A website complained at me for trying to make a password too long. Their limit is 40 characters. Oh.
@benhamill Whenever I see a length limit on a password field, this tells me one thing: "we store your password, not its hash".
@benhamill for the threats I expect (providers getting hacked, mass leaks) I consider using unique passwords that are reasonably long (where I consider reasonable more than, like, 16 chars) more important than absolute length. if you think you're subject to targeted attack by v well-resourced attacker you might feel differently (but you should be getting better advice than from me if so)
@kelsey Haha. I guess: it's easy to adjust the length slider, so even if the gain is minimal, effort is also minimal. The threats you're worried about are the same ones I feel are most likely to get me.
@benhamill if you are using a password manager you are way ahead of the curve already! doing it right!
@benhamill but sure, 72 char couldn't hurt! I just wouldn't use the incredibly common occurrence of max password length (which can be for other reasons as well, like some kind of backward compatibility with older versions of authentication that were upgraded for security reasons) as an indicator that a site is particularly untrustworthy--or take the lack of them as a sign of security
@deshipu @kelsey Oh. And I guess this is a reasonable reason to set my password manager to default to generating 72 character passwords, yeah? Or am I failing to understand some more?