7

Really, H&R Block? A max password size? For something this important?

Comments
  • 4
    Hey man, you know it needs to be short and crackable, in case government agencies or Russia needs to access the info for another election ;)

    But kidding aside, max password size doesn't make sense at all. What are you worried about, running out of storage space...
  • 1
    @rusty-hacker I thought maybe it had something to do with some IRS guidelines (which they mention), and they were "just following orders". But I found those guidelines, and they only specify an 8 char minimum. So, uh... *shrug*
  • 1
    Feels like PayPal
  • 1
    @MrFastDie It's the single thing that makes me not use PayPal. Why the fuck is there an upper limit?? It's absurd. Just like the one number one capital rule. Do admins really think that a user that uses password for a password, will improve their security? No. They'll just use Password1.

    Same thing with those fucking expiring passwords. Password51, Password52, Password53.
  • 0
    @xios it's policy, policy sucks, entropy is important
  • 0
    @MrFastDie But in practice those policies create less entropy than one good password that changes once a year.

    For example:
    My coding buddy is a rubber duck and I like to talk to him. 302.8 bits

    Password01 44.5 bits

    First one can't be bruteforced, tabled or even remembered by someone who has seen it. It's personal. Monthly expiration becomes unnecessary.

    Second one is guessed by hand. Changing the last two digits doesn't change it.
  • 1
    @xios that's what I mentioned
  • 0
    My bank allows only an UPPER limit of 8 characters, and excluding special chars... Wtf. When writing to them about why such limits exist in times of hash operations taking fractions of milliseconds, they boasted about how secure their system was and dismissed me.
    If only their real world service wasn't so good, I'd have switched already.
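
The storage and hashing point raised in the comments above, as an added example that is not part of the original thread: a server that stores a salted, stretched hash keeps the same number of bytes whatever length the user typed. PBKDF2-HMAC-SHA256, the parameter values and all function names are assumptions of this example.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example (not taken from the thread).
SALT_LEN = 16
ITERATIONS = 200_000
DIGEST_LEN = 32


def _derive(password: str, salt: bytes) -> bytes:
    """Stretch the password into a fixed-length digest with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DIGEST_LEN
    )


def make_record(password: str) -> bytes:
    """Return what the server stores: random salt followed by the digest."""
    salt = os.urandom(SALT_LEN)
    return salt + _derive(password, salt)


def verify(password: str, record: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, expected = record[:SALT_LEN], record[SALT_LEN:]
    return hmac.compare_digest(_derive(password, salt), expected)


def record_sizes(passwords):
    """Map each password's length to the size in bytes of its stored record."""
    return {len(p): len(make_record(p)) for p in passwords}


if __name__ == "__main__":
    samples = [
        "Password01",
        "My coding buddy is a rubber duck and I like to talk to him.",
        "x" * 1000,  # constructed: far beyond any typical length cap
    ]
    for length, size in record_sizes(samples).items():
        print(f"{length:>4} chars typed -> {size} bytes stored")
```
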