So I've once again come up against a password length upper limit for internet banking, and I'm wondering why.
I really don't know anything about password handling, but I have read that if a password is handled and stored properly, length shouldn't be a factor, as properly hashing and salting results in a fixed-length string.
All banks I've dealt with seem to have a limit, some more ridiculous than others.
BNZ - 8 max
Kiwibank - 15 max
Westpac - 24 max
So the questions are:
Why is there a limit? Surely a longer password is better...
Is the limit a potential security risk? Not so much the length, but what it means about the way they're handling the password.
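
The fixed-length point raised in the question can be checked directly. The sketch below is an added example, not part of the original post and not any bank's code: it stores passwords as salt plus PBKDF2-HMAC-SHA256 digest and reports the stored size for inputs of several lengths. The iteration count, salt size, input cap and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000     # assumed work factor for this example
SALT_BYTES = 16          # assumed per-password random salt size
MAX_INPUT_BYTES = 1024   # assumed generous cap; it bounds hashing cost, not storage


def hash_password(password, salt=None):
    """Return salt || digest. The record is 48 bytes for any accepted input."""
    data = password.encode("utf-8")
    if len(data) > MAX_INPUT_BYTES:
        raise ValueError("password exceeds input cap")
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)
    return salt + digest


def verify_password(password, record):
    """Re-derive the digest with the stored salt and compare in constant time."""
    salt, expected = record[:SALT_BYTES], record[SALT_BYTES:]
    try:
        candidate = hash_password(password, salt)[SALT_BYTES:]
    except ValueError:
        return False  # over-long input can never match a stored record
    return hmac.compare_digest(candidate, expected)


def stored_sizes(passwords):
    """Map each password's length to the size of its stored record."""
    return {len(p): len(hash_password(p)) for p in passwords}


if __name__ == "__main__":
    # Constructed sample inputs: the three bank limits from the post, plus a long one.
    samples = ["a" * 8, "b" * 15, "c" * 24, "d" * 200]
    for length, size in stored_sizes(samples).items():
        print(f"{length:>3}-character password -> {size}-byte record")
```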