
Here's another weird restriction: password length limits. I've had websites tell me I can't use more than 8 or 16 characters. Even if they let me use a thousand characters that's just going to get hashed to the same length anyway, right?

Even worse: sites that silently truncate your pasted password to the maximum length. When all you see is those little dots and the password is wider than the text field, it's very difficult or perhaps even impossible to tell how many characters were successfully pasted. And obviously truncation sets you up for disaster when you try to log in using your saved password and it just doesn't work.




> Even if they let me use a thousand characters that's just going to get hashed to the same length anyway, right?

That assumes they're not storing your password in a VARCHAR(16) field, which is what I always assume when I see a max password length restriction like this. Or perhaps they're using the ridiculous LANMan hash algorithm [1].

[1]: https://en.wikipedia.org/wiki/LAN_Manager#LM_hash_details
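
The two points raised in the comments above, as an added example that is not part of the thread: a salted hash has a fixed output length regardless of password length, and silent truncation on the registration form breaks login with the saved password. The 16-character limit, the PBKDF2 parameters, the function names and the sample passwords are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import os

MAX_LEN = 16          # assumed limit, matching the VARCHAR(16) guess in the thread
ITERATIONS = 100_000  # constructed work factor for this demo


def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256: the digest is 32 bytes whatever the input length."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(password, truncate):
    """Return (salt, digest); truncate=True mimics a form that silently cuts input."""
    if truncate:
        password = password[:MAX_LEN]
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def login(password, record, truncate):
    """Check a login attempt against a stored (salt, digest) record."""
    if truncate:
        password = password[:MAX_LEN]
    salt, digest = record
    return hmac.compare_digest(hash_password(password, salt), digest)


def demo():
    long_pw = "correct horse battery staple " * 35      # constructed, about 1000 chars
    saved_pw = "kX9#vT2!qLm84zRw-pasted-from-manager"   # constructed sample
    salt = os.urandom(16)
    rec = register(saved_pw, truncate=True)  # registration form truncated silently
    return {
        "digest_len_short": len(hash_password("hunter2", salt)),
        "digest_len_long": len(hash_password(long_pw, salt)),
        # The login form does not truncate, so the saved password no longer matches.
        "saved_password_rejected": not login(saved_pw, rec, truncate=False),
        # Only the first MAX_LEN characters were ever stored.
        "prefix_accepted": login(saved_pw[:MAX_LEN], rec, truncate=False),
        # If both forms truncate, everything past MAX_LEN adds no strength.
        "other_suffix_accepted": login(saved_pw[:MAX_LEN] + "anything", rec, truncate=True),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```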



