That doesn’t help if someone got a list of their hashes somehow. Then an attacker can use their own system to crack them.
And that’s if they aren’t just storing the passwords as clear text to begin with, which length limitations are often a sign of.
Comment on My password is not accepted because it is too long
Crashumbc@lemmy.world 4 weeks ago
What’s the point? no one is brute forcing a 12-15 password if the login system has ANY login attempt protection anyway.
This seems like one of the extreme overkill things…
JcbAzPx@lemmy.world 4 weeks ago
_skj@lemmy.world 4 weeks ago
Such a small max length is a good indicator they aren’t handling passwords correctly. A modern website should be able to send and hash kilobytes of text without the user seeing a significant delay. Having a max size like this sounds like they are storing the password as text instead of a hash.
Or some dumb project manager said passwords longer than 24 characters look bad in the UI and wanted the limit.
Kissaki@feddit.org 4 weeks ago
Do you check on login attempt protection behavior before creating accounts, and then choose your password length accordingly - longer or shorter?