57 · C0D4 · 5y

Dear EA games.
If you want to tell me my password needs to be “more” secure in your error message, at least tell the fucking truth about it.

- 100-random-character password entered on mobile
- response: password needs to be more secure
- WTF!
- loads on pc
- notices password rules
- must be between 8 and 16 characters...
- I think that’s a Wii little Less secure you ass hats, and WHY can’t you show this fucking notice on mobile 😖

Comments
  • 11
    Never understood why would someone limit the length of the password (apart from technical limitations of hashing algorithm).
  • 13
    And why the fuck can't you enter a password longer than 16 characters if you want? Maybe because the database field is a VARCHAR(16) and the password is stored in plaintext?

    I don't care if that's not really the case: every time I see password rules enforcing such a low and arbitrary maximum password length, to me there's no difference from actually storing the password in plaintext.
  • 2
    Ubisoft with Uplay does the same exact thing. Same also goes for 2K's My2K
  • 3
    @athlon plottwist:
    they use the same table in the same database
  • 4
    If I’m in charge EA, I will charge extra for less secured passwords. Or sell loot box with generated random passwords! 😎
  • 4
    I've had a theory about this.

    Think about the most sensible-worst-case scenario. A brute force attack.

    Now the computation of the password decryption for the password matching is somewhat expensive during a brute force attack.
    Meaning you need to minimize the amount of computation required in matching passwords if you need to return a True or False response for each request of any client.

    No limit to a password means a stream which potentially can be infinite, but in theory the stream continues to flow until getting some sort of submit sequence.
    In practice most people still use text-based passwords.

    But why only 16 characters then?
    A single UTF-8 character can be up to 6 bytes (48 bits) which leave 2 bytes for further instructions, retrieval or other uses.

    You have now limited passwords to process in a single CPU instruction during a brute force attack in a standard 64 bit OS.

    This enables your system to be functionally operating and serving other people while you get brute forced.
  • 3
    Exclusive deal; get 2 more extra password characters for only $4.99. And don't forget to share this deal with your friends to get 1 additional password character with your purchase.
    EA Sports - it's all a game.
  • 2
    A good string hashing algorithm is not limited in length.
  • 1
    I read longer the better, no matter how much you use special characters.
    ;;which means 16 alphabets is better than 8 alphabets+special char combo
  • 0
    @Yamakuzure Bcrypt is considered one of the best for passwords, but it still has a limit of 71 bytes. https://security.stackexchange.com/...
  • 0
    @hitzoR That's their problem. Those limits are either artificial by design, or the underlying algorithm is bad in a sense that it imposes an implicit limit due to the way it was written.

    However, there is at least one good reason why string hash algorithms could limit the maximum length used for input: The more characters you have beyond the output range, the more duplicates you might face.

    When getting long enough, multiple totally different strings can result in the same hash, which is, obviously, not the best trait for something in the field of security...
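The last few comments (a good hash is not length-limited, bcrypt stops reading input at 72 bytes, and the post's 16-character ceiling shown only on one client) can be demonstrated in code. What follows is an added example, written for this page and not code from the devRant post, EA, Ubisoft or 2K: a password policy with a minimum length and a generous byte cap instead of a 16-character maximum, a length-independent hashing path using only the Python standard library (scrypt), and a pre-hash step for the case where a 72-byte-limited function such as bcrypt has to stay in use. The names `check_policy`, `hash_password`, `verify_password`, `prehash_for_72_byte_kdf`, `simulate_72_byte_truncation`, the 1024-byte cap and the scrypt parameters are this example's own assumptions; the truncation helper models only the 72-byte cut, not bcrypt's actual hashing.

```python
"""Added example (not from the thread or from any vendor mentioned in it).

Shows: a policy that bounds *bytes*, not characters, and only generously;
a KDF path (scrypt) that uses every byte of any-length input; and a
SHA-256 pre-hash that makes every byte count when a 72-byte-limited KDF
(bcrypt) is unavoidable. All names and limits here are assumptions.
"""
import hashlib
import hmac
import os
from typing import List, Optional

MIN_LEN = 8            # floor only: the 8..16 rule from the post keeps just the floor
MAX_BYTES = 1024       # assumed cap on UTF-8 bytes: large enough for any passphrase,
                       # small enough to bound KDF work per login attempt (DoS concern,
                       # nothing to do with entropy)

# scrypt parameters chosen so the example runs quickly; pick deployment-appropriate
# values in production (assumption of this example, not a recommendation from the page).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024
SALT_LEN = 16
BCRYPT_INPUT_LIMIT = 72  # bytes of input bcrypt actually uses


def check_policy(password: str) -> List[str]:
    """Return human-readable violations (empty list means acceptable).

    The same function serves every client, so mobile and PC cannot disagree
    about the rules, and the message names the real limit that was hit.
    """
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"must be at least {MIN_LEN} characters")
    if len(password.encode("utf-8")) > MAX_BYTES:
        problems.append(f"must be at most {MAX_BYTES} bytes of UTF-8")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """scrypt over the full password: nothing is truncated, any length hashes."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                         maxmem=SCRYPT_MAXMEM, dklen=32)
    return salt + key          # stored record: 16-byte salt followed by 32-byte key


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, key = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hash_password(password, salt)[SALT_LEN:]
    return hmac.compare_digest(candidate, key)


def simulate_72_byte_truncation(password: str) -> bytes:
    """What a bcrypt-style KDF sees: only the first 72 bytes of UTF-8.

    Illustrative model of the truncation alone; it does not run bcrypt.
    Two passwords that agree on their first 72 bytes collapse to one input.
    """
    return password.encode("utf-8")[:BCRYPT_INPUT_LIMIT]


def prehash_for_72_byte_kdf(password: str) -> bytes:
    """SHA-256 of the password, hex-encoded: 64 ASCII bytes, so it fits under
    the 72-byte limit and still depends on every byte of the original input.
    Feed this value, not the raw password, into the length-limited KDF."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest().encode("ascii")


if __name__ == "__main__":
    # Constructed inputs: a 100-character password like the one in the post,
    # and two passwords that differ only after byte 72.
    long_pw = "x" * 100
    print("policy violations for 100 chars:", check_policy(long_pw))
    record = hash_password(long_pw)
    print("verify same input:", verify_password(long_pw, record))
    a, b = "a" * 72 + "1", "a" * 72 + "2"
    print("72-byte view identical:", simulate_72_byte_truncation(a) == simulate_72_byte_truncation(b))
    print("pre-hash distinguishes them:", prehash_for_72_byte_kdf(a) != prehash_for_72_byte_kdf(b))
```

The two helpers at the end make the bcrypt comment concrete: `simulate_72_byte_truncation` returns the same bytes for two passwords that only differ at position 73, while `prehash_for_72_byte_kdf` returns different 64-byte values for them, which is why the pre-hash is the usual fix when the KDF cannot be swapped. The scrypt path needs neither, and `MAX_BYTES` exists only to bound work per attempt, the one legitimate reason a server has to cap length at all.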
  • 0
    Ea is bad ... MKAY