Today I decided to delete my account at PayPal. I'd been meaning to for a while, but they sent me a marketing email which reminded me to finally carry it out.
First this meant resetting my password because I forgot what it was, since the last time I used it was...who knows.
They are Keeping me safer, so this should be easy.
Like any nerdy, security-minded person, I use a password manager so that I don't know the passwords to any sites I sign up for. KeePass is my facilitator of choice here - it's awesome and helps a ton. If you're not using it, you should.
Anyhow, I had KeePass create me a new, strong, secure password and I pasted it into the box.
Whoops. They won't let me copy/paste it.
Okay, sure, this is par for the course for bad security on the internet. Fine, I'll just use correct horse battery staple.
Oh. Yeah, we wouldn't want my password being too long now would we? Okay, shorter sentence:
Surely this one will work
Let's count the security missteps here:
PASSWORD NVARCHAR(20) field in your database, it makes no sense to have a maximum password length. The only thing you're doing here is restricting entropy and reinforcing bad password practices.
If you make websites, please do not do any of these things. It's like a master course in security anti-patterns.
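To make the NVARCHAR(20) point concrete, here is an added example (my own code, not PayPal's) contrasting a length cap inherited from the schema with salted PBKDF2 storage, whose stored width is the same for a 1-character password and a long passphrase; the cap of 20, the 1024-character DoS guard and the iteration count are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed values for the demonstration; not any real site's actual policy.
LEGACY_MAX_LEN = 20    # what a PASSWORD NVARCHAR(20) column forces if you store the password itself
SANE_MAX_LEN = 1024    # only a guard against feeding megabytes to a slow hash; NIST SP 800-63B asks for at least 64
ITERATIONS = 600_000   # OWASP's current PBKDF2-HMAC-SHA256 recommendation
SALT_BYTES = 16
DIGEST_BYTES = 32

def legacy_accepts(password: str) -> bool:
    """The anti-pattern from the post: the schema, not the user, decides how long a password may be."""
    return len(password) <= LEGACY_MAX_LEN

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a salted PBKDF2 hash. The output width is constant whatever the password length,
    so the database column never constrains what the user may type or paste."""
    if len(password) > SANE_MAX_LEN:
        raise ValueError("password too long to hash safely")
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DIGEST_BYTES)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or len(password) > SANE_MAX_LEN:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations), dklen=DIGEST_BYTES)
    return hmac.compare_digest(digest.hex(), digest_hex)

def stored_width() -> int:
    """Fixed column width every stored hash fits in, independent of password length."""
    return len("pbkdf2_sha256$") + len(str(ITERATIONS)) + 1 + SALT_BYTES * 2 + 1 + DIGEST_BYTES * 2

if __name__ == "__main__":
    passphrase = "correct horse battery staple"
    print("legacy cap accepts passphrase:", legacy_accepts(passphrase))
    stored = hash_password(passphrase)
    print("stored width:", len(stored), "column width:", stored_width())
    print("verifies:", verify_password(passphrase, stored))
```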