My password is not accepted because it is too long
In password security, the longer the better. With a password manager, using more than 24 characters is simple. Unless, of course, the secure password is not accepted due to its length. (In this case, through STOVE.)
Possibly indicating cleartext storage of a limited field (which is an absolute no-go), or suboptimal or lacking security practices.
If I have to create a password Ill need to remember and don't have access to my password manager for whatever reason I have a long phrase that's my go to but I have a system about adding numbers and characters to it based on the context of the log in. Sites with character limits really fuck that up.
i once used 20 for a bank. the website havent told me it was too long just clipped off 2 and accepted the rest. not even the banking support was able to help me. took me a few days to solve this by accident.
That must have been frustrating. How many times did it lock you out from trying again?
Being regected for being too long. What a conundrum.
I don't have it in me
This seems to be very common still
Some people even suggest typing a longer password over a simpler one with more special characters. It's harder to brute force.
I thought the use vocabulary lookup tables effectively nullifies the entropy benefits, if everyone started using phrases as password
Assuming the attacker knows it's a phrase: The english language alone apparently has some 800.000 words. 800.0006 = 2*1035 combinations in a dictionary attack. That's comparable to 18 random ASCII characters. We might also be using a different language, or a combination of languages, or we might deliberately misspell words.
A long string of random characters will give you more combinations per password length, but there are some passwords you just need to be able to memorize, and I'd say that's more likely with the 6 words.
I don't know enough to say how accurate the numbers are, but the sentiment stands - if it's a password you're memorizing, longer password will probably be better.
What's the point? no one is brute forcing a 12-15 password if the login system has ANY login attempt protection anyway.
This seems like one of the extreme overkill things...
At least they tell you. I’ve had inputs take the full password and then truncate it silently, so you don’t actually know what they saved. Then, you try to login and they tell you wrong password.
I once encountered a system that truncated your submitted password if you logged in through their app, but not through their website. So you would set your password through the website, verify that the login was working (through the website) and then have that same login fail through the app.
Yes I've had issues with this as well, since I'm a child I've set my password generator length at 69 characters... A small trick I've found is to delete and rewrite the last character of one of the two repeated passwords since often the validity check gets triggered on write but not on paste
My worst experience so far was a webpage that trimmed passwords to 20 characters in length without telling you. Good luck logging in afterwards...
As long as their login page also does that :p
I remember some office software that didn’t accept certain special characters but didn’t tell the user and just accepted the new password. I had to bother IT support many times to reset my password.
One of my favorite memories of how much Something Awful's sysadmins were absolutely amateur hour back in the early 2000s was the "lappy" to "laptop" debacle. Apparently Lowtax found the term "lappy" so annoying that he ordered his system administrator to do a find/replace for every instance of "lappy," replacing them with "laptop."
Unfortunately this included usernames and passwords, as well as anything that just managed to have the letters "lappy" in that order anywhere in the word. So, there was one user named 'Clappy' who woke up one day to find his name changed to 'Claptop.' Apparently this is also how people discovered that they were storing password unsalted in plain text in a fucking MySQL database, which if you're old enough, you probably already remember that the combination of MySQL and PHPmyAdmin were like Swiss cheese when it comes to site defense. :p
Flaptop Bird
That must have done a lot of dawizard to their reputation.
Common mistake for amateurs that found a password library and used it without reading the documentation. E. g. bcrypt will tell you to salt and hash the password before digesting it into constant length output for your database.
Salting before doing anything else is basic password security. I assume the webpage in question doesn't do that, either.
We have a customer, a big international corporation, that has very specific rules for their intranet passwords:
I can only assume that whoever came up with these rules is either an especially demented BofH, or they have some really really weird legacy infrastructure to deal with.
I worked in IT for a big national company for a short time. Passwords rules were : at least 8 characters, at least one uppercase letter, at least one number, change password every 2/3 months and different than the 3 previous ones. Several workers had a post-it on the screen with the 4 passwords they use. One of them had name of child and year of birth, I don't know if it was his children or his relatives' children too.
I am a designer, but I once did a project with a very very major and recognizable tech corporation that, no joke, implemented an 8 character limit on passwords for storage reasons.
This company made in the tune of tens of billions of dollars per year, and they were penny-pinching on literal bytes of data.
I can't say who it is, but their name begins with 'M' and ends in 'cAfee.'
I can’t say who it is, but their name begins with ‘M’ and ends in ‘cAfee.’
Whoever the company is, we have to assume it's not a security-related company. Because, surely, none of those would do that ever.
If password length affects storage size then something has gone very wrong. They should be hashed, not encrypted or in plaintext.
For a system I worked on a few years ago I got the password requirement:
I was also recommended to make it a single word to make it memorable.
My favorite is when they don't have this check, but silently slice the string to meet the requirement, so that you can't login with the original password the next time.
Wells Fargo used to do this. They cut my 16 character password to 8 and negated capitalization. Which is why I don't use them anymore
amazon also had it a couple years ago
My bank used to do that back in the early 2000's, I moved banks.
Metro Bank did something like this to me.
This shit pisses me off so bad. I had an identity theft a few years back, took ages to undo, and my credit score is still impacted by it. At the time I moved to a password manager and all my passwords are 31 characters of garbage. I’ve got several, highly sensitive accounts that my passwords don’t work for, in fact one a bank, until fairly recently, had repurposed a phone number field in the DB so passwords were limited to 10 characters numeric only (I managed to get one of their IT folks on the horn to explain why the password was so awful).
I cannot believe we live in 2025 and we still haven’t figured out passwords.
My bank forces a 6 digit PIN as a password.
Their 2fa is also email or text only.
At least we can set a unique username?
We have figured out passwords. Management hasn’t figured out allocating resources to security, and governments haven’t figured out fining the crap out of such companies.
Is there any specific reason to using 31 random characters instead of 32?
I'm not the one you're asking, but I've had a case where using the maximum number lead to login issues. A character less did not have issues. Must have been an off-by-one implementation issue (maybe a text terminator character). 32 is a power of two number. Seems like a reasonable approach to evade such issues categorically - at the cost of a character by default of course.
Illogical meat brain that thinks odd numbers are more random that even I guess.
all our banks and government systems and may online services work on a governments own 2fa, and there are several variants. They are linked to phone and require inputting Pins. Very comfortable, very secure and very convenient. Also very fast.
Don’t get me wrong, there are systems that work. I built up a very successful smart card based system many years ago after a failed audit. I initially hated the idea but in the end we built a crazy secure environment that was very easy to use and maintain. That project is long since obsolete but after doing that one, over a decade ago, I figured things were headed in the right direction.
I think I’m extra sensitive right now because my aging mom has made the issue acute. She’s not the same as she was a few years ago and helping her with all her online accounts has become a nightmare. It’s just too complicated for many folks.
I once registered an account with a random ~25 characters long password (Keepass PM) for buying tickets on https://uhuu.com.br/
The website allowed me to create the account just fine, but once I verified my e-mail, I couldn't log into it due to there being a character limit ONLY IN THE LOGIN PASSWORD FIELD. Atrocious.
EDIT: btw, the character limit was 12
PayPal did the same. Registration took 40 characters, login only half of that. Editing the login form didn't work unfortunately.
I’ve had this exact same thing happen.
I’ve also had it happen where you have the two fields to verify the password is the same. One had a maxlength set in it, and the other didn’t. I was for sure entering the same password and I was so confused until I opened up the dev tools and inspected the inputs.
I’ve seen this behavior too, I forget where. For me it was a bit easier since the fields displayed a different number of stars. I did spend too long trying to figure out how my password manager could be failing that way
How about creating a new account, letting bitwarden create a password, only for them to send me a clear text copy of that passwod in their confirmation email....
That means the breach is imminent, but at least you won’t need to worry about other accounts when it happens. Just be sure you don’t give them any kind of PII or financial data to save. No, you can’t save my card data to make shopping easier, because you’re almost certainly going to have a data breach next month, and drag your heels about disclosing it, giving hackers plenty of time to commit a bunch of fraud using all of the cards on file.
Here's your password, remember to write it down on your password post-it!
i thought that practice died like 20 years ago
friendica does this.
My mum told be the other day she logged onto a new bank, gave it a 12 character password then couldn't get back in after. When she got through to their customer services they said that it was an 8 character password limit (!), but it just never said on the register screen.
Microsoft does this to our users at my job. They go to charge their password and it won’t accept it but won’t tell them what the requirements are. “Your password doesn’t meet our criteria.” Okay, so what are you looking for???
Worst is that there seems to be a soft block at some point and instead of telling them that, it shows this dumb error instead over and over again no matter what password they choose.
so secure, no one can get in, even her!
Maybe that's security by obscurity. Or security by confusion. /s
Ah must be my bank. Same.
a game i played doesnt allow special characthers or its too long.
A game I play used to not care about it being a capital letter or not. Hunter2 and HuNTeR2 would both work perfectly fine.
What’s more frustrating is when the password creation page is silently cutting off too long passwords and don’t inform you about it.
There’s a site I use that does that on the password reset page, but not when logging in. So when using a long password it’s as if the reset never works. Took me ages to figure out what was going wrong.
Back in the day, long time ago, Unix would do that, and limit user silently to 8 characters.
Which then wasn't great, but a good password would be hard to break even at only 8 characters with equipment of the time.
We would do a cracking test against the user passwords periodically and ding users who got cracked. Well one user was shocked because they thought their 16 character password was super secure and there's no way we would crack it. So we cited her password and she was shocked she went through so much trouble only for the computer to throw away half her awesome password.
Oh, I hate this one
I have a "cuts off special chars, wtf" somewhere in my password store.
Okay so I agree with you that a longer password is better but this in no way indicates clear text password storage.
Is the maximum 24 characters because their database column is a VARCHAR(24)? That's one of the first questions that I thought of. Sure, it doesn't guarantee plaintext, but it's a indicator that it may be stored plaintext, considering hashing doesn't care about length. Or at the very least whoever has had eyes on this code doesn't know shit about security, which makes me less confident in the product as a whole.
The only reason I can think of to have a maximum would be to save on bandwidth and CPU cycles, and even then 24 characters is ridiculously stingy when the difference would be negligible.
bcrypt hashes only the first 72 bytes. 24 characters is the max amount of 4 byte UTF8 characters when using bcrypt. Which is stupid because UTF8 is variable, but still, it's a possible explanation.
Cryptographic hash functions actually have fixed runtime too, to avoid timing-based attacks.
So correct password implementations use the same storage and cpu-time regardless of the password.
I would have thought the opposite. I remember having a familiar conversation: “we need a sanity check in the password: what would no sane person do?” I believe we cut it off at 64 characters, but I can see someone thinking 24 is kore than enough, if they’ve never used a password generator.
It does. If you hash the user passwords, which you should, the hash is always the same length and it's thus irrelevant how many characters the user's password consists of.
Now, it's not certain though, which wasn't claimed either, because the front end developer might have other reasons for setting limits. The backend shouldn't care though.
The backend should care though. Even if strings can have an unlimited amount of characters, you don't want to go and hash a gigabyte of data. In lower level languages you don't have magic strings either so you might do something like char password[64].
There's many reasons to limit raw password length. Not many good ones to have it as small as 24 (or even 64) though.
It could be an older codebase that’s using an inline encryption algorithm as opposed to a hash. Using an encryption algorithm with a private key would result in varying length outputs.
Password hashes always have the same length.
Why is there a limit at 24? It may be an arbitrary limit set, or it may be because they don't store more.
I heard some banks encrypt single characters of the password separately (no idea how that would be safe) they often ask to provide random characters from the password instead of the entire password.
My bank only accepts up to 20 characters. It doesn't validate it... The login page simply ignores all characters beyond 20th. So I didn't even know that it cut my password until I tried to log into the mobile app, which replaces the last character when you type more than 20... that was confusing 20 minutes when I didn't know why I can't log into my mobile app.
What would be the other reason for a password length limit so low ? I could understand limiting to like 64 characters but 24 sounds low.
Don’t worry, pretty soon they will just block password managers from autofilling fields on their login page so that you HAVE to remember your password! Then you’ll be happy it can’t be that long, you can only fit so much on a post-it note on the side of your monitor
/s
EDIT: I think there should be a law against blocking password managers for filling in fields. Any brute force bots are going to submit HTTP requests directly anyway; no one is hitting the DOM to do that
think there should be a law against blocking password managers for filling in fields.
I’ve never heard of anyone trying to do that. I couldn’t even imagine how a website could detect a password manager.
I've had banks do it in the past. It's not that they can "detect" the password manager, they just use a method that's incompatible with them.
They have a fake input field and capture keypress events via JavaScript directly from the dom, then just make it look like you typed in to the input field. They don't read the password from the input field, they build it up in memory from those key press events.
It also completely breaks accessibility software, which is the main reason I think the industry moved away from doing it for the most part.
I've seen a couple of times. It's the same ones that block copy/paste on password fields. The workaround is to write a short python script using pyautogui or similar to "type" out the clipboard content.
Happens more and more often
Your password MUST contain big and small letters, and contain at least 1 number character and 1 spacial character, it MUST be 8 characters long, and it MUST be typed on a German Cherry keyboard between 8-9 PM, using ONLY 1 finger while blindfolded and listening to ABBA music. BUT NO SPACES ALLOWED!!!
This is because of something called entropy we never even read about so we have zero understanding of it. Of course combined with lousy programming, so safety is all on you.
Making all these possibilities OPTIONAL would actually make for safer passwords (higher entropy), as would using multiple words separated by spaces. The only meaningful way to accept a password would be to test it against common bad passwords, and test the entropy to determine acceptable levels. There is no good reason a password couldn't be 10 words and at least 127 characters. There is no way that should stress a properly designed modern system.
genuinely, whats up with not being able to use spaces?
I think it's originally because of bad programming. It's so incredibly stupid I don't have words.
You have described all of the guidelines that NIST, Microsoft, GCHQ and a few other institutions now recommend for password security.
And yet I still have to have this argument with so-called security engineers and my favourite, compliance officers.
the guidelines that NIST, Microsoft, GCHQ and a few other institutions now recommend for password security
Because they are morons that don't understand entropy.
Requiring at least 1 number increases entropy less than simply allowing the use of numbers, and then recommending it.
But most password queries are lousy at describing what's allowed when creating it, and they generally don't describe it at all when you enter it for access.
The second part can be crucial for remembering exactly how the password was created, because what is now required, used to often not even be possible to use!
you forgot that you can only use a selection of special characters from a pre approved list of 10.
Had that yesterday.
"Must use special characters!"
"Okay, no problem. Here you go."
"Not that one! It's too special!"
"Dude, I haven't even touched extended ASCII yet."
A pre-approved list of 10 which THEY DON'T EVEN TELL YOU WHAT THEY ARE
I love when there are so many rules that my first few randomly-generated passwords are rejected.
Even worse, when you can’t figure out why, or how to configure the generator, then end up having to type your own anyway
I like the ones that just tell you your password strength.
Subtle shaming of bad passwords without giving bad actors hints as to what the minimum (and thus most likely) password is.
One time I worked a job where you had to make EXACTLY a 12 character password using only ten letters and two numbers.
That's insane.
But you could decide on the positions of letters and numbers? While it had to be exactly 10 and two?
I spent way too much time on this the first time I came across it
Joyously frustrating game
I've had a case in the past where I reduced my password to the limit, but after account creation, I was not able to log in.
Turns out they had an off-by-one issue, and a password with a length slightly below the limit worked fine.
I once got locked out of an HP printer because it chopped off the last few characters of a password. Only figured it out because somebody had made a comment online about password length
Experienced a site some years ago that let me I put however long password I wanted (my default is 52 in my password manager), but turns out it only used the first 20 or so.
funniest experience that ive had is that i made a psn (playstation network) account with a 64 (iirc, might have been 32, dont remember) character password. That worked making the account on my PC on their website. Never was able to log into that account on my playstation tho and the error message was just some generic error. Support didnt know what was going on and i didnt either until it dawned on me. The password was too long for the console. Changed the whole thing to a shorter one and now it works everywhere. Used to work on their website, not in the app, not on console. Fun.
Recently had a password that was acceptable for the account creation page on the website but too long for the login screen in the mobile app.
Took me a while to figure out that pasting into that field was just quietly dropping characters.
The password on my PC is something like 30 characters long. Back when win10 was first coming out, they were pushing getting an actual outlook account and tying that to your login. I was hesitant at first, but figured I'd try it out and see how that worked for me.
Turns out outlook accounts (at the time) had something like a 16 character limit on passwords. Bruh.
Obligatory https://neal.fun/password-game/
I don't understand rule 5. "Digits shall add up to 25" I have a 1 and a 24, and it doesn't accept it :(
figured it out, it adds digits, not numbers
When that was first making the rounds I shared it with my omcoworkers. Most of my coworkers enjoyed it for a few minutes then moved on. One of my coworkers sent me a teams message 3 days later of the win message
I got a login on an IBM system. I logged in and moved to the change password mask. Changed my password to something filling out the 12 character new password field. Logged out, and got the login mask again. With an eight character password field.
Banks are the fucking worst for this. I assume it's because they're built on some 500 year old CICS mainframe.
Then again, there's not much point to super long passwords. They'll be turned into hashes, commonly of 128, 196, or 256 bits length. When brute forcing, by a certain length, it's pretty much guaranteed there's a shorter combination computing to the same hash. And an attacker doesn't need your password, just some password that computes to the same hash. With 256 bit hashes a password with 1000 characters isn't more secure than one with 15 in any meaningful way.
There should be a limit to prevent DoS attacks but really it should be like 1M characters or something.
No, there should be no limit. The password should be salted and hashed stored on the server side they should be uniformly like 256 or 512 characters behind the scenes no matter if you send it 5 characters or 50,000. The password that is stored is just a mathematical representation of the password.
As far as DDOS, It doesn't matter what the limit is, you can send them millions of characters rven if they have a limit. If you're going to DDOS you're going to just use SYN flood, pings, for all of the matters you could send headers.
Not DDOS, DOS. You can often crash an unprepared server with one request by telling it to hash more data than it has memory for. See this blog post for a well-known web framework. Let’s say I just sent it a 10GB password, it still has to process that data whether or not the hash eventually shortens to the database field length.
So I just went through something similar with a security team, they were concerned that any data should have limits even if transiently used because at some point that means the application stack is holding that much in memory at some point. Username and password being fields you can force into the application stack memory without authentication. So potentially significantly more expensive than the trivial examples given of syn and pings. Arbitrary headers (and payloads) could be as painful, but like passwords those frequently have limits and immediately reject if the incoming request hits a threshold. In fact a threshold to limit overall request size might have suggested a limited budget for the portion that would carry a password.
24 characters is enough to hold a rather satisfactorily hardened but human memorable passphrase. They mentioned use of a password manager, in which case 24 characters would be more entropy than a 144 bit key. Even if you had the properly crypted and salted password database for offline attack, it would still be impossibly easier to just crack the AES key of a session, which is generally considered impossible enough to ignore as a realistic risk.
As to the point about they could just limit requests instead of directing a smaller password, well it would certainly suck of they allowed a huge password that would be blocked anyway, so it makes sense to block up front.
oh. this has been a big pet peeve of mine for awhile. After starting to use password managers I figured I would standardize on the largest required characters only to find a source whos maximum characters were lower than anothers minimum characters.
c/passwordtoostrong
When I banked with wells fucking fargo they had issues similar to this. I had something like a 16 character password and I once forgot the last character and it accepted it anyway, so there was some kind of character limit that they didn't make obvious.
I also had a time I accidentally had caps lock on, and my password still was accepted. Their passwords were not case sensitive even though their password screen says they were.
That's insane
I had this problem with a fucking bank once. Even better are the sites that silently chop off characters after the internal limit, on the backend, but don't tell you or limit the characters on the frontend. I had a really fun time with that last scenario once, resetting my password over and over and having it never work until I decided to just try a shorter password.
And then they store it in plain text anyway...
24 is fine, not as bad as 12 and no special character. That's honestly the worst one i've encounter.
my bank app doesn't allow copy paste so i can't have anything that long and hard to type, and they tend to request password login when transferring money.
24 is not fine if you're like me and use passphrases sometimes
A 24 char passphrase while not as bulletproof as a machine generated string is still credibly strong even to offline cracking attacks when possible. In all the datasets of passwords acquired through that sort of cracking I don't think I've ever seen it catch even a 4 word passphrase.
In my opinion, an acceptable password length should be L in ln(alphabetSize^L)/ln(2) = (B bits of entropy). For a Bech32 character set (since it excludes ambiguous characters), alphabetSize = 32. A good password should have been 96 and 256 bits of entropy, with 128 bits being my personal preference. This means L = (B)*ln(2)/ln(alphabetSize) = 128*ln(2)/ln(32) = 25.6 = 26 characters.
That's… pretty close to what OP said they were restricted to, so maybe the person who set the 24 character restriction used a similar methodology.
At one point years ago my work finally caught up with the 21st century and allowed creation of passwords longer than the fixed 8 characters it had always been. So I said great, made up something that was around 12 or so that I could remember. Until I logged into some terminal legacy programs we were still using and wouldn't take that length. So yeah, I went back to 8 characters that wouldn't break things. They eventually migrated away from such old programs and longer passwords became mandatory since they'd work everywhere, but I thought it was funny that briefly I tried to do the right thing but IT hadn't thought out the whole picture yet.
Most likely it's just a validation not related to actual storage of the information.
It's something that can happen automagically when using a library. I wouldn't be too surprised if this length limitation is just a default of whatever registration solution they are using.
There's a joke in there somewhere.
YES, it pisses me off so much. Though I do kind see for some things having some upper limit of 256 for certain services. But I may be wrong in thinking that.
For example I want a secure bank password but I only need it so long. Mainly because unlike my E2EE service if they are servered a warrant or hacked through another service all my data is there. Basically I can only do so much.
My bank does this 💀
In password security, the longer the better.
This is only true up to a certain point
Is that point 24 - the limit they set?
Explain please, I'm curious
So this is *mathematically correct, but practically not really. Let me give you a longer (but still simplified) answer. There's essentially two things here that are different:
The reason for #2 in digital systems is because of hashing, which is used to protect your password in the case of a data breach. Essentially, you can think of a hashing algorithm as a one-way algorithm that takes an input, and then always returns the same output for that input. One-way here means that you can't use the hashed output to reverse-engineer the originally inputted password (you can't unhash a hashbrown into the original potato 🥔). This is why if someone hacks Facebook, they don't necessarily have your Facebook password; Facebook never saves your actual password anywhere. To login, the website hashes your password input, and compares it against the hash that they saved from your original password creation.
Usually, the result of these algorithms is saved as a fixed-length string of characters. And so your data is mathematically not more safe if you exceed this length, since a random password combination can theoretically resolve to the same value as your super-long-password. This would depend on the algorithm being used / data being stored, but for example, bcrypt outputs a 184-bit hash (often represented as a 60-character string). So mathematically, your password is not more secure beyond 60 characters.
However in practice, this is a non-issue, because I think that basically the only way that collisions like this are useful are for brute-forcing a password? And the chance of a password collision in this way is something like 1027-or-28 (being hit by lightning every day for 10,000 years)? The much easier solution for gaining access is to get your actual password. So if your password being longer makes it harder for people to guess, I'd say that adding security by way of #1 is still extremely valid.
All passwords longer than eight characters are silently truncated anyway.
Passphrases are much stronger than any 10 character password you can conjure up
How does that contradict my statement? 10 chars is pretty weak.
My best experience... They allowed me to set a 100 characters password, but then changed the limits a year later, so that you couldn't even login anymore.
There was a game launcher for a popular game that required a minimum of 8 characters but only used the first 8 characters and it wasn't case sensitive. So something like PassWord12345!? could be entered when changing the password, but you could sign in with any of the following:
I haven't logged in for years so I'm not sure if it is still working that way.
Sounds like they're using bcrypt. Feeding more than 24 utf8 characters into bcrypt won't do anything useful. You can permit longer passwords (many sites do) but they'd be providing a false sense of security.
Bcrypt is still secure enough and 24 characters are fine as long as they're randomly generated by your password manager.
The specification of the algorithm specifies up to 56 bytes, including a null terminator. If you're using UCS-2 (2+ bytes per character, like Windows, Java, Javascript, and more languages and platforms do), that's 27 characters (can't use the last half byte character pair). Add some margins for extended characters (emoji and such) and you'll end up just above or below 24. With UTF-8 you can end up doing much better (exclusively Latin-1) or much worse (exclusively non-Latin character sets). Verifying that on the frontend is a massive pain (string length in JS is unreliable) and dynamically switching codecs is a recipe for bugs and security leaks.
The 72 byte limit is the result of the internal workings of most bcrypt algorithms, but if you ever switch implementations you need to make sure that implementation doesn't change the internal workings if you rely on details like that. If the stars align you can use 71 characters (72 if you use Pascal strings), but that's far from a given.
Utf8 isn't ASCII. It takes up more space.
It can also be just a randomly chosen limit. I work as a software engineer on a custom management software for a big client. For whatever reason until recently, the limit for email addresses in the master data was 50 character. Why? No clue but someone had decided that randomly in the past. Now it was increased to 100. Why again? According to RFC 5321 a limit of 254 would be the most sensible one. But the people who come up with those requirements just don't care. They decided it to be 100 from now on for no apparent reason.
Then we have many input fields, that have a limit of 255 character. Why not 256? Why such a weird number in general? The people who use this software in production are most likely not the ones who usually think in powers of two. So why not make it 250 or 300 oder whatever?
Sometimes those limits are just arbitrary with no technical or logical reason to back them up. Which doesn't make it less stupid mind you.
a limit of 255 character. Why not 256? Why such a weird number in general?
255 chars + '\0' = 256
Not weird at all.
I see your point, but we have Java backends and strings there are not null terminated. Also I'm very sure that those would never be the reason for our Postgres server to run out of storage so I don't get it why not make it more user friendly. We're not implenting an embedded system where every byte of storage counts.
Hey at least it told you there maximum length, i signed up paramount+ last night and it only said 42 characters was too long.
Maybe they allow more characters during the day /s
You think that's infuriating? Imagine having an ISP that wants you to pick a password of max 8 characters.
That was the insurance corp my career came bundled with for a decade until recently.
Sunlife. Finally very slowly replacing their garbage old website.
I'll do you one better. The target redcard credit card doesn't allow non-standard special chars, max I think it was 12 chars and gets pissy at using known SQL special chars. If it wasn't for the fact it required a credit check prior to getting to that screen I would have ran so hard.
What's even more annoying is their password field says that it does support that, but if you try via the mobile app it errors out
Used to run into this more. Some legacy systems imposed password limits that seem archaic by modern standards. The authentication system was just supporting systems from before newer standards were created.
I think some of those compatibility layers outlived the systems they needed to be compatible with. The people that knew the system retired ages ago and the documentation was lost 3 or 4 "documentation system" changes ago.
Anyway, those have no place on the modern web.
I also hate these kind of websites.