32
qdsp13
6y

Are you fucking kidding me Ubisoft? 8-16 characters??? Only letters and numbers???

Comments
  • 8
    I think the worst thing is that they cap the length to 16 characters. I mean my saved passwords also only contain characters from a-z but they have at least a length of 45.
  • 1
    16 should be good enough though for this purpose.
  • 1
    My web host allows only 8-15 characters in my account password without any provision for 2fa. Why, because fuck me that's why.
  • 6
    @BigBoo no. 16 Alphanumeric is not even sufficient for the electronic lock on my beer fridge.
  • 2
    @shaji Time to change, then?

    @Nato Yeah, banks have often a very low security policy. It's insane.
  • 3
    It's enough. They're planning to force 2FA down on every user, and they recommend it everywhere
  • 2
    @ilPinguino That's 36^16 combinations.

    If you went back to the beginning of time and managed to map out each combination, you wouldn't even be close to being done with one percent if you could do one a second.

    But I guess it's not strong enough for yer gaming needs.
  • 0
    @Jilano but they're cheap! But yeah, would have to move on soon
  • 2
    @BigBoo But what about one every millisecond?
  • 1
    @BigBoo It's just because I have a consistent password scheme, and it's really annoying when a website fucks with it and I have to try to remember all these retarded rules for each website.
  • 1
    @filthyranter If you could do 10000000000000 each second, you would be closer to 2% than 1% by now, if you started at the birth of the universe, let's say.

    So 1000 a second literally does not have any impact.

    Edit: one zero too much. Lol.
  • 2
    The only problem I see is no Unicode support. It shouldn't matter if they hash it.
  • 0
    I bet it has something to do with the company DB architecture being old and archaic, and it would be a huge hassle to rebuild everything. I work for a company that's in the same boat.
  • 2
    @BigBoo You miss quite a few things there.
    First, I am usually not limited to a single attempt at a time, I could use several instances and computers (or a dedicated brute forcing tool like hydra, given that it's a web app) to reduce the time needed.
    Second, what if the site got compromised? If a hashing algorithm was in place, which can probably be assumed of any application in the 21st century, a decreased password length and complexity can decrease the time needed before your creds are available for the bad guys.
    Third, it shows poor understanding of current hashing algorithms. A hash's length is independent of the secret's length and there are no limitations regarding the secret - it could be text, but it could also be, say, a binary file. Hell, your secret could be a whole disk image for all the algorithm cares (although this has other obvious inconveniences).
  • 0
    @ilPinguino Well. My point still stands on your case 1. You still have to enumerate a fuckton of attempts each second. See my math in later comments.

    Same goes if it's compromised. Tbh. It's the same thing just faster since you can do it locally.

    The third part I do agree with you though. A sufficiently strong hash should be enough. I can't for the life of me figure out why they would want to limit it. But I can come to the conclusion that the limit is sufficiently strong.
  • 0
    My password has special chars.
  • 0
    @Nato your bank PIN works on ATM networks, not the internet. Terrible comparison.
  • 0
    @BigBoo, you're still missing the point. A 16 character limit indicates that Ubisoft are so incompetent that they are not hashing the passwords at all.

    Ubisoft can be storing the passwords as plain text, or perhaps encrypted. That would explain the length limit. If they are hashing, it can be hashed by a terrible algorithm. Or without a salt. All of which are plausible given the clear lack of competence they portray in their utterly trash password policy.

    And even if Ubisoft is storing the passwords salted and hashed (both of which are unlikely), most passwords aren't composed out of 36^16 random characters, but of regular words, often used on other sites that have already been breached so they are filled up in the dictionaries password crackers already use.

    A GPU-accelerated system built around Hashcat can guess hundreds of billions of passwords per second. Within a few hours of work, most of the weak passwords Ubisoft forces its users to create will be cracked.
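Added worked example, not from any commenter in the thread: a Python script that puts numbers on the two points argued above, the 36^16 keyspace against the guess rates mentioned (one per second, 1000/s, 10^13/s) plus a GPU-class rate in the hundreds of billions, and the claim that a hash's output length does not depend on the secret's length. The 3e11 guesses/s figure and the age of the universe are rounded assumptions of mine.

```python
import hashlib
import math
import os

# Thread's assumptions: passwords of 8-16 characters drawn from a-z and 0-9.
ALPHABET_SIZE = 36
MIN_LEN, MAX_LEN = 8, 16
UNIVERSE_AGE_S = 13.8e9 * 365.25 * 24 * 3600   # ~4.35e17 s, rounded assumption


def keyspace(min_len=MIN_LEN, max_len=MAX_LEN, alphabet=ALPHABET_SIZE):
    """Number of distinct passwords with length min_len..max_len over the alphabet."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def entropy_bits(space):
    """Keyspace expressed as bits of entropy (assumes uniformly random choice)."""
    return math.log2(space)


def seconds_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every password in `space` at the given rate."""
    return space / guesses_per_second


def fraction_covered(space, guesses_per_second, elapsed_s=UNIVERSE_AGE_S):
    """Share of `space` covered after `elapsed_s` seconds, capped at 100%."""
    return min(1.0, guesses_per_second * elapsed_s / space)


def salted_hash(password: str, salt: bytes, rounds: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. The 32-byte digest never depends on the
    password length, so storage built on it needs no 16-character cap.
    (bcrypt is the well-known exception: it silently truncates input at 72 bytes.)"""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


if __name__ == "__main__":
    rates = {"1/s": 1, "1000/s": 1e3, "1e13/s": 1e13, "3e11/s (GPU, fast hash)": 3e11}
    full = keyspace()
    print(f"keyspace 8-16 alnum: {full:.3e} ({entropy_bits(full):.1f} bits)")
    for label, rate in rates.items():
        print(f"{label:>24}: {fraction_covered(full, rate):.2%} covered in the age of "
              f"the universe; exhausted in {seconds_to_exhaust(full, rate):.2e} s")
    # Only the shortest permitted length: what an offline attack sees first.
    print(f"8-char only: {seconds_to_exhaust(keyspace(8, 8), 3e11):.1f} s at 3e11/s")
    salt = os.urandom(16)                        # per-user random salt
    for pw in ("abc123xyz789qwer", "a" * 45):    # constructed sample passwords
        print(f"len {len(pw):>2} -> {len(salted_hash(pw, salt))}-byte digest")
```

The 3e11/s rate applies to fast hashes such as MD5 or NTLM; against PBKDF2 with 100,000 rounds the same hardware manages orders of magnitude fewer guesses, which is the point of a slow, salted password hash.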