Why aren’t there universal parameters for online passwords?


How is it 2021 and password parameters are completely site-dependent? Character limits, no special characters/special characters required/only certain special characters, etc. I feel like the various rules make it more likely people will use bad habits like writing passwords down, or making less complex passwords more likely?

Edit: Upon further discussion in the replies, with many good points being made, I realized my real question should have been: why do some sites set password parameter limitations? I should be able to input a 25-character complex passphrase with letters, numbers, special characters if I want, whether it’s for my Netflix account or bank account. What I don’t understand is my bank being like, “Nah, you can only use 12 characters, and you can’t use @”. That’s my frustration, and was more my question because I figured there was a technical reason behind it likely.


15 Answers

Anonymous 0 Comments

> Edit: Upon further discussion in the replies, with many good points being made, I realized my real question should have been: why do some sites set password parameter limitations? I should be able to input a 25-character complex passphrase with letters, numbers, special characters if I want, whether it’s for my Netflix account or bank account. What I don’t understand is my bank being like, “Nah, you can only use 12 characters, and you can’t use @”. That’s my frustration, and was more my question because I figured there was a technical reason behind it likely.

Sometimes there are technical reasons. For instance, it’s going into some sort of SQL query, and they want to make sure it won’t screw it up somehow. I can expand on this if you like.

Sometimes it’s customer service. You don’t want to deal with people who set up their password on a Russian system and now can’t figure out how to type that on a Mac with a Spanish keyboard. The same goes for unusual characters. On some layouts it’s very easy to get an € or a £. On others you’d have a hard time. So forbidding anything strange reduces the likelihood of somebody running into such issues.

Sometimes it’s some ancient system sitting in the middle that hasn’t been updated in the last 3 decades, and so you have to play by its rules.

And oftentimes it’s just some random standard or “best practice” that’s been inherited from somewhere else and nobody bothered to think about much. The dev just had it burned in their brain that passwords top out at 8 characters on some earlier project, so 8 characters is what gets written into new code.
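On the SQL reason given in the answer above, an added example (not part of the original post or any site's code): when the password is hashed and passed as a bound parameter, its length and characters never reach the SQL text, and what gets stored is a fixed 32 bytes. The table layout, iteration count and sample passwords are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import sqlite3
import unicodedata

ITERATIONS = 600_000  # work factor assumed for this example

# Constructed sample passwords: one long with quotes, ';', '--', '@' and
# non-ASCII characters, one short and plain.
LONG_PW = "it's a 40+ char pass; with @ \u20ac \u00a3 \" and -- caf\u00e9"
SHORT_PW = "hunter2"

def derive(password: str, salt: bytes) -> bytes:
    # NFKC normalization: the same visible text typed on different
    # keyboards or operating systems encodes to the same bytes.
    data = unicodedata.normalize("NFKC", password).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)

def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db

def register(db: sqlite3.Connection, name: str, password: str) -> None:
    salt = os.urandom(16)
    # Bound parameters: the values travel separately from the SQL text,
    # so no character in them can change the statement.
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (name, salt, derive(password, salt)))

def verify(db: sqlite3.Connection, name: str, password: str) -> bool:
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, derive(password, salt))

def stored_lengths(db: sqlite3.Connection) -> list:
    # Size in bytes of each stored hash, independent of password length.
    rows = db.execute("SELECT length(pw_hash) FROM users ORDER BY name")
    return [n for (n,) in rows]
```
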
