16

Websites that still for w/e reason limit the number of characters a password can have...

Seriously, when a website starts bitching about me entering a 32-character password generated by my password manager "being too long", I seriously start to wonder how they store the password...

Comments
  • 6
    VARCHAR!
  • 5
    I don't know why they do it either
    Like if they store it *properly* it will be hashed, i.e. have a fixed length...
  • 3
    @LotsOfCaffeine Exactly this.

    PHP's password_hash() with the PASSWORD_DEFAULT will always fit in a VARCHAR(255) at the time of writing.

    I doubt this will be any different for sites built with NodeJS and ASP.

    If they spun their own garbage like I demonstrated in my post[1], SHA512 will fit in that just fine (64 characters); add to that about 8 characters for the salt and maybe about 3 or 4 characters for delimiters and you will still be very well within the limits.

    Heck, even Argon2I will fit just fine and iirc, you can actually also limit the hash size so it *will* fit one way or another.

    I mean, if you can digest hundreds of gigabytes in a single hash, then I'm sure just 32 characters would work juuuust fine as well.

    1: https://finlaydag33k.nl/blog/...
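Added example, not part of the thread or of any commenter's code: a salted PBKDF2-HMAC-SHA512 record in a `scheme$iterations$salt$digest` layout, showing that the stored string has the same length for an 8-character and a 1000+ character password and fits a VARCHAR(255). The iteration count, salt size, record layout and the 4096-byte input cap are assumptions chosen for the illustration; the cap only bounds request size, so it sits far above any password a manager would generate.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 210_000        # assumed work factor, tune for your hardware
SALT_BYTES = 16             # assumed salt size
MAX_PASSWORD_BYTES = 4096   # assumed cap: bounds request size, not password strength


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise ValueError("password exceeds the input size cap")
    # The digest is always 64 bytes, whatever the input length.
    return hashlib.pbkdf2_hmac("sha512", raw, salt, iterations)


def hash_password(password: str) -> str:
    """Return the string to store: scheme$iterations$salt$digest."""
    salt = os.urandom(SALT_BYTES)
    digest = _derive(password, salt, ITERATIONS)
    return "$".join(["pbkdf2-sha512", str(ITERATIONS), _b64(salt), _b64(digest)])


def verify_password(password: str, record: str) -> bool:
    scheme, iterations, salt_b64, digest_b64 = record.split("$")
    if scheme != "pbkdf2-sha512":
        return False
    expected = base64.b64decode(digest_b64)
    candidate = _derive(password, base64.b64decode(salt_b64), int(iterations))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample passwords of very different lengths.
    for pw in ("hunter2!", "x" * 32, "correct horse battery staple " * 40):
        record = hash_password(pw)
        print(len(pw), "chars in ->", len(record), "chars stored")
```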
  • 0
    @Nanos Those are rare but yes.
  • 0
    I agree within reason. I think any password longer than an SSL key is wasteful, so at that point, just use that for authentication. But up until that point there is no reason. Especially not fucking 16 chars
  • 2
    your house key is too complicated, please make an easier to break house key.
  • 2
    It probably all started because some tit in QA posted a couple of megs in the field and complained it crashed. “32 char limit. Fixed.”

    There’s always a story...
  • 0
    @platypus I honestly doubt that as well since on most sites, it's validated server-side anyways.

    So if it were to crash because of that, it'd crash anyways :^)
  • 1
    @platypus
    ...i once set a 4-line paragraph - the intro sentence of my short story - as my password.

    it was cool.