The following list of sites, which is far from incomplete, should be ashamed of themselves for bad security policies:
- Marriott Bonvoy (20 char cap) https://www.marriott.com/loyalty.mi **
- StubHub (20 char cap) https://www.stubhub.com/
Justification: I realize that a 20-character password is far more secure than what 99.99999% of the population use on a daily basis. However, this is just plain lazy. To put it into perspective, altering an SQL database password column from 20 to 64 could be as simple as this:
ALTER TABLE users MODIFY password varchar(128);
This would allow any encrypted hash to be stored, without consideration of characters. A sane limit to the number of characters, in my opinion, is 128.
There’s an interesting post written on another blog that talks about password cracking. Estimating Password Cracking Times
** SPG allowed up to 64 char, but after the August 13th, 2018 program merger, those with stronger passwords were required to significantly downgrade their security