A website complained at me for trying to make a password too long. Their limit is 40 characters. Oh.
@deshipu @benhamill I agree that is true the vast majority of the time. However, note that for some hash algorithms there are DoS attacks that exploit problems encountered when the plaintext pwd is super duper long.
Also, HTML form fields sorta need a length! I set length to something like 200, 300.
@cognish @benhamill I usually solve that by having a limit on the overall post data size, but you are right that *some* limit is useful.
@benhamill @deshipu Here is an interesting example:
https://stedotmartin.wordpress.com/2015/07/09/wordpress-long-password-denial-of-service-cve-2014-9034-apache-mitigation/
I certainly agree, however, that most of the time when a website says "your password is too long", that is a very bad sign. Especially since the maximum length in these cases is almost always less than, say, 20 characters!