I personally get very frustrated if websites reject my 128-character randomly generated passwords with some error message like "Password too long, maximum of 16 characters".<p>Are there any (legit) reasons for doing this? I couldn't come up with one, as they should hash them, and it doesn't matter for the hash function whether the input is 1 or 1000 characters long. Performance loss is minimal.<p>It really feels like they are using encryption instead of hashing, which would be a major security issue.
If it was in fact 1-1000 then some nerd would be complaining about <i>muh 1024 convention</i>. Next, the 1MB guy.<p>I don't see how where the line is drawn (and realistically it has to be drawn somewhere for a public service) necessarily implies anything about whether proper hashing is being done.
I am sure you are quite correct - any limitation (within reasonable bounds for a web page control) is a strong indication that a web site is not hashing your password. At best they are encrypting it - and that is bad bad bad.
Depends what you mean by "legit". I once asked a project manager if the client had any legally mandated rules for passwords. The response from the client was (paraphrased) "no legal requirement. Let's go with 6-12 characters, at least one number and one symbol". I suggested a higher (or no) upper limit, but I was told to just give them what they wanted.<p>"It's what the client wants" is a rather legit reason, whether the rules come from a legal standard for their industry or completely out of their rear end.
Maybe they are storing your password in plain text in a VARCHAR(16) field, which is a scary thought. It is also likely that enforcing a short password encourages users to choose passwords that are easy to remember... longer passwords would encourage users to write them down or keep them in a text file.
I never thought about your situation. As a kid web dev I used to limit password size for db issues as 'byoung2' said: like using a VARCHAR(42) or something like that depending on the way I store the hash!
Anyway, next time I'll think about you and allow user more space for password! :)
My bank required that I could only use a 6 character alphanumeric password when signing up. Kind of scary, but then again, it made me choose a super random PW like v3Ff78 whereas most all people in that situation would use their same password for everything, such as baseball. That's my theory anyway.
The only limit that comes to mind is 16kB (IIRC some servers limit at that) for an HTTP header parameter (since presumably it will be posted).<p>But as others have said, the reason is likely to be blind following of poorly thought-out specs.