Since my first article about a financial institution’s policy on password length I’ve encountered a couple more examples, none of which were really worse than the one I had mentioned before. But today I was happily signing up for Microsoft’s new online services offering and was prompted to change my password (n.b. I was in the trial). I whip out my KeePass, make an entry and get presented with the following:


Why oh why would you ever put a maximum length on a password field? Even if database size is a concern (really?), wouldn’t it make sense to bump the limit to something much longer, like 100 or 200 characters? Even the default security setting for KeePass (which I’m sure many people use) generates passwords longer than 16 characters.

I may be Microsoft-friendly and it won’t keep me from using the service, but come on, Microsoft. Ask the guys who wrote the (ludicrously long-named) method: HashPasswordForStoringInConfigFile.
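The storage argument above collapses as soon as passwords are hashed: the stored record is the same size whether the user typed 16 characters or 200. The following is an added example written for this post, not Microsoft's code and not the ASP.NET HashPasswordForStoringInConfigFile method (which produced an unsalted MD5 or SHA1 hex digest and has since been marked obsolete). It uses salted PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count, salt size, 12-character minimum and 200-character cap are assumed values chosen for illustration, the cap being the figure the post itself suggests.

```python
"""Added example: password length versus stored hash size.

Constructed for this article, not code from Microsoft or from any library.
Work factor, salt size and policy bounds below are assumed values.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 200_000   # assumed work factor; tune to your hardware
SALT_BYTES = 16               # assumed salt size
DERIVED_KEY_BYTES = 32        # SHA-256 output size
MIN_PASSWORD_CHARS = 12       # assumed minimum length
MAX_PASSWORD_CHARS = 200      # generous cap from the post, not 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (base64 fields)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=DERIVED_KEY_BYTES
    )
    return "pbkdf2-sha256${}${}${}".format(
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2-sha256":
        return False
    _, iterations, salt_b64, hash_b64 = parts
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, int(iterations), dklen=len(expected)
    )
    return hmac.compare_digest(actual, expected)


def stored_record_length(password: str) -> int:
    """Characters the database column must hold for this password: constant, whatever its length."""
    return len(hash_password(password))


def check_password_policy(password: str) -> Tuple[bool, str]:
    """Enforce a floor for strength and a generous ceiling that only bounds hashing cost."""
    n = len(password)
    if n < MIN_PASSWORD_CHARS:
        return False, "too short: need at least {} characters".format(MIN_PASSWORD_CHARS)
    if n > MAX_PASSWORD_CHARS:
        return False, "too long: at most {} characters".format(MAX_PASSWORD_CHARS)
    return True, "ok"


if __name__ == "__main__":
    for length in (16, 64, 200):
        print(length, "char password ->", stored_record_length("x" * length), "char record")
    print(check_password_policy("short"))
    print(check_password_policy("correct horse battery staple and then some"))
```

Run as a script it prints the same record length for 16-, 64- and 200-character passwords. The only legitimate reason for any ceiling at all is to bound the work an attacker can force on the hashing step, and with PBKDF2-HMAC even that barely moves with input length, so a cap in the hundreds of characters costs nothing and lets password managers do their job.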