Password Entry Limit - why just why?

Any idea why some websites (quite a few gaming companies spring to mind) only let your password be no more than 6-10 characters?

Any ideas why they restrict your password lengths? :rolleyes:
 
A few gaming sites do it.

Might be Planetside or MechWarrior, some free-to-play ones I believe... it's very weird.
 
Yeah, I'd imagine it's to prevent some extra support calls/tickets about forgotten passwords, but I don't think that would change much with size really.

Could have a 20-char password that's very simple and an 8-char one that's complex?

Seems very silly.
 
I'd suggest it is over-zealous programmers insisting on saving processing/hard drive overheads.

If you limit your passwords to 10 characters - nvarchar(10) - it means your database can store more logins than if you used nvarchar(max), or even nvarchar(11). Programmers can be a bit funny about saving milliseconds of time. If they can show that limiting your password to 6 characters will make the website move 0.001 seconds quicker, they'll do it.

But in reality, to do that and notice the effect you'd need millions of users, all using very long passwords on pretty old hardware. Today's modern servers shouldn't need to limit passwords to anything less than 50 characters, even if they have tons of users.
 
What sites do that? I usually see like a 6-char minimum, can't remember ever seeing a max like that lol

National Lottery .com has a limit, but it works via truncation.
For years I thought I had a rather long password, and it wasn't until I tried to change it that I was made aware that on changing password the extra characters are not automatically truncated, so the site wouldn't let me change it.

I found it odd, could be worth 93 million that password tonight :P Unlikely.
 
Never come across any personally. More likely to see sites requiring passwords to be 6 characters or greater.

Only reasons I can see for this are:-

Legacy or outdated systems that are still being used.
Company preference (for whatever reason).
Nobody knows what they're doing (most likely).
 
I'd suggest it is over-zealous programmers insisting on saving processing/hard drive overheads.

If you limit your passwords to 10 characters - nvarchar(10) - it means your database can store more logins than if you used nvarchar(max), or even nvarchar(11). Programmers can be a bit funny about saving milliseconds of time. If they can show that limiting your password to 6 characters will make the website move 0.001 seconds quicker, they'll do it.
People's passwords as nvarchar(10) in the DB? :eek:
 
I imagine it's to save resources. Hashing/salting and then checking against the DB each time, with thousands doing it, could in theory be quite resource intensive.
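An added example (not from any poster in this thread) that puts the last two points, and the earlier truncation story, into working code: a properly hashed password occupies a fixed number of bytes no matter how long the input, so a short nvarchar column buys nothing, and a site that silently truncates before hashing accepts any string sharing the first N characters. The iteration count, salt length and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative parameters: the iteration count is kept low so the demo runs
# quickly; a production deployment would use a much higher work factor.
ITERATIONS = 100_000
SALT_LEN = 16   # bytes of random salt
HASH_LEN = 32   # bytes of derived key; fixed regardless of password length


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password). Always SALT_LEN + HASH_LEN bytes."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             ITERATIONS, dklen=HASH_LEN)
    return salt + dk


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the derived key and compare it in constant time."""
    salt, dk = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    ITERATIONS, dklen=HASH_LEN)
    return hmac.compare_digest(candidate, dk)


def stored_size(password: str) -> int:
    """Bytes the database column must hold for this password: always 48 here."""
    return len(hash_password(password))


def register(password: str, max_len: Optional[int] = None) -> bytes:
    """Models a sign-up form. With max_len set, the site silently truncates the
    password before hashing, as the lottery and Gameseek posts describe."""
    if max_len is not None:
        password = password[:max_len]
    return hash_password(password)


def truncating_verify(password: str, stored: bytes, max_len: int) -> bool:
    """A login that also truncates: anything sharing the first max_len
    characters is accepted, so the extra characters add no strength."""
    return verify_password(password[:max_len], stored)
```

With a 20-character password registered under a 16-character truncation, the full password fails a non-truncating login, which is exactly the failure the Gameseek post below reports.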
 
Sloppy design. Short passwords are easier to brute force. The other one that is a big red flag to me is when a password reset gives you back the plain text password.

Sites that do this don't get my card or bank details.
 
Hotmail even does this to some extent. It's a bandwidth thing more than a back end storage issue. You can push a few general checks out to the client (your web browser) but in the end those extra 0's and 1's add up when you have millions of users.
 
I find it very annoying. Games for Windows would only accept a 16-digit password and it could only have letters and numbers, even when your MSN account could be up to 20 with special characters. Gameseek is the latest bad one I've come across. I signed up with a 20-digit password only for login to fail. When I requested a password reset it sent me back the first 16 digits (which is why the login was failing) in plain text. Luckily they accept PayPal, as I wouldn't leave my card details with them.
 
Sloppy design. Short passwords are easier to brute force. The other one that is a big red flag to me is when a password reset gives you back the plain text password.

Sites that do this don't get my card or bank details.

That's the first thing I check whenever I set up a new account with anything.
 
Sloppy design. Short passwords are easier to brute force. The other one that is a big red flag to me is when a password reset gives you back the plain text password.

Sites that do this don't get my card or bank details.

Most sites aren't hacked by brute force or other login attack methods; it's by sloppy design (SQL injection etc.) or interception of credentials before they reach the site.
 