What is the sense of permitting the user to use no passwords longer than xx chars?

It's more like a usability question or maybe database, or even maybe security (consider injection attacks) but what is the sense of permitting the user's password to a be not longer than xx chars? It does not make any sense to me, because longer passwords are mostly considered better and even harder to crack, and some users use password safes, so the password length should not matter.

I understand that passwords with more than 20 chars are hardly to remember, but if you use diceware or password safe you don't have any problem with that. I really cant understand why there are sites that say "your password need to be between 5 and 8 chars"...

also should the password saved as hash, so the length of the field in the database is fixed, so where is the problem?

I think that most of the sites where the password is has to be a fixed length are not even using any hashing method.


Whenever you see an upper limit for your choice of a password, you can guess that they want to store it un-hashed. And that's really bad.

Passwords are 'the longer the better' and they should also be composed of letters from an alphabet as big as possible. The differences are quite well explained here: https://www.grc.com/haystack.htm

Need Your Help

C# start thread with function having delegate parameter

c# multithreading delegates

public delegate bool FunctieCompara(int a, int b); this is the delegate

How to get variables from exception code block

java exception-handling

I want to get user1.name variable from public static void FileRead()to private void jButton1ActionPerformed but It doesn't read user1.name. Can you explain me how can I use that variable.