re: Password max length limits are dumb (but we need them)

re: Except for the form submission limits you are simply wrong. Hashing passwords regardless their length can result in a fixed length hash. Therefore ...
 

Wrong how? And hashing and encryption are two different things that shouldn't be confused.

Yes hashing does mean that it will end up a fixed length, but before you get the hash you have:

  • The user's browser/app
  • Any Web Application Firewalls between you and the user
  • The server application receiving the password
  • The frameworks you are using
  • The hashing algorithm

You should be testing that all of them support the longest password you allow, which, without a max limit set, is infinite and impossible to test.

Password Strength Meters - I think these should be indicative, rather than absolute. A minimum length password of all lowercase letters should be marked as insecure. Something more complex is better. Long and randomly generated is best. Disallowing previously breached and common passwords is more important than the password strength meter, but using them both together is a good way to give users visual, understandable feedback.

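As an added example (not code from the comment above or from the original post), here is the kind of check the comment's argument calls for at the last layer in that list, the hashing algorithm: hash two passwords of the maximum allowed length that differ only in their final character, for both single-byte and multi-byte UTF-8 text, and confirm the hasher tells them apart. If it does not, the tail of the password is being silently discarded before it is hashed. The `pbkdf2_hash` and `truncating_hash` callables, the 16-byte fixed salt and the 128-character policy limit are constructed for illustration; the 72-byte stand-in imitates bcrypt, which only uses the first 72 bytes of its input, and is not a real hasher. The example also shows why a limit advertised in characters must be checked against a hasher that counts bytes.

```python
"""Pre-deployment check: does the password hashing path handle the longest
password the policy allows, or does it truncate it without telling anyone?

Added example with constructed stand-ins; not the code of any real project.
"""
import hashlib
import hmac

# Hypothetical policy limit as shown to users in the UI, in characters.
MAX_PASSWORD_CHARS = 128

# Fixed salt so the two hashes in each comparison differ only by password.
FIXED_SALT = b"\x00" * 16

# Low iteration count so the check runs fast; a real deployment uses far more.
ITERATIONS = 10_000


def pbkdf2_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for a hasher that consumes the whole input (no truncation)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def truncating_hash(password: str, salt: bytes) -> bytes:
    """Constructed stand-in for a hasher that ignores input past 72 bytes
    (bcrypt behaves this way).  Everything past byte 72 never reaches the KDF,
    so two passwords sharing the same first 72 bytes hash identically."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8")[:72], salt, ITERATIONS)


def supports_max_length(hash_fn, max_chars: int, salt: bytes = FIXED_SALT) -> bool:
    """Return True if hash_fn distinguishes two max_chars-long passwords that
    differ only in their final character, for both a 1-byte filler ('a') and a
    2-byte UTF-8 filler ('é').  The multi-byte case catches hashers that limit
    bytes while the UI limits characters."""
    for filler in ("a", "\u00e9"):
        base = filler * (max_chars - 1)
        digest_x = hash_fn(base + "x", salt)
        digest_y = hash_fn(base + "y", salt)
        if hmac.compare_digest(digest_x, digest_y):
            return False  # final character was thrown away before hashing
    return True


def within_limit(password: str, max_chars: int) -> bool:
    """Server-side length check in the same unit the UI advertises.  Input
    over the limit should be rejected here, not silently cut by a later layer."""
    return len(password) <= max_chars


if __name__ == "__main__":
    for name, fn in (("pbkdf2", pbkdf2_hash), ("72-byte stand-in", truncating_hash)):
        ok = supports_max_length(fn, MAX_PASSWORD_CHARS)
        print(f"{name}: {'supports' if ok else 'TRUNCATES at'} {MAX_PASSWORD_CHARS} chars")
    # 72 chars fits the 72-byte stand-in only if every character is one byte.
    print("72-byte stand-in at 72 chars:", supports_max_length(truncating_hash, 72))
    print("72-byte stand-in at 36 chars:", supports_max_length(truncating_hash, 36))
```

Run the same check against every layer you own, not just the hasher: the same two passwords pushed through the form, the WAF and the framework should still arrive distinct at the server. The 72-character case is the one to notice: a limit of 72 characters passes for ASCII and fails for non-ASCII against a 72-byte hasher, so the unit of the limit matters as much as its value.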