It’s infuriating to create a “strong password” with letters, numbers, upper and lowercase, symbols, and non-repeating text… but it has to be only 8 to 16 characters long.
That’s not a “strong” password, random characters or not.
Is there a limitation that somehow prevents these sites from allowing more than 16 characters?
I’m talking government websites, not just forums. It seems crazy to me.
It’s a massive red flag. It implies that they are actually storing the password instead of a (preferably salted) hash and that they have no idea what good security practices are. Storing a hash leads to same size strings, no matter the length on the password.
And there’s no reason a database can’t store a very long hash as well. Storage is cheap for this kind of thing.
That’s why I only store and compare the first 8 characters.
Why not store the whole thing?
I’m joking of course, but the reason would be the database column is 8 characters.
If only there was a SQL command that could alter an existing table…