Small rant incoming. I just went to look at applying to Walmart, and when going to make an account their password requirements were 8-11 characters. What kinda nonsense is that? Some terribly made backend I’d assume. It’s bad enough I gotta make a million accounts when applying to jobs but then you got my PII sitting behind such terrible password requirements it makes me wonder where else they are cutting corners on security.

  • Scott@lem.free.as · ↑44 · 1 day ago

    All stored passwords should be salted and hashed. That means each one uses the same amount of space, regardless of original length.

    There should definitely be a minimum length but not a maximum (within limits; let’s not break web standards or the laws of thermodynamics).

    • NullNet@lemmy.blahaj.zone (OP) · ↑7 · 1 day ago

      You mentioned salting and hashing; that reminds me of places that used to put companies on blast for storing passwords in plaintext.

    • ohwhatfollyisman@lemmy.world · ↑6 · 1 day ago

      … 8-11 characters.

      shouldn’t be a problem. take the dwarves and Snow White as a minimum. throw in the evil stepmom, woodsman, and magic mirror if you need them.

  • graycube@lemmy.world · ↑11 ↓3 · 23 hours ago

    If you allow unlimited length inputs of any kind, someone will break your system. 11 is way too short. But you do need some sort of maximum, even if it is very large.

    • invertedspear@lemm.ee · ↑14 · 17 hours ago

      If you’re storing the password in the form the user entered it, you’re doing it wrong already.

      • graycube@lemmy.world · ↑3 · 12 hours ago

        Even if you aren’t storing it, if you allow unlimited length someone will break your stuff.

    • Empricorn@feddit.nl · ↑6 · 19 hours ago

      I just went to look at applying to Walmart

      I’m assuming they meant online. I don’t know what it’s like where you are, but basically every employer requires an account to submit an application…

    • Hamartiogonic@sopuli.xyz · ↑10 ↓1 · 1 day ago

      Why stop there? 128 or 256 sound much nicer. Actually, while you’re at it, 4096 should be enough to fit a short story.

      • cynar@lemmy.world · ↑4 ↓1 · 21 hours ago

        There are use cases where long passwords could be problematic. 64 would be long enough for most purposes, but short enough not to cause issues for things like microcontrollers.

        It should be paired with a strongly recommended larger value, however.

  • shortwavesurfer · ↑2 ↓2 · 23 hours ago

    I use my password manager to generate 32-character or 64-character passwords whenever possible.

    That’s actually a good part of why I trust cryptocurrency over my bank because my bank has all sorts of personally identifiable information and stupid short password requirements where cryptocurrency has no personally identifiable information and seeds are extremely long and complex.
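
An added example, not part of any comment in this thread: a salted password hash whose stored record is the same size for a 9-character and a 2,900-character password, with a generous input cap enforced before any hashing work is done. PBKDF2, the 4096-byte cap, the iteration count and all names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

MIN_LEN = 8            # minimum from the policy quoted in the thread
MAX_BYTES = 4096       # assumed generous cap (the thread floats 64 up to 4096)
ITERATIONS = 600_000   # assumed PBKDF2 work factor; tune for your hardware
SALT_LEN = 16
HASH_LEN = 32


class PasswordPolicyError(ValueError):
    """Raised when a password is rejected before any hashing work is done."""


def _encode(password: str) -> bytes:
    # Bound the input first so an oversized request never reaches the KDF.
    raw = password.encode("utf-8")
    if len(password) < MIN_LEN:
        raise PasswordPolicyError("password too short")
    if len(raw) > MAX_BYTES:
        raise PasswordPolicyError("password too long")
    return raw


def hash_password(password: str, iterations: int = ITERATIONS) -> bytes:
    """Return salt || derived key: always SALT_LEN + HASH_LEN bytes."""
    raw = _encode(password)
    salt = os.urandom(SALT_LEN)  # fresh random salt per password
    key = hashlib.pbkdf2_hmac("sha256", raw, salt, iterations, dklen=HASH_LEN)
    return salt + key


def verify_password(password: str, record: bytes,
                    iterations: int = ITERATIONS) -> bool:
    try:
        raw = _encode(password)
    except PasswordPolicyError:
        return False  # out-of-policy input can never match a stored record
    salt, expected = record[:SALT_LEN], record[SALT_LEN:]
    key = hashlib.pbkdf2_hmac("sha256", raw, salt, iterations, dklen=HASH_LEN)
    return hmac.compare_digest(key, expected)  # constant-time comparison


if __name__ == "__main__":
    short = hash_password("Sn0wWhite")  # constructed sample passwords
    long_ = hash_password("correct horse battery staple " * 100)
    print(len(short), len(long_))  # both records are the same size
```
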