Last week, I tried to register for a service and was really surprised by a password limit of 16 characters. Why on earth would you impose such strict limits? Never heard of correct horse battery staple?

  • cronOP · 56 up, 1 down · 1 month ago

    OWASP recommendation is to allow 64 chars at least:

    Maximum password length should be at least 64 characters to allow passphrases (NIST SP800-63B). Note that certain implementations of hashing algorithms may cause long password denial of service.

    The lemmy-UI limit is reasonably close and as everything is open source, we can verify that it does hash the password before storing it in the database.

    There is a github issue, too.
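As an added example (not code from this thread, from lemmy, or from OWASP), here is a minimal registration check in Python that follows the guidance quoted above: a ceiling well above 64 characters so passphrases fit, an upper bound enforced before any hashing so an oversized input cannot be used to burn CPU in the key derivation (the "long password denial of service" the OWASP note mentions), and salted scrypt hashing with a constant-time comparison. The limits `MIN_LENGTH`/`MAX_LENGTH`, the scrypt parameters and the function names are assumptions for the example, not values taken from the page.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Assumed policy values (not from the thread): OWASP asks for a ceiling of at
# least 64 characters so passphrases fit; NIST SP 800-63B sets 8 as the floor.
MIN_LENGTH = 8
MAX_LENGTH = 128

# Assumed scrypt work factor (about 16 MiB of memory); tune for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16


def normalize(password: str) -> str:
    """NFKC-normalise so visually identical input hashes identically."""
    return unicodedata.normalize("NFKC", password)


def password_length_error(password: str) -> Optional[str]:
    """Return a message if the password is too short or too long, else None.

    The upper bound is checked *before* any hashing, so an oversized input is
    rejected cheaply instead of being fed to the slow key derivation function.
    """
    length = len(normalize(password))
    if length < MIN_LENGTH:
        return f"password must be at least {MIN_LENGTH} characters"
    if length > MAX_LENGTH:
        return f"password must be at most {MAX_LENGTH} characters"
    return None


def _derive(password: str, salt: bytes) -> bytes:
    """Salted scrypt digest of the normalised password."""
    return hashlib.scrypt(
        normalize(password).encode("utf-8"),
        salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32,
    )


def hash_password(password: str) -> dict:
    """Validate length, then return salt + digest to store (never the password)."""
    error = password_length_error(password)
    if error:
        raise ValueError(error)
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt.hex(), "hash": _derive(password, salt).hex()}


def verify_password(password: str, record: dict) -> bool:
    """Constant-time check of a login attempt against a stored record."""
    if password_length_error(password):
        return False  # out-of-policy input never reaches the KDF
    digest = _derive(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    passphrase = "correct horse battery staple, but longer than sixteen chars"
    stored = hash_password(passphrase)
    print(f"accepted {len(passphrase)} chars; verify: {verify_password(passphrase, stored)}")
    print("oversized input rejected:", password_length_error("x" * 100_000))
```

The length check runs on both registration and login, so a 100,000-character submission is refused in microseconds rather than occupying a scrypt worker; the stored record holds only the salt and digest, which is the property the comment above says can be verified in the open-source lemmy code.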