Gotta love this: if you use a password that registers as “very strong” on this site’s password strength meter (apparently 21 characters or more), you fail password length validation when you submit the form (max 20 characters). 🤦‍♂️

Hmm… and also, if you had an order in your cart when you registered, they lose the order. Nice.


@aral "Sorry, it is so strong that even we cannot deal with it"

@xiroux @aral "password seller, i am creating an account and i require one of your strongest passwords"
"my passwords are far too strong for your account, traveller."
"password seller, enough of these games. i am creating an account. i require your strongest passwords."
"you cannot handle my passwords. they are far too strong for you. you should find a weaker password."


Whenever I see a site with a maximum length (or at least a max that's not like, a hundred chars), it tells me there's a very good chance they don't hash passwords and keep them in plain text

Right... I never thought about that! But it can't be that all these sites store the password in plain text, can it?

@aral I once ran into a similar problem with PayPal. The password reset form allowed more characters than the authentication form. It took me weeks of talking to get that changed.

@aral I really, really don't understand why any sites in the 2000s even have max-limits to character lengths (or rather, if they must exist, they should be like about 2048 characters or something similar that nobody realistically would reach) now that standard recommendations include to not use passwords, but instead use passphrases.
I still see sites with password policies like "must be between 8 to 12 characters".
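
The two points raised in the thread (one length rule shared by every form, and hashed storage that does not grow with password length), as an added example that is not part of any post. The limits, the iteration count and all function names are assumptions chosen for illustration, and PBKDF2 stands in for whatever password hash a site actually uses.

```python
import hashlib
import hmac
import os

# Assumed policy values; every form (meter, signup, reset, login) imports these.
MIN_LEN = 8
MAX_LEN = 1024        # generous cap that only bounds hashing cost
ITERATIONS = 200_000  # assumed PBKDF2 work factor for this example
SALT_LEN = 16
DIGEST_LEN = 32


def check_length(password):
    """The single length rule; no form carries its own copy of the limit."""
    return MIN_LEN <= len(password) <= MAX_LEN


def _derive(password, salt):
    # The derived key is DIGEST_LEN bytes whatever the password length is.
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DIGEST_LEN
    )


def hash_password(password):
    """Return salt || digest, always SALT_LEN + DIGEST_LEN bytes."""
    if not check_length(password):
        raise ValueError("password length outside policy")
    salt = os.urandom(SALT_LEN)
    return salt + _derive(password, salt)


def verify_password(password, record):
    """Check a login attempt against a stored record in constant time."""
    if not check_length(password):
        return False
    salt, expected = record[:SALT_LEN], record[SALT_LEN:]
    return hmac.compare_digest(_derive(password, salt), expected)


if __name__ == "__main__":
    # Constructed sample inputs: a 12-character password and a long passphrase.
    for pw in ("hunter2hunt!", "correct horse battery staple " * 6):
        rec = hash_password(pw)
        print(len(pw), "chars ->", len(rec), "stored bytes,",
              "verifies" if verify_password(pw, rec) else "FAILS")
```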
