Shouldn't the password length be irrelevant since they are hashed anyway? Is a service enforcing a maximum length a sign of plain text passwords being stored or are there legitimate reasons?
I can't explain the artificially low restrictions some banks have beyond using outdated tech or poorly designed database schemas. If I had to guess, it could be an upper limit based on some formula consisting of the average number of registering users combined with hashing CPU cost. That is why OpenSSH has limits on how big of an RSA public key may be accepted. It was set to 32K, not sure what it is currently set to. Unlimited would be a DDoS vulnerability and could potentially get a CVE unless some other mitigating control were in place. But I don't know if that same logic is being used for password hashing and limits, it's just a guess. I could also think of a dozen ways to mitigate such risks, and I am not a developer, so maybe it's something simpler like the answer for crypt [1]. (Answer was reused for this topic; it was originally used for crypt using DES. I've been that chimp.)

[1] - https://security.stackexchange.com/a/33471
As others have said, there are infrastructure reasons to limit password length. But that limit should be set at 128 characters or more. There's no reason, apart from incompetence, why some banks set the password length limit to 12.
You have to limit the content length on the server side to prevent requests from choking up. So usually, instead of having to sync up requirements between client and server, lazy devs just choose a simple number and enforce it globally. Especially for a lot of enterprise apps, the login forms are scattered across multiple systems built by various devs. Some random contractor might just add a length validation out of cargo cult. Also, some databases require you to specify a string length for entries, and inexperienced devs may not understand that hashes have a constant-length output.
The one I hate is for the Supplemental Nutrition Assistance Program in America. Their login system has a limit on character types and length, it expires after a couple of months, and if you fuck up entering it too many times (3) you can only reset by calling them.

Edit: I entered it right three times on a day that their server was fucked up and now I can't log into my account lol! Fuck that, I'm not calling... Well, unless for some reason that disables the card, which it shouldn't...
rzzzwilson nailed it[0] - there has to be a limit so it'll fit in the POST to the server

That said, since you can POST absurdly-large quantities of data, that limit ought to be huge

-------

[0] https://news.ycombinator.com/item?id=37995647
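Added example, not from any commenter in the thread and not any bank's or product's code: the three points raised above (a server-side cap on the request body before it is parsed, a separate and generous per-field password cap, and the fact that the stored hash has a constant length no matter how long the password is, so a fixed-width database column is fine) in a small Python login handler. The limits (8 KiB body, 1024 password bytes, 12-character minimum), the field name `password`, and the `scrypt$salt$key` storage format are assumptions chosen for illustration; scrypt comes from the standard library's `hashlib`.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple
from urllib.parse import parse_qs

# Illustrative limits (assumptions for this example, not any real service's values).
MAX_BODY_BYTES = 8 * 1024      # whole-request cap, checked before the body is parsed
MAX_PASSWORD_BYTES = 1024      # per-field cap; 128+ character passwords fit easily
MIN_PASSWORD_CHARS = 12

# scrypt work factor: n=2**14, r=8 uses 128*r*n = 16 MiB, under hashlib's 32 MiB default.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)
SALT_LEN = 16                  # 16 raw bytes -> 24 base64 characters
KEY_LEN = 32                   # 32 raw bytes -> 44 base64 characters


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$<salt>$<key>': always 76 characters, whatever the input length."""
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        # Reject rather than silently truncate: truncation throws away entropy the
        # user believes is protecting them.
        raise ValueError("password too long")
    salt = os.urandom(SALT_LEN) if salt is None else salt
    key = hashlib.scrypt(pw, salt=salt, dklen=KEY_LEN, **SCRYPT_PARAMS)
    return "scrypt$%s$%s" % (base64.b64encode(salt).decode(), base64.b64encode(key).decode())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, salt_b64, key_b64 = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        return False  # same cap on login, so an attacker cannot force oversized work
    key = hashlib.scrypt(pw, salt=base64.b64decode(salt_b64), dklen=KEY_LEN, **SCRYPT_PARAMS)
    return hmac.compare_digest(key, base64.b64decode(key_b64))


def handle_login_post(headers: dict, body: bytes) -> Tuple[int, str]:
    """Simulated server-side gate for a form POST; returns (status, message-or-hash).

    The body cap is applied first, using both the declared Content-Length and the
    bytes actually received (the header can lie), before any parsing or hashing runs.
    """
    try:
        declared = int(headers.get("Content-Length", "0"))
    except ValueError:
        return 400, "bad Content-Length"
    if declared > MAX_BODY_BYTES or len(body) > MAX_BODY_BYTES:
        return 413, "payload too large"
    try:
        fields = parse_qs(body.decode("utf-8"), keep_blank_values=True, max_num_fields=16)
    except (UnicodeDecodeError, ValueError):
        return 400, "malformed form body"
    password = fields.get("password", [""])[0]
    if len(password) < MIN_PASSWORD_CHARS:
        return 400, "password too short"
    if len(password.encode("utf-8")) > MAX_PASSWORD_BYTES:
        return 400, "password too long"
    # In a real service the hash would be stored in a fixed-width column; here it is
    # returned so the constant output length is visible to the caller.
    return 200, hash_password(password)


if __name__ == "__main__":
    # Constructed sample inputs: a short and a very long password hash to the same width.
    for n in (12, 128, 1000):
        print(n, "chars ->", len(hash_password("p" * n)), "char hash")
    print(handle_login_post({"Content-Length": "100000"}, b"password=" + b"a" * 100000))
    print(handle_login_post({"Content-Length": "1033"}, b"password=" + b"a" * 1024)[0])
```

The body cap returns 413 without decoding anything, which is the "requests choking up" protection; the field cap returns 400 on both registration and login so the expensive hash is never run over an unbounded input; and because the encoded hash is always 76 characters, a `CHAR(76)` column holds it for every user, so the column width gives no reason to cap passwords at 12.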