Been making another login system, and I came across this again.
I honestly have no idea why some services (ie Hotmail, the bastards) limit the length of the password you use. Any reasonable person knows to encrypt passwords before throwing them into the database. And the hash (encrypted password) is (in most cases) of a fixed length, independent of the password that was encrypted.
So why limit the length of a user’s password? You tell the database to have a certain length for the entered string, and you always enter the same length of string (again, due to the encryption). Longer passwords are safer, anyway. It feels dumb to be limited in that.
Or perhaps they don’t store the passwords encrypted in their databases? The result would be them having knowledge of millions of email-password combinations, and with the bad habit of password reuse lots of people have, they could get into quite a few PayPal accounts through that.
Quick everyone, put on your tinfoil hats!