by meuk 2476 days ago
I understand that you follow some misguided security guidelines that state that a password must contain special characters and have a length of at least X.

What I don't understand is why sites use a maximum password length. They shouldn't save your password anyway, and only compare the hash, right?

2 comments

Yeah. It either means that they do, in fact, save your passwords and the column in the database has a fixed length. Or... I dunno... the backend is written in C and they store the password in a `char password[16];` before sending it off to be hashed.

Whatever the reason is, it's pretty darn stupid!

Cost of calculating 10k character hash? IMO above 30 length serves no practical purpose.

To put this in perspective: The cost of calculating a 10k character hash is negligible compared to serving a modestly sized image.

Still, you have a point that allowing arbitrarily sized passwords can lead to denial-of-service attacks. Still, a more reasonable limit would be 100 or 256, for example.

and no way is 12 a good limit

If that were the case, would the limits be so small? I mean, it's usually like "less than 16 characters" or something. The extra CPU time to raise that limit to, like, 128 or something would be totally insignificant (especially if they're using a key-derivation function after the hash, as they should be).
> Cost of calculating 10k character hash?

Irrelevant compared to the rest of the operations done on the server.

Other than not annoying users by not allowing their 31 character passphrase.
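An added illustration of the policy the replies above argue for (a generous byte limit checked before any hashing, a key-derivation function doing the real work, and a plain hash of 10k characters costing next to nothing); this is not code from the thread, and the 256-byte cap, the PBKDF2 iteration count and the sample passphrases are my own assumptions.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Assumed cap, in bytes. It exists only to bound work per request, as the thread
# suggests (100 or 256), not to fit a fixed-width column or a char[16] buffer.
MAX_PASSWORD_BYTES = 256
PBKDF2_ITERATIONS = 100_000  # assumed work factor for the key-derivation step


def is_acceptable_length(password: str) -> bool:
    """Length check on the UTF-8 encoding, done before any hashing work is spent."""
    return len(password.encode("utf-8")) <= MAX_PASSWORD_BYTES


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Enforce the cap, then derive a PBKDF2-HMAC-SHA256 hash with a random salt."""
    if not is_acceptable_length(password):
        raise ValueError(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Same cap at login: oversized input is rejected without running the KDF."""
    if not is_acceptable_length(password):
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, expected)


def sha256_cost_seconds(length: int, rounds: int = 1000) -> float:
    """Average wall time to SHA-256 a constructed password of `length` characters."""
    data = ("a" * length).encode("utf-8")
    start = time.perf_counter()
    for _ in range(rounds):
        hashlib.sha256(data).digest()
    return (time.perf_counter() - start) / rounds
```

Running `sha256_cost_seconds(10_000)` shows the plain hash of a 10k-character password takes on the order of microseconds; the iterated KDF, not the input length, is where the time goes.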