Back then, when they enforced a maximum 16 character password, I saw enough security. Are they storing them in plaintext or what? Btw, I think they increased the limit to 32 now.
Well, 72 bytes is still far away from 16 characters. Also, nearly every website is able to allow passwords longer than 16 chars, so it is definitely possible somehow!? This limit is ridiculous.
Because then people find out that it ignores a bunch of your password and people's "password12DHpS*yoCTV44cAmg$gJj" is matched by "password123". Or "correct horse battery staple i have the most brilliant password ever" is matched by "correct horse battery staple".
Good point, that was too simplistic. Then again, I guess longer passwords could be preprocessed with another hashing function, one that returns a string of X bytes?
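The two points raised above, that a hash with an input cap silently matches a long password against its prefix, and that pre-hashing to a fixed size avoids the cap, can be checked concretely. The block below is an added example, not code from anyone in this thread: it models bcrypt's 72-byte cap (bcrypt itself is not called; the `bcrypt.hashpw` step is only named in a comment), then shows the pre-hash approach with HMAC-SHA256 plus base64 so the material bcrypt receives is 44 bytes and contains no NUL byte (most bcrypt implementations stop at the first NUL, so a raw digest would be truncated again). The pepper and the sample passphrases are constructed for the example.

```python
import base64
import hashlib
import hmac

# bcrypt keys on at most the first 72 bytes of its input and, in most
# implementations, stops at the first NUL byte. Everything after is ignored.
BCRYPT_MAX_BYTES = 72

# Constructed demo pepper; a real deployment keeps this outside the database.
DEMO_PEPPER = b"constructed-demo-pepper"

# Constructed sample inputs: two passwords that differ only past the 72nd byte.
_PREFIX = "correct horse battery staple " * 3          # 87 bytes, already past the cap
LONG_A = _PREFIX + "i have the most brilliant password ever"
LONG_B = _PREFIX + "!!!"


def truncate_like_bcrypt(password: str) -> bytes:
    """Model of what a bcrypt implementation actually keys on: the UTF-8
    bytes cut at 72, and at the first NUL byte if one comes earlier.
    This is a model of the cap, not bcrypt."""
    raw = password.encode("utf-8")[:BCRYPT_MAX_BYTES]
    nul = raw.find(b"\x00")
    return raw if nul == -1 else raw[:nul]


def prehash_for_bcrypt(password: str, pepper: bytes) -> bytes:
    """Turn an arbitrary-length password into fixed-size material bcrypt can
    consume in full: HMAC-SHA256 under a server-side pepper, base64-encoded.
    32-byte digest -> 44 base64 bytes, below the cap and free of NUL bytes.
    The next step would be bcrypt.hashpw(material, bcrypt.gensalt()) (assumed,
    not invoked here)."""
    digest = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest)


def collide_under_truncation(a: str, b: str) -> bool:
    """True when the cap alone would make bcrypt treat a and b as the same password."""
    return truncate_like_bcrypt(a) == truncate_like_bcrypt(b)


def collide_after_prehash(a: str, b: str, pepper: bytes) -> bool:
    """True when the pre-hashed material for a and b is identical (constant-time compare)."""
    return hmac.compare_digest(prehash_for_bcrypt(a, pepper), prehash_for_bcrypt(b, pepper))


if __name__ == "__main__":
    print("truncated collision:", collide_under_truncation(LONG_A, LONG_B))       # True
    print("prehashed collision:", collide_after_prehash(LONG_A, LONG_B, DEMO_PEPPER))  # False
    print("material length:", len(prehash_for_bcrypt(LONG_A, DEMO_PEPPER)))        # 44
```

The pepper is what makes the pre-hash step safe to add in front of bcrypt: without it, an attacker who obtains the bcrypt hashes can feed candidate SHA-256 outputs directly, which is no worse than plain bcrypt but also no better, and the pepper keeps a database-only leak insufficient for offline guessing. The same wrapper also turns a "password too long" rejection into a non-issue, since the length of the material bcrypt sees never depends on the length of the user's password.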
My point is that throwing a "password too long" error, especially for 32 characters or less, feels like a wrong approach to me; no matter the circumstances or the amount of backward compatibility that has to be kept.
What do you mean by problematic? The source links to YT and I can’t view a YT link.
I assume “problematic” here means “difficult but possible”. If problems arise then I guess it’s a matter of priorities; but I think that not inconveniencing the user with password length limits should be high priority.