[egsec]

"you can enter any arbitrary text afterwards is so that if someone is looking over you shoulder they can't tell that it only accepts 8"

Except it is public knowledge that there is an 8-character limit. Very basic footprinting would make it clear to only pay attention to the first 8 characters.

[deeviant]

Right it would only work if they happen to start looking at you type after you started typing, in which case they wouldn't have your full password any ways.

But in the case they see the full thing, they would write in down, go to try it, maybe type out the whole thing without even noticing there was a restriction, type ok, and bam there in. If they do notice the password could only hold 8 chars, what are the odds they wouldn't try what they have for the hell of it?

The dude must have been talking out of his behind.