Please stop making arbitrary password restrictions
OK so it's 2020, can we please stop with these arbitrary bullshit limits on maximum password length:
There's no reason whatsoever that you should be forcing your users to have a password length less than 16 characters, this is particularly egregious in 2020. When you combine this with "include one number and one letter" you see this is security theatre, this classic XKCD comic explains why limiting password length is not good for security in practice. Security theatre like this is incredibly damaging because of the false sense of security it creates and honestly I wish people would just stop it.
So why does seeing something like this make me this angry? The first reason is that this is a service that provides bookings for a large number of health and wellness companies (over 58000 businesses according to their SEC report), it's not like this is a small business that threw together a prototype in a hurry where a security breach will impact all 15 of their clients. Many thousands or maybe even millions of user accounts could be at risk here in the case of a data breach if their passwords are not stored properly. But aside from scale there's also the question of funding, Mindbody raised millions of dollars at it's IPO and was acquired for $1.9 billion US dollars in 2019. This is just such a large organization that ignorance should be no excuse, not that bad security policies like this should be excusable in the first place.
After multiple years of working with different companies as a consultant on these sorts of matters I've overwhelmingly found that when arbitrary not-best-practices decisions with security are made its a very solid signal that the systems tend to be vastly less secure overall. My mind goes back to the infamous Hotmail password truncation issue1 since this also has a maximum 16 characters limit I wonder if the implementation has the same limitations? Over the years I've seen passwords that were encrypted rather than hashed2, sloppy hashing of passwords, no salting used, passwords stored as plaintext in a database column that was limited to 16 characters3, and many other substandard practices in my own work fixing legacy systems. When I see substandard security choices, I start to ask what else have they done poorly?
So it turns out that my hunch that other things might be done poorly was correct since MindBodyOnline is indeed a plain text offender: https://plaintextoffenders.com/post/4497916345/mindbodyonlinecom-handles-scheduling-and. After many years in the industry you get an intimate understanding that security is hard. Places that get a very basic issue wrong tend to have a lot of problems across the board, this is just one example of many I've seen over the years. This tends to come about because firms either don't take security seriously enough or don't care if there's consequences for breaches. Good security in organizations is only possible in a culture that takes it seriously, so changing this culture is extremely important if you want to see real improvements.
Also these sorts of arbitrary length restrictions make the issue of password reuse a lot worse, users tend to get used to having passwords that are short and contrived just to jump through these arbitrary hoops. You want a password policy that allows easy use of a password manager, since password managers are an increasingly important factor in keeping the internet secure. The reason password reuse has become such a huge issue is that there's a massive proliferation of different websites/service/apps etc that need passwords for logging in. Given that services get compromised regularly attackers can sometimes find it easy to gain access to other accounts by taking the credentials in data breaches and then attempting to log into other services using the same information.
If your clients can't enter in a random dump of 32 characters (or more) in 2020 then the password system is shit and needs fixing because it's actively getting in the way of people using password managers. Not only does this make the security worse for users, with a growing number of people using password managers this creates a UX issue that directly draws attention to the systems security shortcomings. Even if you don't care about security on it's own merits, and you really should with the growing legal implications for neglect in this area, please consider that users will not be net promoters of your product if they have misgivings about the security of your product. As an industry we need to be making it easier for people to use password managers because password reuse is becoming one of the biggest problems in account security due to the huge numbers of data breaches that are happening all over the place. It doesn't matter how secure your systems are if your users have the same passwords across multiple sites and the other sites breaches allow crackers to just enter in via the front door. To be a good citizen of the internet age you need to make it easy for your users to use unique and secure long passwords and making it easy for password managers to be used with your services will help this.
If you wonder why it matters that a password stored just with a SHA hash is a liability I invite you to search up the following:
2d27b62c597ec858f6e7b54e7e58525e6a95e6d8, what did you find? What password could this have been? ↩
https://security.stackexchange.com/questions/41447/why-is-password-hashing-considered-so-important this is a good discussion of why you should hash passwords and not encrypt passwords when you store them. ↩
It's very easy to make a database column called "passwords" or similar that's a
varchar(16), but please don't do this even in development since more than once in my career I've seen prototypes hastily thrown into production by management. ↩