Why do so many companies and people say that your password has to be so long and complicated, just to have restrictions?

I am in the process of changing some passwords (I have peen pwnd and it’s the password I use for use-less-er sites) and suddenly they say “password may contain a maximum of 15 characters“… I mean, 15 is long but it’s nothing for a password manager.

And then there’s the problem with special characters like äàáâæãåā ñ ī o ė ß ÿ ç just to name a few, or some even won’t let you type a [space] in them. Why is that? Is it bad programming? Or just a symptom of copy-pasta?

  • dog@suppo.fi
    link
    fedilink
    arrow-up
    0
    arrow-down
    1
    ·
    edit-2
    1 year ago

    Hashing on client side is both more private, and secure. All the user ever submits is a combined hash (auth/pubkey) of their username + password.

    If the server has that hash? Check the DB if it requires 2FA, and if the user sent a challenge response. If not, fail the login.

    Registering is pretty much the same. User submits hash, server checks DB against it, fail if exists.

    Edit: If data is also encrypted properly in the DB, it doesn’t even matter if the entire DB is completely public, leaked, or secured on their own servers.