Comment by dajonker
6 years ago
Yes, this is terribly annoying, often there is a minimum length but no mention of maximum length. I see this on many, many websites...
What kind of range limits are you talking about? 30? 100?
Lots of sites have a limit of 72 characters, maybe even without the developers knowing about it. Bcrypt has a limit of 72
It's honestly a crapshoot. I've seen as low as 8 (a sibling poster says 6), but 10, 12, 15, 16, and 20 are not unusual. It's usually an even number, so you can just knock 2 characters off your password at a time (after making it an even number) until you're down to the maximum to figure it out.
Wells Fargo’s is 12 IIRC.
Lots and lots of legacy systems do this: very low limit, case insensitive, numbers and letters only. I know of a major retailer with 10 character, case insensitive, alphanumeric for all their systems. Why? Because that’s the lowest common denominator (AS/400).
I have a 14 character WFC password, seemingly works fine.
I believe that Blizzard had a limit of ~20 until recently for battle.net accounts (don't know if that's still the case).
Passwords for Blizzard accounts are also case-insensitive, as they are converted to upper case before hashing. Try it!
I first found this while working on a WoW server emulator in around 2009, but I believe it's been the case since Battle.net 1.0 was launched in 1996. In order to preserve backwards compatibility, it's never been changed.
I remember that Microsoft got stuck with a 16 character limit for a while thanks to Hotmail.
"for a while"
You mean until May of 2019?
https://techcommunity.microsoft.com/t5/Azure-Active-Director...
Often it's 20. Not sure why 20 is so common.
Someone somewhere probably posted a code sample with a 20 character limit...
I've seen 6 characters and 16.