Why restrict the length of a password?

I've just signed up to a site to purchase some goods, and when I tried to enter my (reasonably secure) password I was informed it was too long, and that I should enter a password between 5 & 10 characters! What is the point in that? Who makes decisions like this? Surely the ideal password would be a really long and complicated one? Why do people insist on trying to restrict what types of passwords you can use?

Have you had to implement a login to a website? Was the login for secure purposes (e.g. purchasing goods). What (if any) restrictions did you place on the user's password? What were your reasons for the decision?


Solution 1:

Restricting the size of a password is an attempt to save storage space. It pretty much indicates that your password is being stored plainly in their database, so they want to restrict its size. Otherwise it's just a restriction because the implementors don't know any better. Either way it's a bad sign.

You might want to contact the admins of the site and ask them about it. They should be storing hashes, not passwords, which are always the same size no matter how big the password is. There really should be no limit to the size of password you enter, nor the domain of characters you're permitted to input.

Solution 2:

The most common reason for this is because the front-end intgrates with some old legacy system that does not handle more than a given number of characters.

Solution 3:

Seems especially stupid, given that any half decent website does not store plaintext passwords in their database, they store a one way hash of that password (which will always be a set length depending on the algorithm used, for example sha1 is a 160 bit digest) and then rehash that password on login to make sure that the newly hashed password matches the stored one.

Other than for frontend design asthetics - I agree, it doesn't make any sense to enforce a maximum password length. Minimum length is entirely different though for obvious reasons.