Why do so many companies and people say that your password has to be so long and complicated, just to have restrictions?

I am in the process of changing some passwords (I have peen pwnd and it’s the password I use for use-less-er sites) and suddenly they say “password may contain a maximum of 15 characters“… I mean, 15 is long but it’s nothing for a password manager.

And then there’s the problem with special characters like äàáâæãåā ñ ī o ė ß ÿ ç just to name a few, or some even won’t let you type a [space] in them. Why is that? Is it bad programming? Or just a symptom of copy-pasta?

  • jet@hackertalks.comEnglish
    0·
    1 year ago

    I hope you’re using a password manager, I recommend bit warden if not.

    Password requirements are all attempts at getting people to introduce entropy into their passwords. The length the characters the not allowed characters the allowed characters. All about adding entropy

    Restrictions on allowed characters tend to be based on legacy systems and the input state allow. So if you have an input system that only has Latin characters, it would be foolish to allow non-Latin characters into a password, because then people could get stuck unable to login. So typically they reduce to the safest set of characters that all of their systems use. And for some of the older systems that parse passwords, some of the Meta characters could be problematic.

    Password length is also down to legacy systems. If you have an old school Solaris system somewhere in your back end, that truncates password fields at 15 characters. Then 15 characters is the max.

      • janAkali@lemmy.oneEnglish
        1·
        1 year ago

        While most of the time, I remember my password, I know I could just snap and forget it right there at any point. Happened to me not once. And I’m in my 20s. Sometimes when I forget a password, I just start typing and muscle memory kicks in, sometimes it doesn’t. I guess our brains are not optimized to store long random strings of characters. You could use a long sentence as your master password or do as I do:

        Come up with a way to make up a long seemingly random password from a couple words. Then if/when you forget a password, just remember those words and reconstruct password from them.

        • Don’t use common dictionary words or anything from popular media, as it could be guessed by attackers.
        • You can write down algorithm on a piece of paper and keep it somewhere safe.
        • Words should be related but not directly:
          • two asteroid names - bad
          • asteroid name and it’s greek translation - bad
          • real city name and city name from a book - good
          • two words that both start with S and end with T - good
        • If you forget both words, you should be able to remember/look up at least one of them if you still remember how you came up with the word.