insane.

empyrrhicist|12 days ago

One time I had to reset my password with the power company - they had such a system, and the lady had to read me something like:

Uh4zB4DP55WD!

Apparently I was a bit salty with the system when I set it.

The fact that she shouldn't have even been able to look up the password in the first place due to hashing was lost on her.

tshaddox|12 days ago

I bet the rationale would be "anything over 12 characters will be too hard to remember and people will just write down the password."

empyrrhicist|12 days ago

But it's a maximum. It prevents people that want to use passphrases from doing so.

unethical_ban|12 days ago

Until the late 2010s, the AD account password at my financial institution employer was capped at 12 characters because, for a subset of workers, AD creds were sync'ed to a mainframe application that could only support that many characters.

abustamam|12 days ago

I think we (whoever we is) should start normalizing the concept of passphrases; on sign-up screens they should show the benefits of a passphrase. I'm surprised that Googles PW generator does not use passphrases, and I don't know about ios because I haven't tried theirs yet.

I started using passphrases after I saw this xkcd https://xkcd.com/936/

When I'm trying to log into something on a device that has a terrible keyboard, like a TV or giant touchscreen, it's a lot easier to type words I know than gibberish.