That one irks me too... When I built an auth/rbac app previously I did make max length configurable and it would display a hint if set. I set a hidden hard limit to 1k only to reduce attack surfaces that would only display an error if exceeded.
Default was a min-length of 15 as the only requirement with the default hint of "try using a short sentence"
I also had optional use of zxcvbn and haveibeenpwned checks during new passphrase creation.
I really wanted to open source the application but couldn't get approval to do so.
It was a pretty nice little simple auth application that issued RSA signed JWT to configured applications. It was integrated into a few internal apps as well as for clients that didn't have something like azure ad, okta, etc. where we wrote bridge apps for auth.
If I had my configuration doc, I'd probably recreate it exactly, but with a Rust backend with HTMX instead of C#+react.
The data store used SQLite as a KV store, with simple methods for access that allowed an exception later for the values. Also wrote support for PostgreSQL and MS-SQL so they could be used where available.
Spent a lot of time on sane defaults, hashing and encryption along with required configuration options for a few clients.
Aside: more devs really need to better understand public/private key generation and usage... Like not using the same keys for different environments.
Even worse, when the password has an arbitrary length requirement of 20, but the site doesn't tell you and just cuts off any trailing characters exceeding the requirement during account creation.
You have no idea how long it took me to figure that one out.
Slightly easier to figure out but no less annoying is when the maxLength attributes on the password fields for the two forms (create account and login) are different.
Even worse, some will simply arbitrarily silently truncate the password. But not everywhere! The sign up page might silently truncate and then the actual login page might not.
What happened to me once is that a long-time password of mine got truncated as the website lowered its maximum password length, and the login page didn't truncate, so my full correct password suddenly stopped working. The pain.
Several comments mention passwords getting silently truncated by input maxlength. FWIW my extension provides a visible warning when this occurs: https://underpassapp.com/StopTheMadness/
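One way to implement the policy described in the first comment (min length 15 as the only default, a configurable maximum announced in the hint, and a hidden 1k hard limit that errors instead of truncating), alongside the silent-truncation mismatch the later comments complain about, as an added example that is not code from any commenter's application; `HARD_MAX_LENGTH`, `PassphrasePolicy` and the helper names are assumptions:

```python
import hmac
from dataclasses import dataclass
from typing import List, Optional

# Hidden hard ceiling (assumed name): input beyond it is rejected with an error,
# never cut, so oversized input does not reach hashing and is not silently altered.
HARD_MAX_LENGTH = 1000


@dataclass(frozen=True)
class PassphrasePolicy:
    min_length: int = 15            # the only requirement by default
    max_length: Optional[int] = None  # optional; shown in the hint when set

    def hint(self) -> str:
        text = "try using a short sentence"
        if self.max_length is not None:
            text += f" (at most {self.max_length} characters)"
        return text

    def check(self, passphrase: str) -> List[str]:
        """Return the list of violations; an empty list means accepted.
        The same check must run on sign-up and on login so both forms agree."""
        n = len(passphrase)
        if n > HARD_MAX_LENGTH:
            return [f"passphrase exceeds the {HARD_MAX_LENGTH}-character limit"]
        problems = []
        if n < self.min_length:
            problems.append(f"passphrase must be at least {self.min_length} characters")
        if self.max_length is not None and n > self.max_length:
            problems.append(f"passphrase must be at most {self.max_length} characters")
        return problems


def signup_truncating(passphrase: str, max_length: int) -> str:
    """The anti-pattern from the thread: cut silently to max_length and store that."""
    return passphrase[:max_length]


def login_matches(stored: str, submitted: str) -> bool:
    """A login page that does NOT truncate: compares the full submitted value."""
    return hmac.compare_digest(stored.encode(), submitted.encode())


if __name__ == "__main__":
    policy = PassphrasePolicy(max_length=20)
    print(policy.hint())
    print(policy.check("a" * 25))                 # rejected, not cut
    stored = signup_truncating("a" * 25, 20)      # silently stored as 20 chars
    print(login_matches(stored, "a" * 25))        # False: full passphrase fails
```

The last two lines reproduce the failure mode from the thread: a sign-up form that truncates and a login form that does not will reject the user's real passphrase.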