[JonChesterfield]

Shout out to forms which error out with "Password too long! Must be at most ten characters. All from this subset of ascii". Which seems especially popular with banks.

[nullfield]

I suspect, somehow, that this is stupidity with the bank's processing core systems, which ... things are weird with financials.

They buy someone out, and now there are two systems. Glued together with duct tape. Then they release a new web product, or mobile app, or whatever, and that gets taped on too. Duct tape and spit all the way down, with everything eventually limited by the most broken part (if you're lucky).

[kdomanski]

Yeah, banks unfortunately have their opinionated checklists of “best practices”, also know as “what every other bank does”.

[alwaysbeconsing]

Very frustrating that any place where I can store code has way more security than what's more important to me: place where I store my money. Financial companies still using SMS for 2FA!

[tdudhhu]

Sometimes I can understand this because banks work with old software that just has these restrictions.

But modern apps: just give us Unicode support. And maybe a limit of 255 characters, but not less.

[tazu]

Noticed the other day BCrypt has a max input size of 72 bytes.

[tdudhhu]

Ah ofcourse. My bad. I was thinking about other restrictions like usernames. For passwords there should not be any.

[tazu]

That's what I'm saying. Passwords should probably have a reasonable limit like 72 bytes.

[tazu]

Ran into this with TikTok "Creator Marketplace" (for buying ads), password limit of 20 characters... $200B company.