I’ve just found another gem today. You know how everyone keeps saying we should use unique, long, complex passwords to improve security? And you’d especially want that with financial services like payment systems, payment processors and banks. Right?
Well, here comes motherfucking PayPal with their password gem:
Now, I applaud them for setting a minimum password length of 8 characters. But for fuck’s sake, why cap it at 20 characters as the maximum? WHY? You’re literally telling the whole world that anyone brute forcing a user’s account never has to try a password longer than 20 characters. With a proper password hash there is no technical reason for a cap that low, so it can only come from whatever sits behind the login form. And that’s before we even get to the sheer stupidity of limiting users on the most important and basic thing in account security.
What if a user wants a 25-character password? Tough luck. 40 characters, or maybe even 150? Users should NEVER run into an upper limit in practice. The only cap I can accept as reasonable is a purely technical one, something like 128 characters, there only so the server bounds the work it does hashing whatever gets pasted into the field. If you can’t technically deliver something like this, then what are you even doing with your company?
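To make the point concrete, here is an added example (my own code, not anything from PayPal or the original post) that puts a 20-character cap next to a sane policy and shows that a modern password hash simply does not care how long the input is. The two policy dicts, the `check_policy`, `hash_password`, `verify_password` and `keyspace_bits` names and the sample passwords are all constructed for this illustration; the only real constraint referenced is scrypt from Python’s standard `hashlib`.

```python
import hashlib
import hmac
import math
import os

# Constructed policies for illustration only; neither is a copy of any real site's config.
CAPPED_POLICY = {"min_len": 8, "max_len": 20}    # the kind of cap the post is complaining about
SANE_POLICY = {"min_len": 8, "max_len": 128}     # generous cap, present only to bound server work

SALT_LEN = 16
# scrypt parameters are a hypothetical choice for the demo; tune to your hardware in production.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def check_policy(password, policy):
    """Return (ok, reason) for a candidate password under the given length policy.

    Length is counted in characters; the cap exists to stop someone pasting a
    megabyte into the field, not to 'help' the user pick something memorable.
    """
    n = len(password)
    if n < policy["min_len"]:
        return False, "too short ({} < {})".format(n, policy["min_len"])
    if n > policy["max_len"]:
        return False, "too long ({} > {})".format(n, policy["max_len"])
    return True, "ok"


def hash_password(password, salt=None):
    """Salted scrypt hash; the stored blob is salt || derived key.

    scrypt (like PBKDF2 and Argon2) hashes the whole input, so a 150-character
    passphrase is stored in exactly as many bytes as an 8-character one.
    Note: bcrypt is different and silently truncates input at 72 bytes, which is
    one reason a byte-length cap in the low hundreds is defensible; 20 is not.
    """
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return salt + dk


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, dk = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(candidate, dk)


def keyspace_bits(alphabet_size, max_len, min_len=1):
    """log2 of the number of candidates an exhaustive attacker must consider.

    Publishing a maximum length tells the attacker exactly where to stop.
    """
    total = sum(alphabet_size ** k for k in range(min_len, max_len + 1))
    return math.log2(total)


if __name__ == "__main__":
    passphrase = "correct horse battery staple"   # constructed 28-character example
    for name, policy in (("capped", CAPPED_POLICY), ("sane", SANE_POLICY)):
        print(name, check_policy(passphrase, policy))
    blob = hash_password("x" * 150)
    print("150-char password stored in", len(blob), "bytes; verifies:",
          verify_password("x" * 150, blob))
    print("search space with a 20-char cap: %.1f bits, 64-char cap: %.1f bits"
          % (keyspace_bits(95, 20), keyspace_bits(95, 64)))
```

The stored blob is the same 48 bytes whether the password is 8 or 128 characters, which is the whole point: a tight cap is a property of the storage behind the form, not of the hash.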
I’ve ranted at smaller services than PayPal for nonsense like this, but there is absolutely NO excuse I can accept for PayPal limiting passwords like this. They are simply too big, used by too many people and handle real frigging money to be allowed to pull bullshit like this. Limiting password length to 20 characters is simply UNACCEPTABLE! Get your shit together, PayPal, and remove this absurd limit NOW!