I frequently have my passwords rejected by a web site's max length requirements. Thank you for this article to help explain why the limits exist. A couple of quasi-off-topic comments:
Another password rule you sometimes see is limitations on certain special characters. I once came across a server that would crash when you used a certain special character in your password. Since then, when I run across a site that rejects certain special characters, I just assume they are running similar antiquated code that can't handle it.
One UX improvement I've started to see is websites that will tell you their password rules on their login screen (not just on the password set/change screen).
One thing I'd like to see sites start doing is explaining how they protect my password in the event of a data breach. I don't recycle passwords between sites, but I'd still like to know that my passwords are strongly hashed.
The OWASP recommendation is to not limit characters that are allowed in a password, but I think you need to have a tradeoff here. You should allow as large a character set as you can, but that means you need to test the character set, unless you want someone's password to take down your system.
I can't think of a good reason to state password rules on a login screen. If you have made your rules open enough, no one should be looking for what special characters are allowed, or a max length limit, or the number of upper case and lower case letters. What rules do you normally see on the sites that do this?
Explaining how you are securely storing data is hard. How much detail do you go into? What information do you leave out? And just because a site is telling you about their security practices, does it mean that they are really doing that?
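The reply above makes two points worth seeing in code: passwords should be strongly hashed, and if you accept a wide character set you have to test it so an odd character cannot take the system down. The following is an added example, not code from the article or from either commenter. It uses only the Python standard library (hashlib.scrypt, which needs an OpenSSL-backed build) and a constructed list of historically troublesome passwords (quotes, SQL and HTML fragments, control characters, a null byte, non-Latin scripts, emoji, combining characters, a long string); the scrypt cost parameters and the NFKC normalization step are choices made for this example.

```python
import hashlib
import hmac
import os
import unicodedata

# scrypt work factors chosen for illustration; raise them on real hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32


def _to_bytes(password: str) -> bytes:
    # Normalize first so the same visible string typed on different
    # platforms yields the same code points, then encode as UTF-8.
    # Every Python str, including control and null characters, survives this.
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def hash_password(password: str) -> str:
    """Return a self-describing record: scheme, parameters, salt and digest."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(_to_bytes(password), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison against a stored record; malformed records fail closed."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        digest = hashlib.scrypt(_to_bytes(password), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=DKLEN)
        expected = bytes.fromhex(digest_hex)
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(digest, expected)


# Constructed sample passwords covering characters that have historically
# crashed or confused password-handling code.
TRICKY_PASSWORDS = [
    "plain-ascii-password",
    "quotes'and\"double\\backslash",
    "<script>alert(1)</script>",
    "'; DROP TABLE users; --",
    "tab\tnewline\ncarriage\rreturn",
    "null\x00byte",
    "ünïcödé-pässwörd",
    "日本語のパスワード",
    "emoji 🔐🛡️",
    "combining e\u0301 and precomposed é",
    "x" * 256,  # long input: scrypt does not truncate
]


def check_charset_handling(samples=TRICKY_PASSWORDS) -> list:
    """Hash and verify each sample; return a list of (password, reason) failures.

    An empty list means every sample round-tripped, no sample raised, and
    a one-character change to each sample was rejected.
    """
    failures = []
    for pw in samples:
        try:
            stored = hash_password(pw)
            if not verify_password(pw, stored):
                failures.append((pw, "round trip failed"))
            if verify_password(pw + "!", stored):
                failures.append((pw, "wrong password accepted"))
        except Exception as exc:  # a crash here is exactly the bug the comment describes
            failures.append((pw, f"{type(exc).__name__}: {exc}"))
    return failures


if __name__ == "__main__":
    problems = check_charset_handling()
    print("character set check:", "OK" if not problems else problems)
```

Run this as a unit test in the service that stores credentials: the sample list is the place to add any character a user has ever reported as rejected, and a non-empty result is a regression. NFKC normalization means a few visually distinct inputs (for example a ligature and its expanded letters) hash identically; decide deliberately whether that is acceptable before shipping it.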