by joeig 1925 days ago
Since I’m using a password manager, I’m generating >24 digit passwords, because I’ll never have to type them. You would be surprised how many websites cut everything after 24/32 digits during registration without notice, but suddenly allow more digits in the login form, leading to login issues.
5 comments

This is infuriating. Then you need to go through a password reset to be able to recover the account and some websites don't even bother to tell you how many characters you're allowed to enter in the password field, leading to a whack-a-mole type of situation where you reset password -> check with a lower number of characters -> issues -> reset again and rinse and repeat.
Schwab, the 120 billion dollar financial institution, famously had this problem for years.

Until relatively recently, they silently truncated the password that literally protected your bank account to 8 characters.

Is there even a point in using passwords that long? It sounds like overkill to me. Assuming your attacker had the computing power of the bitcoin network (ie. attempts per second = hashes per second), then a 16 character alphanumeric password would take more than 800,000 years to crack.
If you are using a password manager, then a (good) longer password is basically extra safety for literally zero extra price, so why not? What does it matter if you are copy-pasting, or letting the password manager autofill, twelve characters or fifty?
The GP comment gave a reason: some websites might misbehave with longer passwords, so it's not actually free.
But that's a self-defeating attitude. If you are going to defensively assume that websites are broken in this way, the only logical conclusion is to limit your generated passwords to something ridiculously conservative, like six characters.

In my opinion, it is more reasonable to assume that most websites will behave correctly with even longer passwords, and solve the odd misbehaving ones on a case by case basis.

But if 16 characters is already secure for the foreseeable future, why bother risking it for negligible gains in security?
That's something each of us has to determine for themselves.

I haven't yet, in my many years of "being on the web", encountered a single website with the truncated password problem described above, so for me, it's a weird statistical anomaly to be ignored.

If you have been burned repeatedly by some such websites, you will have a different outlook, and will generate your own passwords accordingly.

Because sometimes you do need to type it. I'm reminded of signing into a Kindle e-reader with shared (family) account and a long randomly-generated password with lots of symbols (I could not change the password). The Kindle has a terrible keyboard and obscures the password input, so what could have taken ten seconds took ten minutes and many attempts.

I use “correct horse battery staple”-style[1] passphrases now because they're still long and secure, but also memorable, so I don't have to enter passwords character-by-character, and I've memorized all of my most-used accounts now and don't need to look them up. 1Password can even generate these types of passwords automatically.

The only annoying bit is when services have arbitrary restrictions like “no spaces”, or “mix of capitals, lower-case, numbers, and symbols”. In those cases I use hyphens instead of spaces, or stick “A1!” on the end.

[1]: https://xkcd.com/936/

The "correct horse battery staple" style was (originally?) known as Diceware: https://theworld.com/~reinhold/diceware.html The FAQ is interesting reading.
Fair enough, although as someone who uses a 60 character long home wifi password - and have had to type it out manually more than once in the past - I think it's still worth it, because such cases are rare. :)
And on mobile you can connect using a QR code so it's a simple way to avoid that as well.
One point to longer passwords is passphrases. Passphrases are easier to remember than complicated passwords, and often longer. I can remember the 37 character passphrase “This passw0rd is far too long for me.” much more easily than the 20 character “W64$hmIbAZ7:-IirN57p”
Right but op mentioned using a password manager, so that doesn't really apply.
Unless you sometimes need to type the password manually.
What about dictionary attacks?
Irrelevant. In a "passphrase", the "symbols" are entire words, instead of single-byte ASCII characters. So "ResearchWannabeProbablyMagmaDeltaCondoneWannabeImpurityScrabbleAbidep" consists of 10 symbols chosen from a list of 7776 symbols. As opposed to "!Z['$-t]8:" which is 10 characters from a list of only 96. Since the entropy of a password (and thus resistance to brute-force and dictionary attacks) is $\log_2(\text{symbols in list}^{\text{length of password in symbols}})$, the passphrase has 129 bits of entropy and the password only has 65 bits.

There's no concern about dictionary attacks, since there are too many "words" of multiple "symbols". The symbols just happen to be composed of sequences of ASCII characters, instead of single characters. The analog for regular passwords would be a dictionary consisting only of single letters/numbers/symbols.

There have been more times than I care to count that I've needed to type my 32+ character long password. It's unusual, but not never.
Using a tv remote is the worst
Big props here to Amazon Prime Video for allowing you to open an Amazon app you've already logged into on a device with a camera and scan a QR code on your television to log in, rather than requiring you to type a password using arrow keys to select from a virtual keyboard.
I was just using the Roku app on my phone for this. I don’t know if it’s universal for apps on the Roku, but it certainly is nice.
Hulu also allows you to type a short character sequence from a website instead of using a password.
It's even worse with Apple TV, where you have to swipe between characters on a single row. They completely butchered UX on that one, it's infuriating.
If you have an iPhone, you can use the Apple TV remote on the phone, which will show a text input you can type on (on any form text input). This has the added bonus of being able to access your keychain for automatic password filling.

I have enabled the tv remote on control center - I’m not sure if it’s there by default. You should be able to toggle it in settings

I’ve found voice dictation surprisingly useful in these situations - you can instruct which case to use as well as using military alphabet.

https://support.apple.com/guide/tv/use-siri-dictation-atvb21...

I would not do that for a password
That’s why I use apple remote app where even copy paste works.
...which is only available on iOS (I don't have an iPhone). This is one of my other pet peeves with Apple products.
It’s for these situations that I tend to use pass phrases rather than long random strings of different special characters. Much easier to type 4 or 5 words
> You would be surprised how many websites cut everything after 24/32 digits during registration without notice, but suddenly allow more digits in the login form, leading to login issues.

The input type="password" element allows passing information to browsers / password managers about what the limitations are:

* https://developer.mozilla.org/en-US/docs/Web/HTML/Element/in...

maxlength, minlength, pattern ("A regular expression the value must match in order to be valid").