re: Password max length limits are dumb (but we need them) VIEW POST

TOP OF THREAD FULL DISCUSSION
re: I frequently have my passwords rejected by a web site's max length requirements. Thank you for this article to help explain why the limits exist. A...
 

The OWASP recommendation is to no limit characters that are allowed in a password, but I think you need to have a tradeoff here. You should allow as large a character set as you can, but that means you need to test the character set, unless you want someone's password to take down your system.

I can't think of a good reason to state password rules on a login screen. If you have made your rules open enough, no one should be looking for what special characters are allowed, or a max length limit, or the number of upper case and lower case letters. What rules do you normally see on the sites that do this?

Explaining how you are securely storing data is hard. How much detail do you go into? What information do you leave out? And just because a site is telling you about their security practices, does it mean that they are really doing that?

code of conduct - report abuse