One of the more persistent annoyances of the modern web for the tech-savvy is the experience of putting a long, randomly generated password into a site and getting an "invalid characters" error.
Or sites that don't tell you the max number of allowed characters and then quietly truncate the password for you. Then you have to guess how many characters they chopped off and try logging in until you get it right.
This! This is the most infuriating... and the salt in the wound is that some of the offenders are career/employment sites for firms that should have enough tech-savvy employees to code a form that does client-side verification and clearly indicates password criteria to the user.
I'm really surprised at maximum character lengths.
I use a password generator that defaults to 256 characters, and literally nobody has allowed that yet that I've tried.
It's funny the arbitrary numbers some cut off at.
Many limit it at 32, a strange number at 40 for some reason, a few at 60, and others still will silently truncate it to some number on the signup form, then forget to truncate the login form...
I'm not complaining about them not supporting 256, I just find it strange the arbitrary limits imposed.
A site I signed up for today limited it at 42. Why?
And even if 128 is way over excessive, does it actually make a difference to the server? Obviously you don't want to be hashing multi megabyte passwords, but don't most password hashing systems need a certain sized key to work, so it's padded out to that point anyway? And once it's processing further "iterations", the size of the first password is pretty much irrelevant.
If you use a password manager there is practically no cost to the user to use any number of characters. Why not go for something insanely large from the user perspective?
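As an added illustration of two points raised in this thread (not code from any commenter): the "truncate on signup, forget on login" bug, and the observation that a real password KDF's cost does not depend on input length. The site classes, the 42-character limit and the 1024-byte ceiling are constructed for the example.

```python
import hashlib
import hmac
import os

SIGNUP_LIMIT = 42   # constructed: echoes the "limited it at 42" complaint
HARD_CAP = 1024     # constructed: a generous ceiling applied identically on every form


def derive(password: bytes, salt: bytes) -> bytes:
    """scrypt accepts any input length; its cost is set by n/r/p, not len(password)."""
    return hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1, dklen=32)


class TruncatingSite:
    """The bug from the thread: signup silently truncates, login does not."""
    def __init__(self):
        self.users = {}

    def signup(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        cut = password[:SIGNUP_LIMIT]            # silent truncation, user is never told
        self.users[user] = (salt, derive(cut.encode(), salt))

    def login(self, user: str, password: str) -> bool:
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, derive(password.encode(), salt))


class ConsistentSite(TruncatingSite):
    """Fix: one normalisation routine shared by both forms; reject loudly, never cut."""
    @staticmethod
    def normalize(password: str) -> bytes:
        data = password.encode("utf-8")
        if len(data) > HARD_CAP:
            raise ValueError(f"password exceeds {HARD_CAP} bytes")
        return data

    def signup(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, derive(self.normalize(password), salt))

    def login(self, user: str, password: str) -> bool:
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, derive(self.normalize(password), salt))


def signup_accepted(site, user: str, password: str) -> bool:
    """True if the site stored the account, False if it rejected the password."""
    try:
        site.signup(user, password)
        return True
    except ValueError:
        return False
```

With the buggy site, a 256-character generated password registers fine but can only ever log in as its first 42 characters; the consistent site either takes the whole thing or refuses it at signup.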
Royal Bank of Canada uses a single 8-character alphanumeric password for online banking, and that login is also good for identifying yourself for government services (e.g. tax services). I still can't believe it.