Please, please, please... do not set maximum lengths on passwords. [1]
It's 2020, you should be hashing [2] your passwords (so the output is constant length no matter what the input). Password strength is based on two things: entropy (randomness) and length. Since people are usually bad at entropy, let them enter long passwords or passphrases if they want to. Also it sucks for people with password managers to have to generate custom rules. Accept any character, even spaces (you're hashing the password, so you can even accept ';-- for that matter), for passphrases.
[1] If you really want to set one to avoid 1GiB passwords, put it at 256 characters, so that password managers can go wild.
[2] Yes, I mean hashing + salting, don't roll it yourself and use bcrypt.
I know this is a training exercise, but cargo cult security is real.
Maybe archaic systems, and also, shorter lengths are easier to make test cases that are easy for inspection. Most programming challenges I know are usually short and sweet (unless we're dealing with huge data deliberately).
Please, please, please... do not set maximum lengths on passwords. [1]
It's 2020, you should be hashing [2] your passwords (so the output is constant length no matter what the input). Password strength is based on two things: entropy (randomness) and length. Since people are usually bad at entropy, let them enter long passwords or passphrases if they want to. Also it sucks for people with password managers to have to generate custom rules. Accept any character, even spaces (you're hashing the password, so you can even accept ';-- for that matter), for passphrases.
[1] If you really want to set one to avoid 1GiB passwords, put it at 256 characters, so that password managers can go wild.
[2] Yes, I mean hashing + salting, don't roll it yourself and use bcrypt.
I know this is a training exercise, but cargo cult security is real.
Maybe archaic systems, and also, shorter lengths are easier to make test cases that are easy for inspection. Most programming challenges I know are usually short and sweet (unless we're dealing with huge data deliberately).
Nice idea but it's not always your choice.
Case in point, you're advocating using bcrypt when bcrypt itself can only support 72 characters maximum, anything larger is truncated.