It’s infuriating to create a “strong password” with letters, numbers, upper and lowercase, symbols, and non-repeating text… but it has to be only 8 to 16 characters long.

That’s not a “strong” password, random characters or not.

Is there a limitation that somehow prevents these sites from allowing more than 16 characters?

I’m talking government websites, not just forums. It seems crazy to me.

  • sugar_in_your_tea@sh.itjust.works
    7 days ago

    Which is dumb because passwords should be treated as opaque bytes, then salted and hashed. If your code breaks due to invalid Unicode, your code is broken.

    • jagged_circle@feddit.nl
      6 days ago

      No. If you’re salting and hashing your passwords, you’re doing it wrong.

      We have password-specific memory-hard functions like Argon that you should be using.
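
The points raised in this thread, as an added example that is not part of the thread or written by any commenter: the password is handled as opaque bytes with no length or character restriction, and the stored record has the same size whatever the input. It uses scrypt from Python's standard library as a stand-in memory-hard function rather than the Argon family named in the last comment; the cost parameters, the record format and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters (about 16 MiB per hash); tune for your hardware.
N, R, P = 2**14, 8, 1
SALT_LEN, KEY_LEN = 16, 32
MAXMEM = 64 * 1024 * 1024


def _to_bytes(password):
    """Treat the password as opaque bytes; never reject on length or charset."""
    if isinstance(password, bytes):
        return password
    # surrogatepass keeps even ill-formed Unicode strings from raising here
    return password.encode("utf-8", "surrogatepass")


def hash_password(password, salt=None):
    """Return a self-describing record: scrypt$N$r$p$salt_hex$key_hex."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    key = hashlib.scrypt(_to_bytes(password), salt=salt, n=N, r=R, p=P,
                         maxmem=MAXMEM, dklen=KEY_LEN)
    return f"scrypt${N}${R}${P}${salt.hex()}${key.hex()}"


def verify_password(password, record):
    """Recompute with the stored parameters and compare in constant time."""
    scheme, n, r, p, salt_hex, key_hex = record.split("$")
    if scheme != "scrypt":
        return False
    expected = bytes.fromhex(key_hex)
    key = hashlib.scrypt(_to_bytes(password), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p),
                         maxmem=MAXMEM, dklen=len(expected))
    return hmac.compare_digest(key, expected)


if __name__ == "__main__":
    # Constructed sample inputs: short, 203-character, and non-ASCII passwords
    for pw in ("hunter2", "correct horse battery staple " * 7, "pässwörd🔑"):
        rec = hash_password(pw)
        print(len(pw), len(rec), verify_password(pw, rec))
```

Every record printed has the same length, so the database column size gives no reason to cap passwords at 16 characters.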