It's easier for me to remember really long passphrases than even short alphanumeric strings - small maximum password lengths set my teeth on edge. The passwords should be getting hashed anyway right?
reply
The problem is that you never really know what a website operator does with your credentials. Ideally, you have both a unique email and a unique password for each site, because sadly credential stuffing [1] is a thing.

[1] https://en.wikipedia.org/wiki/Credential_stuffing

reply
Should being the operative word...
reply
I bet the rationale would be "anything over 12 characters will be too hard to remember and people will just write down the password."
reply
But it's a maximum. It prevents people that want to use passphrases from doing so.
reply
I think we (whoever we is) should start normalizing the concept of passphrases; on sign-up screens they should show the benefits of a passphrase. I'm surprised that Google's PW generator does not use passphrases, and I don't know about iOS because I haven't tried theirs yet.

I started using passphrases after I saw this xkcd https://xkcd.com/936/

When I'm trying to log into something on a device that has a terrible keyboard, like a TV or giant touchscreen, it's a lot easier to type words I know than gibberish.

reply
correct horse battery staple; knew it before I clicked the link.
reply
Until the late 2010s, the AD account password at my financial institution employer was capped at 12 characters because, for a subset of workers, AD creds were synced to a mainframe application that could only support that many characters.
reply
I recommend all my friends and family to use a password manager like Bitwarden, and if they can't do that for some reason, at least use a 3-word passphrase separated by a hyphen.

The number of times people have complained to me that this doesn't work because of low max-chars on passwords is insane.

reply
One time I had to reset my password with the power company - they had such a system, and the lady had to read me something like:

Uh4zB4DP55WD!

Apparently I was a bit salty with the system when I set it.

The fact that she shouldn't have even been able to look up the password in the first place due to hashing was lost on her.

reply
That's pretty funny on a few levels, not in the least that they required a "secure" password like that but stored them in plain text.
reply
I regularly conduct transactions at the branch of my local bank wherein they ask me for no credentials whatsoever. I also once forgot to bring my account number with me and the teller said "no worries, I'll look it up for you." Kind of horrifying.
reply
Oh! But that’s safe! Secret question time: What’s your mother’s maiden name?
reply
It helps that it’s a jailable offense to make fraudulent transactions.
reply
My bank’s password field is case insensitive. Of course they could have lowercased it before hashing but I doubt it.
reply
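Two points in this thread come up repeatedly: a properly hashed password has no reason for a tiny maximum length, and a case-insensitive password check can only coexist with hashing if the site folds case before hashing (which costs entropy). The following is an added example, not code from any commenter; it uses the standard-library PBKDF2-HMAC (a memory-hard function such as Argon2id would be the production choice, but the length argument is identical), and the `register`/`verify`/`case_variants` names and the stored-record layout are this example's own assumptions.

```python
import hashlib
import hmac
import os
import unicodedata

# Work factor for PBKDF2-HMAC-SHA256. A real deployment tunes this number;
# what matters for the thread's point is that the input length is irrelevant:
# a 12-character string and a 500-character passphrase both yield 32 bytes.
ITERATIONS = 100_000


def _normalize(password: str) -> bytes:
    # NFKC so the same visible passphrase typed on different keyboards hashes
    # identically. No length cap is applied anywhere in this pipeline.
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def register(password: str, *, case_insensitive: bool = False) -> dict:
    """Return the record a site would store: random salt + PBKDF2 digest.

    With case_insensitive=True the password is case-folded *before* hashing,
    which is the only way a hashed store can accept 'PassWord' for 'password'.
    The cost is that every case spelling collapses to one candidate (see
    case_variants below).
    """
    if case_insensitive:
        password = password.casefold()
    salt = os.urandom(16)  # per-user salt; stored alongside the digest
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(password), salt, ITERATIONS)
    return {"salt": salt, "digest": digest, "case_insensitive": case_insensitive}


def verify(record: dict, attempt: str) -> bool:
    """Recompute the digest for a login attempt and compare in constant time."""
    if record["case_insensitive"]:
        attempt = attempt.casefold()
    candidate = hashlib.pbkdf2_hmac(
        "sha256", _normalize(attempt), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(candidate, record["digest"])


def case_variants(password: str) -> int:
    """How many distinct case spellings a case-insensitive check treats as equal.

    Each cased letter doubles the number of spellings, so this is the factor by
    which the guessing space shrinks when case is folded before hashing.
    """
    cased = sum(1 for ch in password if ch.isalpha() and ch.lower() != ch.upper())
    return 2 ** cased


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    long_phrase = "correct horse battery staple and forty more characters of passphrase"
    rec = register(long_phrase)
    print("long passphrase accepted:", verify(rec, long_phrase))          # True
    print("digest bytes for 500-char input:", len(register("x" * 500)["digest"]))  # 32

    ci = register("Uh4zB4DP55WD!", case_insensitive=True)
    print("case-insensitive login accepts lowercase:", verify(ci, "uh4zb4dp55wd!"))  # True
    print("spellings collapsed by case folding:", case_variants("Uh4zB4DP55WD!"))  # 256
```

The record never contains the password itself, so a support agent with database access could not read it back the way the power-company commenter describes; if a site can quote your password to you, it is stored reversibly. One caveat worth knowing when choosing the hash: bcrypt silently truncates input at 72 bytes, so a site using it should pre-hash or pick a function without that limit, but even that limit is an order of magnitude above the 12-character caps discussed here.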
Yeah I was a bit shocked... like... you're not supposed to know that!
reply