It follows the vein of some of the password rules and feedback reducing security itself. Like why disallow any characters or set a maximum password length in double digits? If you’re storing a hash of the password, the hash function can handle arbitrary length strings filled with arbitrary characters. They run on files, so even null characters need to work. If you do one hash on the client’s side and another one on the server, then all the extra computational power needed for a ridiculously long password will be done by the client’s computer.
And I bet at least one site has used the error message “that password is already in use by <account>” before someone else in the dev team said, “hang on, what?”.
“Sorry, that password is already in use” ruins it for me. That’s not a realistic message to receive.
Maybe “Your password cannot be one you’ve used previously”.
Should be: “your password cannot be one of your last 24 passwords”
Especially for those places that want your password changed every two weeks.
It follows the vein of some of the password rules and feedback reducing security itself. Like why disallow any characters or set a maximum password length in double digits? If you’re storing a hash of the password, the hash function can handle arbitrary length strings filled with arbitrary characters. They run on files, so even null characters need to work. If you do one hash on the client’s side and another one on the server, then all the extra computational power needed for a ridiculously long password will be done by the client’s computer.
And I bet at least one site has used the error message “that password is already in use by <account>” before someone else in the dev team said, “hang on, what?”.
Should say by who. :)
Now we are talking :)