Mostly Water is a user on mastodon.xyz.

A website complained at me for trying to make a password too long. Their limit is 40 characters. Oh.

@benhamill Whenever I see a length limit on a password field this tells me one thing: "we store your password, not its hash".

@deshipu @benhamill I agree that is true the vast majority of the time. However, note that for some hash algorithms there are DoS attacks that exploit problems encountered when the plaintext pwd is super duper long.

Also, HTML form fields sorta need a length! I set length to something like 200, 300.

Mostly Water @cognish

@benhamill @deshipu Here is an interesting example:

stedotmartin.wordpress.com/201

I certainly agree, however, that most of the time when a website says "your password is too long", that is a very bad sign. Especially since the maximum length in these cases is almost always less than, say, 20 characters!

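Added example, not part of the thread: a server-side sketch of the trade-off discussed above, where a generous length cap is checked before the slow hash runs and the stored record has a fixed size regardless of password length. The cap of 256, the PBKDF2 parameters and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed values for this sketch, not taken from any site in the thread.
MAX_PASSWORD_CHARS = 256      # generous cap, in the "200, 300" range mentioned above
PBKDF2_ITERATIONS = 200_000   # assumed work factor
SALT_BYTES = 16


class PasswordTooLong(ValueError):
    """Raised when input exceeds the cap, before any hashing is done."""


def _derive(password: str, salt: bytes) -> bytes:
    # Reject oversized input before any expensive work, so a multi-megabyte
    # "password" costs the server a length check and not a KDF run.
    if len(password) > MAX_PASSWORD_CHARS:
        raise PasswordTooLong(f"limit is {MAX_PASSWORD_CHARS} characters")
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def hash_password(password: str) -> str:
    salt = os.urandom(SALT_BYTES)
    digest = _derive(password, salt)
    # The stored record is the same size for a 7-character password and a
    # 200-character one, so storage gives no reason for a short limit.
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    salt_hex, digest_hex = record.split("$")
    try:
        candidate = _derive(password, bytes.fromhex(salt_hex))
    except PasswordTooLong:
        return False  # over-length login attempts fail cheaply
    # Constant-time comparison of the derived and stored digests.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```
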