Why do so many companies and people say that your password has to be so long and complicated, just to have restrictions?

I am in the process of changing some passwords (I have been pwned and it’s the password I use for use-less-er sites) and suddenly they say “password may contain a maximum of 15 characters”… I mean, 15 is long but it’s nothing for a password manager.

And then there’s the problem with special characters like äàáâæãåā ñ ī o ė ß ÿ ç just to name a few, or some even won’t let you type a [space] in them. Why is that? Is it bad programming? Or just a symptom of copy-pasta?

  • dog@suppo.fi · 1 year ago

    Well, to be fair, if they’re hashing server-side, they were doomed to begin with.

    But yeah, there’s a lot of ways to DDoS, and so many tools that just make it a 1 button click.

    • kevincox@lemmy.ml · 1 year ago

      Who isn’t hashing server-side? That just turns the hash into the password which negates a lot of the benefits. (You can do split hashing but that doesn’t prevent the need to hash server-side.)

      • dog@suppo.fi · 1 year ago (edited)

        Hashing on the client side is both more private and more secure. All the user ever submits is a combined hash (auth/pubkey) of their username + password.

        If the server has that hash? Check the DB if it requires 2FA, and if the user sent a challenge response. If not, fail the login.

        Registering is pretty much the same. The user submits the hash, the server checks the DB against it, and fails if it exists.

        Edit: If data is also encrypted properly in the DB, it doesn’t even matter if the entire DB is completely public, leaked, or secured on their own servers.
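
The two schemes argued over above, side by side, as an added example that is not code from anyone in this thread. Variant A stores exactly the value the client sends, as the last reply proposes; variant B is the "split hashing" kevincox mentions, where the client pre-hashes and the server still salts and runs a slow hash. The function names, the SHA-256 pre-hash, the scrypt parameters and the sample passwords are all assumptions made for illustration; only the Python standard library is used.

```python
"""Added example: client-only hashing vs. split (client + server) hashing.
Everything here is illustrative; names and parameters are assumptions."""
import hashlib
import hmac
import os
import unicodedata

# Assumed scrypt work factor; a real deployment would tune this.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)
DUMMY_SALT = b"\x00" * 16


def normalize(text: str) -> bytes:
    """NFC-normalise so composed and decomposed forms of e.g. 'é' agree.
    Spaces and any Unicode code point are fine: they are just UTF-8 bytes."""
    return unicodedata.normalize("NFC", text).encode("utf-8")


def client_prehash(username: str, password: str) -> bytes:
    """What the client in the thread would send: a hash of username + password.
    Cheap and unsalted on purpose; the expensive step belongs on the server."""
    return hashlib.sha256(normalize(username) + b"\x00" + normalize(password)).digest()


def slow_hash(secret: bytes, salt: bytes) -> bytes:
    """Server-side memory-hard hash of whatever bytes arrived over the wire."""
    return hashlib.scrypt(secret, salt=salt, **SCRYPT_PARAMS)


# --- Variant A: client-side hashing only; the server stores the pre-hash verbatim.
def register_client_only(db: dict, username: str, password: str) -> None:
    db[username] = client_prehash(username, password)


def login_client_only(db: dict, username: str, submitted: bytes) -> bool:
    stored = db.get(username)
    return stored is not None and hmac.compare_digest(stored, submitted)


# --- Variant B: split hashing; client pre-hash is treated as the password.
def register_split(db: dict, username: str, password: str) -> None:
    salt = os.urandom(16)
    db[username] = (salt, slow_hash(client_prehash(username, password), salt))


def login_split(db: dict, username: str, submitted: bytes) -> bool:
    rec = db.get(username)
    if rec is None:
        slow_hash(submitted, DUMMY_SALT)  # same work for unknown users (timing)
        return False
    salt, stored = rec
    return hmac.compare_digest(slow_hash(submitted, salt), stored)


def demo() -> dict:
    """Register the same user under both variants, then replay the leaked DB
    record as if an attacker had dumped the database."""
    db_a, db_b = {}, {}
    user = "alice"
    # Constructed sample: spaces, non-ASCII letters, well over 15 characters.
    pw = "pässwörd with spaces ß ÿ ç, far longer than fifteen characters"
    register_client_only(db_a, user, pw)
    register_split(db_b, user, pw)

    legit_a = login_client_only(db_a, user, client_prehash(user, pw))
    legit_b = login_split(db_b, user, client_prehash(user, pw))

    leaked_a = db_a[user]          # attacker read this straight from the DB
    leaked_b = db_b[user][1]       # salt is public too, but useless to replay
    replay_a = login_client_only(db_a, user, leaked_a)   # the hash IS the password
    replay_b = login_split(db_b, user, leaked_b)         # server re-hashes: rejected
    return {"legit_a": legit_a, "legit_b": legit_b,
            "replay_a": replay_a, "replay_b": replay_b}


if __name__ == "__main__":
    print(demo())
```

In variant A the database row is the login credential, so a leaked DB logs the attacker straight in (the pass-the-hash point in the reply above). Variant B keeps the client pre-hash as a privacy step while the server still pays the slow-hash cost, so a leaked row cannot be replayed; note that the server-side work does not go away, only the raw password does. Neither variant cares about password length, spaces, or non-ASCII letters: the input is normalised to bytes and hashed, so the 15-character cap the original post ran into is a product of the site's validation, not of hashing.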