Password fields with max character counts

1 point by partly_cloudy, over 1 year ago

3 comments

cowsup, over 1 year ago
I recall an old version of vBulletin doing this to me, and it frustrated me enough that I wrote a very similar article. I had a very long password generated for my account, which had moderator permissions. But when I tried to log in, no dice. After a few back-and-forths, I came to the frustrating realization that the "Set Password" screen had a limit, whereas the frontend "Login" page had a separate, or no, limit.

I totally get the need to have a maxlength on your password input, since you don't want to be processing KBs of data each time a user logs in. But, one, make it reasonable (1000 is fine), and two, make it consistent wherever passwords are entered.
avidiax, over 1 year ago
Max character counts and disallowed characters are a really strong sign that the site is transmitting or storing the password in plain text.

It takes essentially no effort to base64 encode a text field of arbitrary length and contents. If you are salting and hashing that password before storing, you would also not care about the contents or length of the password.
zzo38computer, over 1 year ago
There are uses for a maximum length, but it shouldn't be that small; maybe 255 bytes is a reasonable maximum length, because you might like long passwords. Some of the other stuff they mention there (other than the maximum password length) are problems with the browser rather than the web design, though.
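
Added example, not code from the linked article or from any commenter: a sketch of the handling the thread argues for, with one generous byte limit enforced at a single choke point for both set-password and login, and a salted scrypt hash whose stored size does not depend on the password's length or characters. The function names, the 1000-byte limit and the scrypt parameters are assumptions made for this example; `truncating_set_password` reproduces the set/login mismatch described in the first comment.

```python
import hashlib
import hmac
import os

# Assumed policy for this example: generous, and the same on every form.
MAX_PASSWORD_BYTES = 1000
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # assumed work factors
SALT_LEN = 16


class PasswordTooLong(ValueError):
    pass


def _encode(password: str) -> bytes:
    """Single choke point used by set-password AND login."""
    raw = password.encode("utf-8")  # any characters are fine once encoded
    if len(raw) > MAX_PASSWORD_BYTES:
        # Reject loudly; never truncate silently.
        raise PasswordTooLong(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    return raw


def set_password(password: str) -> bytes:
    """Return the record to store: salt followed by the scrypt digest."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(_encode(password), salt=salt, **SCRYPT_PARAMS)
    return salt + digest  # always 48 bytes, whatever the input was


def verify_password(password: str, record: bytes) -> bool:
    try:
        raw = _encode(password)
    except PasswordTooLong:
        return False  # same limit as set_password, so nothing valid is lost
    salt, expected = record[:SALT_LEN], record[SALT_LEN:]
    digest = hashlib.scrypt(raw, salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, expected)


def truncating_set_password(password: str, limit: int = 20) -> bytes:
    """The mismatch bug: this form truncates, the login form does not."""
    return set_password(password[:limit])


if __name__ == "__main__":
    pw = "correct horse 🔋 staple; DROP--" * 20  # constructed sample input
    print(len(set_password(pw)), verify_password(pw, set_password(pw)))
    print(verify_password(pw, truncating_set_password(pw)))
```
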