Once upon a time, battle.net passwords weren’t case sensitive. I used upper and lower case letters in my password then one day realized I didn’t hit shift for one of the caps as I hit enter out of habit, but then it still let me in instead of asking for the password again.
It was disappointing because it takes more work to remove case-sensitivity than to leave it. I can’t think of any good reason to remove it. At least the character limit had a technical reason behind it: having a set size for fields means your database can be more efficient. Better to use the size of a hash and not store the password in plaintext, so it’s not a good reason, but at least it’s a reason.
At least the character limit had a technical reason behind it: having a set size for fields means your database can be more efficient.
If that is the actual technical reason behind it, that is a huge red flag. When you hash a password, the hash is a fixed size. The size of the original password does not matter, because it should not be stored anyway.
Correct, hence the sentence after the one you quoted :)
If any service can recover your password and send it back to you rather than just resetting it for you to set a new one, don’t rely on that service for anything you want to keep secure. And certainly don’t reuse a password there, though you shouldn’t be reusing passwords anyways because who knows what they are and aren’t storing, even if they don’t offer password recovery.
Sorry, didn’t want this to look like an attack or disagreement. Just wanted to highlight that point, because arbitrary maximum sizes for passwords are a pet peeve of mine.
It’s possible that the passwords want through an old ass cobalt system or something that forced everything to be capitalized so to solve that they made everything non case sensitive.
But even that sounds insane as the passwords should have been hashed.
Now imagine how many services just silently cut off your password at 8 characters and people never notice.
UltraVNC is very guilty of this.
Once upon a time, battle.net passwords weren’t case sensitive. I used upper and lower case letters in my password then one day realized I didn’t hit shift for one of the caps as I hit enter out of habit, but then it still let me in instead of asking for the password again.
It was disappointing because it takes more work to remove case-sensitivity than to leave it. I can’t think of any good reason to remove it. At least the character limit had a technical reason behind it: having a set size for fields means your database can be more efficient. Better to use the size of a hash and not store the password in plaintext, so it’s not a good reason, but at least it’s a reason.
If that is the actual technical reason behind it, that is a huge red flag. When you hash a password, the hash is a fixed size. The size of the original password does not matter, because it should not be stored anyway.
Correct, hence the sentence after the one you quoted :)
If any service can recover your password and send it back to you rather than just resetting it for you to set a new one, don’t rely on that service for anything you want to keep secure. And certainly don’t reuse a password there, though you shouldn’t be reusing passwords anyways because who knows what they are and aren’t storing, even if they don’t offer password recovery.
Sorry, didn’t want this to look like an attack or disagreement. Just wanted to highlight that point, because arbitrary maximum sizes for passwords are a pet peeve of mine.
It’s possible that the passwords want through an old ass cobalt system or something that forced everything to be capitalized so to solve that they made everything non case sensitive.
But even that sounds insane as the passwords should have been hashed.
Wells Fargo cuts to 14 on their sign in page but not on their change password page, ask me how I know