Good passwords have one importand characteristic: They are long. No matter how you do it, generally speaking, a longer password is stronger than a short one. In theory, if you were able to remember passwords such as this one:
then it’d be practically impossible to crack it and would require using more… extreme methods to obtain.
Of course, shorter passwords are easier to remember—that’s why they are so popular, after all. But it doesn’t have to be this way:
A password like, say
Atomreaktor Bildfläche Schreibtischunterlage Leuchtsoffröhre is even longer than the monstrosity shown above, much easier to type (especially if you are at least a halfway decent touch-typist), easy to remember—and, most importantly, quite difficult to guess. At the time of this writing (2016 is on the way out), many sites already accept Unicode characters in their password without fault—problems nowadays are more likely to stem from apps that are coded so badly that they still use abominations such as Latin-1 inside their code. I use a new password for every site—with this approach, I can actually keep many of my most commonly used account passwords in my mid-term memory.
Anyway… a good deal of especially big players don’t really seem to have grasped the concept. It is awfully common to see password fields size-limited to, say, twenty characters. Sometimes even fewer: I think it was acredit card company that forced me to use password between eight and twelve characters. This is probably the most extreme case I can think of. In general there seems to be a trend that banks and similar kinds of shady businesses are especially prone to this nonsense—which keeps baffling me every time I see it.
There is no fundamental technical reason to do so: Those kinds of limits are purely artificial. HTML allows you to specify maximum lengths for form fields—many web developers seem to think that since a maximum length can be imposed, that they have to do so, and set an arbitrary limit. Perhaps they go to some big site and look how their password input fields are coded—this nonsense has to come from somewhere, right?
As far as I know, Symfony, to pick an example, has a default maximum password length of approximately four kilobytes—long enough for whatever kind of passphrase that you want to use. I still have to do some more research, but there are people who do it right—and I want to see more of it.
There are merchants that get it right, though. I’ll try to list a few of them as I encounter them. Of course, this list is not exhaustive.
The following is a (of course non-exhaustive) list of businesses1), loosely ordered by magnitude of their ineptitude.
I’ve made it a habit to look at how the password entry fields are coded before I register an account. For one thing, I have often enough locked myself out of my own accounts by setting a password that is silently truncated to some arbitrary length; also, because I want to see how widespread this bad practice actually is.
I did say that banks are especially bad at it. No matter how they want to be seen, Paypal for all intents and purposes is a bank—and it shows:
So, instead of allowing their customers to use good passwords, they artificially restrict passwords to twenty characters or less, but impose the usual restrictions: at least one digit or ‘special character’: