In password security, the longer, the better. With a password manager, using more than 24 characters is simple. Unless, of course, the secure password is not accepted due to its length. (In this case, through STOVE.)

This possibly indicates cleartext storage in a length-limited field (which is an absolute no-go), or otherwise suboptimal or lacking security practices.

    • bpev@lemmy.world · edited · 24 minutes ago

      So this is *mathematically* correct, but practically not really. Let me give you a longer (but still simplified) answer. There are essentially two things here that are different:

      1. Does a longer password make your password more difficult to guess? (Always yes.)
      2. Does a longer password make accessing the content it protects more difficult? (Yes, to a certain point.)

      The reason for #2 in digital systems is hashing, which is used to protect your password in the case of a data breach. Essentially, you can think of a hashing algorithm as a one-way algorithm that takes an input and then always returns the same output for that input. One-way here means that you can’t use the hashed output to reverse-engineer the originally inputted password (you can’t unhash a hashbrown into the original potato 🥔). This is why if someone hacks Facebook, they don’t necessarily have your Facebook password; Facebook never saves your actual password anywhere. To log in, the website hashes your password input and compares it against the hash that they saved from your original password creation.

      Usually, the result of these algorithms is saved as a fixed-length string of characters. And so your data is mathematically no safer if you exceed this length, since a random password combination can theoretically resolve to the same value as your super-long password. This would depend on the algorithm being used / data being stored, but for example, bcrypt outputs a 184-bit hash (often represented as a 60-character string). So mathematically, your password is not more secure beyond 60 characters.

      However, in practice this is a non-issue, because I think that basically the only way that collisions like this are useful is for brute-forcing a password? And the chance of a password collision in this way is something like 1 in 10^27 or 10^28 (being hit by lightning every day for 10,000 years)? The much easier solution for gaining access is to get your actual password. So if your password being longer makes it harder for people to guess, I’d say that adding security by way of #1 is still extremely valid.
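The store-a-hash, rehash-and-compare flow described in the comment above, as an added example (this is editor-written illustration code, not code from the thread or from any site mentioned in it). It uses PBKDF2-HMAC-SHA256 from the Python standard library rather than bcrypt, so it runs offline with no dependencies; the record format `pbkdf2_sha256$iterations$salt$digest` and the iteration count are assumptions chosen for this example. The point it shows is the one the thread is about: the server stores a fixed-size digest no matter how long the password is, so nothing on the storage side requires capping the password field at 24 characters, and a password that differs only far past that point is still rejected.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: 32-byte derived key and a
# deliberately slow PBKDF2 iteration count (OWASP's 2023 guidance for
# PBKDF2-HMAC-SHA256 is in the hundreds of thousands).
DKLEN = 32
DEFAULT_ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a storable record; the plaintext password is never kept.

    The record carries the algorithm name, iteration count and the random
    per-user salt so that verification can recompute exactly the same
    derivation later. Input length is unbounded: PBKDF2 does not truncate.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, iterations, dklen=DKLEN)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Rehash the login attempt with the stored salt/iterations and compare.

    hmac.compare_digest is used so that a wrong guess takes the same time
    regardless of how many leading bytes happen to match.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: fail closed
    if algorithm != ALGORITHM:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations),
                             dklen=DKLEN)
    return hmac.compare_digest(dk, bytes.fromhex(digest_hex))


def digest_length(stored: str) -> int:
    """Size in bytes of the digest actually stored; fixed regardless of input."""
    return len(bytes.fromhex(stored.split("$")[3]))


if __name__ == "__main__":
    # Constructed sample passwords: a 24-character one and a ~300-character one.
    short_pw = "correct-horse-battery-st"          # 24 characters
    long_pw = "x" * 299 + "y"                      # 300 characters
    rec_short = hash_password(short_pw)
    rec_long = hash_password(long_pw)
    print(rec_short)
    print("digest bytes:", digest_length(rec_short), digest_length(rec_long))
    print("short ok:", verify_password(rec_short, short_pw))
    print("long ok:", verify_password(rec_long, long_pw))
    # A password that differs only at character 300 must still be rejected.
    print("long tampered:", verify_password(rec_long, "x" * 300))
```

Note that the iteration count lives in the record, so a site can raise it for new passwords without breaking verification of existing ones; this is also why the example never compares digests with `==`.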