Seriously, what's the point of setting a maximum limit on a password's length? Do they want to make it not too hard to brute force?

Usually jew companies that are trying to sell you single logon for extra $$$ are doing this, e.g. SAP

Extra characters consume extra space when you save everything in plaintext. Just don't use this piece of shit app instead.

Have to define the length of the value when creating the database. :^)

>inb4 hashes and variable length fields
This is obviously a joke on monkey DBAs that store password in clear text.

ddosing servers by uploading unlimited length passwords

I'm not saying I need a 100+ character password. I just can't believe a limit of 10.

10 is low, 16 is the correct amount.

32 you groid

non-sequitur

good systems store a fixed length hash instead of the actual password, so there's really no good reason to have such abysmally low upper limits

even if for some reason you need to keep the length of the actual password, why not just set aside a byte and have the limit 255?

Because you have to set the max size of a string if you're storing them in a database, which is absolutely the dumbest fucking way of doing authentication ever

If the site poses a restriction on your password length or characters, just guarantee it's a shitty password for that site only, because it's probably stored in plaintext somewhere, and some kid from China is gonna have a look at it and in the same nanosecond try to log in to every other site on the web using the same email/password combination

A byte doesn't mean 255 maximum characters, dumbfuck.

but the hash length isn't dependent on the length of the original password is it? and that's what's stored in the database, not the original password.
I thought many hashing functions truncate past a certain bit limit, making password length irrelevant. Was true for Win NT passwords (past 14 characters), although MS upped that to 127 characters in Win 2000 and later.

pajeet used a char (10)

Hash 6million chars for fun and profit.

>but the hash length isn't dependent on the length of the original password is it?
You'd be surprised how many people still store passwords in plain text.

Hell I have copies of old BBS software from the 80s that allowed user passwords to be up to 16 characters long.

okay fegget listen.

current symmetric recommended key length is 128-bit to 256-bit (example: AES)

if we assume an ASCII encoding, every char in your password has 7 bits

so 128/7 is about 18 chars.
So keep your password length above or equal to 18 chars.

Just a question of the entropy

he means use the 256th byte to store the length of the rest of the password, nerd

But it doesn't make sense to compare password hashing to symmetric encryption. Password hashing should be multiple orders of magnitude more expensive.

a password is a symmetric key. Plus: that's what I learned in the IT Security lesson at my local university

? To do symmetric encryption with a password you should first hash it.

it depends

wtf you still have to brute-force the actual password and not the hashing algo you brainlet

>store the length of the rest of the password
For what purpose? This is pointless.

Maybe their password input field is only 10 characters wide.

But it is retarded either way and a definite red flag.

Yes, and to brute force the password it will take a ridiculous amount of time given a proper hash, even if you have fewer bits of entropy than 128. Which is why you can't compare cracking an RSA key with cracking a password.

You should be setting a high ceiling. One that doesn't ruin user experience but prohibits DoS attacks. Like 512, for example.

Add in the concept of salted hashes and this constitutes a /thread
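As an added example (not code posted by anyone in the thread), here is what "fixed-length salted hash plus a high ceiling" looks like in Python: the stored digest is the same size for a 10-character and a 500-character password, and the 512-byte cap suggested above is checked before the slow KDF runs, so oversized input is rejected without doing any hashing work. The iteration count, salt size and record format are assumed values, not anything from the thread.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed policy values; only the 512 ceiling comes from the thread.
MAX_PASSWORD_BYTES = 512      # high ceiling: blocks multi-megabyte inputs, never bites a real user
PBKDF2_ITERATIONS = 600_000   # deliberately slow, unlike a single AES or SHA operation
SALT_BYTES = 16
DIGEST_BYTES = 32             # stored size is fixed no matter how long the password is


class PasswordTooLong(ValueError):
    """Raised before any hashing work is done, so oversized input costs nothing."""


def _encode(password: str) -> bytes:
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    return raw


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2-sha256$<iterations>$<salt hex>$<digest hex>'.

    The digest is always DIGEST_BYTES long, so a column sized for it holds a
    10-character and a 500-character password equally well, and PBKDF2 uses the
    whole input (no silent truncation like the old 14-character LM limit).
    """
    raw = _encode(password)
    salt = salt if salt is not None else os.urandom(SALT_BYTES)  # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", raw, salt, PBKDF2_ITERATIONS, dklen=DIGEST_BYTES)
    return f"pbkdf2-sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        raw = _encode(password)
    except PasswordTooLong:
        return False          # reject cheaply, before the expensive KDF
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2-sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", raw, bytes.fromhex(salt_hex),
                                    int(iterations), dklen=DIGEST_BYTES)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def stored_digest_bytes(stored: str) -> int:
    """Size of the digest actually kept in the database for a given record."""
    return len(bytes.fromhex(stored.split("$")[3]))
```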