Devs and PMs: why your passwords are restricted?
1 point by kwanbix on March 9, 2023 | hide | past | favorite | 2 comments
Hello everyone.

Time and time again, whenever I need to open an account on a website (SaaS or otherwise), I find passwords that are restricted in insecure ways: "no more than 12 characters" (or something between 8 and 20) and only letters and numbers.

I use Bitwarden to store and generate my passwords, and I like all of my passwords to include letters (U/L), numbers, AND symbols, and I want my passwords to be 100 characters long for added security.

What is the reason for these restrictions? By the way, not all systems have them, but I would say that at minimum 50% do, if not more. Am I missing something?

Thanks!



Usually it's about legacy compatibility. Some system somewhere makes some assumption, this system is hard to change so rather than attempting to change this system, other systems that interact with it have to adjust themselves, as they are easier to change.

For me, restricting the length is a clear indication that they don't properly secure your password. It should be hashed to a consistent length regardless of the actual length of the clear-text, so it shouldn't matter, even for legacy reasons. If I see that, I know that unless the service is vital, I should try to find an alternative, or be prepared for when they finally get broken into, one way or another. Overall their security tends to be weak if they pull stunts like that.


Yeah, that is the weird thing. Hashing makes everything a moot point.

By the way, I have seen the limits in new endeavors, not only in old companies that might have legacy systems.
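The fixed-length hash that the two comments above are talking about, shown as an added example (this is editor-supplied code, not code from the thread or from any service the poster mentions). It uses scrypt from Python's standard library; the salt size, digest size, scrypt cost parameters and the 4096-byte upper bound are assumptions chosen for illustration. The upper bound is the one kind of length limit that does make sense: a cap of a few kilobytes stops an attacker from feeding megabytes into a deliberately slow KDF, while leaving a 100-character passphrase with any symbols untouched. The stored record is the same 48 bytes whether the password is 7 characters or 1000, so nothing downstream needs a "12 characters max" rule.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative policy constants (assumed for this example, not from the thread).
MAX_PASSWORD_BYTES = 4096      # DoS guard for the KDF, not a usability limit
SALT_LEN = 16                  # random per-password salt
DIGEST_LEN = 32                # scrypt output length
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # ~16 MiB memory cost


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || scrypt(password).

    The result is always SALT_LEN + DIGEST_LEN bytes, independent of the
    clear-text length or character set, so the storage column never needs a
    per-character limit. Only an absurdly large input is refused, and then
    only to keep the KDF from becoming a CPU sink.
    """
    pw = password.encode("utf-8")          # any Unicode, symbols included
    if len(pw) > MAX_PASSWORD_BYTES:
        raise ValueError("password exceeds MAX_PASSWORD_BYTES")
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(pw, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                            p=SCRYPT_P, dklen=DIGEST_LEN)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the digest under the stored salt and compare in constant time."""
    if len(stored) != SALT_LEN + DIGEST_LEN:
        return False
    salt, expected = stored[:SALT_LEN], stored[SALT_LEN:]
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        return False                       # same guard as on the write path
    actual = hashlib.scrypt(pw, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                            p=SCRYPT_P, dklen=DIGEST_LEN)
    return hmac.compare_digest(actual, expected)


def stored_length(password: str) -> int:
    """Length of the record that would be written for this password."""
    return len(hash_password(password))


if __name__ == "__main__":
    # Constructed sample inputs: a short password, a 100-character one with
    # symbols and non-ASCII, and a 1000-character one. All three store as 48 bytes.
    samples = ["hunter2", ("Tr0ub4dor&3!ñ€#" * 7)[:100], "x" * 1000]
    for s in samples:
        print(len(s), "chars ->", stored_length(s), "bytes stored")
    rec = hash_password(samples[1])
    print("verify correct:", verify_password(samples[1], rec))
    print("verify wrong:  ", verify_password(samples[1] + "!", rec))
```

Note that the length check is on UTF-8 bytes, not characters, and that it is applied identically when hashing and when verifying; a mismatch between the two paths is how a "works at signup, fails at login" bug for long passwords typically appears.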



