[jfrunyon]

Because then people find out that it ignores a bunch of your password and people's "password12DHpS*yoCTV44cAmg$gJj" is matched by "password123". Or "correct horse battery staple i have the most brilliant password ever" is matched by "correct horse battery staple".

[thih9]

Good point, that was too simplistic. Then again, I guess longer passwords could be preprocessed with another hashing function, one that returns a string of X bytes?

My point is that throwing a "password too long" error, especially for 32 characters or less, feels like a wrong approach to me; no matter the circumstances or the amount of backward compatibility that has to be kept.

[kenniskrag]

I understand your point but then password shucking can be problematic: https://cheatsheetseries.owasp.org/cheatsheets/Password_Stor...

[thih9]

What do you mean by problematic? The source links to YT and I can’t view a YT link.

I assume “problematic” here means “difficult but possible”. If problems arise then I guess it’s a matter of priorities; but I think that not inconveniencing the user with password length limits should be high priority.

[mikestew]

In other words, a modern version of Microsoft LAN Manager:

https://en.wikipedia.org/wiki/LM_hash

Save-ya-a-click: basically what jfrunyon describes, along with a whole lot of other insecurity goodness (and to be fair, LANMan was a long time ago).