Why do so many companies and people say that your password has to be so long and complicated, just to have restrictions?

I am in the process of changing some passwords (I have peen pwnd and it’s the password I use for use-less-er sites) and suddenly they say “password may contain a maximum of 15 characters“… I mean, 15 is long but it’s nothing for a password manager.

And then there’s the problem with special characters like äàáâæãåā ñ ī o ė ß ÿ ç just to name a few, or some even won’t let you type a [space] in them. Why is that? Is it bad programming? Or just a symptom of copy-pasta?

  • kevincox@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    1 year ago

    Who isn’t hashing server-side? That just turns the hash into the password which negates a lot of the benefits. (You can do split hashing but that doesn’t prevent the need to hash server-side.)

    • dog@suppo.fi
      link
      fedilink
      arrow-up
      0
      arrow-down
      1
      ·
      edit-2
      1 year ago

      Hashing on client side is both more private, and secure. All the user ever submits is a combined hash (auth/pubkey) of their username + password.

      If the server has that hash? Check the DB if it requires 2FA, and if the user sent a challenge response. If not, fail the login.

      Registering is pretty much the same. User submits hash, server checks DB against it, fail if exists.

      Edit: If data is also encrypted properly in the DB, it doesn’t even matter if the entire DB is completely public, leaked, or secured on their own servers.