ArsTechnical looked at why there are all of those stupid limits on password length and, sometimes, what characters cannot be used. There is some good information there, but both the author of the piece and some of the folks interviewed seem to misunderstand one of the bigger problems with these artificial limits.
For example, here’s Microsoft’s Eric Doerr on Microsoft’s 16 character limit,
Microsoft imposes a length limit on the passwords its customers create: passwords can include a mix of upper and lower case letters, numbers, and symbols, but they can be no longer than 16 and no shorter than eight characters. Microsoft says that most attacks on accounts cannot be defended by password length, and the company adds that password cracking is hardly its biggest problem.
“Criminals attempt to victimize our customers in various ways and we’ve found the vast majority of attacks are through phishing, malware infected machines, and the reuse of passwords on third-party sites—none of which are helped by very long passwords,” a Microsoft spokesperson told Ars.
Toward the end, ArsTechnica writer Casey Johnson adds, perhaps a bit whimsically,
If nothing else, the varying password restrictions keep us from being lazy and using the same password for everything, which is itself good practice.
I suspect it’s the opposite–to the extent these arbitrary limits have any effect on overall security, it is to drive people toward reusing the same short passwords on multiple sites.
If the lowest common denominator is 8 characters with no percentage sign allowed, then many people will just make a single password that most of the services they use daily will accept and reuse that.
I prefer to use 20+ character passphrases. For the sites I use on a daily basis, its fairly easy to remember the passphrase outright. For sites I don’t use regularly, I let LastPass keep track of them and then at least when I have to manually type them in they are things that human beings can easily type rather than 7a6waz(4.
But so many sites won’t allow me to use long passphrases and it is tempting to just recycle a number of 8 character passwords I’ve used over the years.
So Doerr is right that securing passwords is hardly on the top rung of security threats, but not allowing longer passwords encourages habits that make the other attacks he’s more worried about even more likely.