39

................. Are you actually kidding me?

Comments
  • 4
    Yeah, some days ago I registered somewhere. Maximum password length was twelve characters also and special characters were not allowed.
  • 6
    Even worse than my bank's limit of 20

    Almost like a longer password makes bruteforcing harder...
  • 3
    At my job our login password cannot start or end with a number.
  • 2
  • 4
    @alexbrooklyn I was told it has to do with some legacy systems still used. The single password is synced across several systems across the business (that way people don't have numerous passwords to remember).
  • 1
    You really should register over at acm.org... only letters allowed...
  • 6
    @alexbrooklyn my bank (german Sparkasse) limits the online banking password to five characters 😐
  • 3
    @Sumafu same with one of the big banks here! Looking at you westpac. Wtf.
  • 4
    Doesn't the upper limit suggest a column USER.PASSWORD type is VARCHAR2(12)?

    [plain-text passwords?]
  • 0
    @netikras maybe. Or they might have a custom hash function which has set some artificial limits for some reason
  • 5
    @netikras It does. That's why an upper limit on password length is such a big red flag. Password length shouldn't matter in a hashed password, out of the hashing algorithm comes a string with fixed length anyway.
  • 1
    Also my ISP has a limit on this as well, 12 characters I believe, but not sure. I'd have to check. And they're very open about knowing customer credentials and storing them in plain. They even send it to you via postal mail if you'd like. After I reported to their COO how shitty that is, it took them over a year to "fix". Now they encrypt it, and think it's done. A symmetric key probably lives on the exact same server. When it gets hacked, nothing stops a crook from grabbing that along with the database. But hey, it's fixed, right?
    In other news, that's the same ISP that uses MySQL 5 for their "premium hosting" that I ranted about earlier.
  • 1
    Can someone tell these shit devs to get THEIR shit together? Do we have or need password standards now? 👏👏
  • 1
    @Superviral "Hahahaha, you user", the support team says, "you have no idea what you're talking about! You are just a customer of ours, not an engineer. Oh.. wait- oh, yes, I'll send you to my higher ups"
    I absolutely *loved* that reaction of my ISP to it 😂
  • 3
    @alexbrooklyn my bank limits to 6 characters no special characters
  • 4
    I once entered a 100-character-long password into a password reset form in a system where I pay for accommodation every month, and it completely broke the whole system ¯\_(ツ)_/¯. The server only returned 503 since then, and I got a "thank you very much.../s" call from my friend who works for the university and had to fix it.
  • 1
    @Sumafu @alexbrooklyn @error503 after implementing a second-step verification with the phone, my bank made me change my password for a 6-digit PIN.
  • 0
    I can ofc understand an upper limit on a password to prevent collisions. Ofc it can't allow just infinite data for several reasons... Yet seeing 12 as the maximum... Or really anything below 128 as a max seems literally like a plaintext password...
  • 1
    I can proudly say we only have a minimum length limitation of 8 characters on a website I am working on for a client.
    Maximum is unrestricted and all characters are allowed
  • 1
    @Condor Password length should matter but only in the case of trolls that use ridiculously long passwords.
  • 1
    We need a website where users can post stupid password rules and the link to where they found them.
  • 1
    @Lensflare I think that exists actually! Plaintext offenders or something like that.
    https://plaintextoffenders.com
  • 0
    @JFK422 if I type in a password with 1000 characters, I should most certainly be able to. What, is your server not going to be able to handle 1 kB of data? Your frameworks probably weigh 10k times as much.
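The point several commenters make above (a hash has a fixed output width, so a 12-character cap hints at plaintext storage, while a 100- or 1000-character password should cost the server nothing special) as an added, stand-alone Python example. This is not code from any commenter or from any of the sites named in the thread. The sign-up handler, the `stored_widths` helper and the 1024-byte upper bound are assumptions for illustration; the hash is PBKDF2-HMAC-SHA256 from the standard library with a per-user random salt.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Set

# Added example, not any commenter's code. Assumed policy: the only length
# rule a user should ever notice is the minimum; the maximum exists purely to
# bound the work one request can cause, and sits far above any human password.
MIN_LEN = 8
MAX_LEN = 1024          # assumption: bytes, not characters; bounds hash input
ITERATIONS = 600_000    # PBKDF2-HMAC-SHA256 work factor (OWASP 2023 guidance)
SALT_LEN = 16
DK_LEN = 32


def check_length(password: str) -> None:
    """Reject only the pathological cases. No charset rules, no 'must not start with a digit'."""
    n = len(password.encode("utf-8"))
    if n < MIN_LEN:
        raise ValueError(f"password must be at least {MIN_LEN} bytes")
    if n > MAX_LEN:
        raise ValueError(f"password longer than {MAX_LEN} bytes")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    The width of this string depends on the parameters, never on the password,
    so the storage column has one fixed width for 12-, 100- and 1000-byte inputs.
    """
    check_length(password)
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DK_LEN
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        check_length(password)
    except ValueError:
        return False  # out-of-policy input can never have been stored
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters), dklen=DK_LEN
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def stored_widths(passwords: Iterable[str]) -> Set[int]:
    """Column width each password would need. Expected: a single value, whatever the inputs."""
    return {len(hash_password(p)) for p in passwords}


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: a 12-char cap, the 100-char reset, the 1000-char troll.
    samples = ["twelve-chars", "x" * 100, "y" * 1000]
    print("stored widths:", stored_widths(samples))  # one width for all three
    record = hash_password("correct horse battery staple")
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify bad:", verify_password("incorrect horse", record))
```

The cap is deliberately generous: NIST SP 800-63B asks verifiers to accept at least 64 characters, and the bound here only protects the worker from a multi-megabyte "password". One caveat to "length shouldn't matter in a hashed password": bcrypt silently truncates input at 72 bytes, so with bcrypt the bytes after that point are ignored rather than hashed; PBKDF2, scrypt and Argon2 hash the whole input, which is why this example uses PBKDF2.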