Completely agree on all accounts. For every application and website I've written, authored, and maintained since I was a teenager (I'm 33 now) I've always
The only time I've ever had to ask for a legal name or other identifiable information, was when I wrote an online ordering system and it was required for shipping and billing information. And I've always made sure that data stayed forever changeable.
I fully believe in storing as little information about a user as possible in my databases, sticking strictly to what is needed to make the app do its thing, and nothing more. I don't even want your passwords if I can help it.
It straight up baffles me when I see anything else. Like MAXIMUM password length for example. Give me a break. But then.. yeah.. my wife has gone through a name change too, she got married to me and took my last name, and getting her online identities matched up to that has been a weird hell and a half.
I can't see why anybody might want a maximum password length, unless they DON'T store the hashed password, that doesn't bode well (even if it was encrypted it would be terrible).
Bcrypt is limited to 72 characters. It's the only reasonable limitation, as you would not want password managers to assume the user's password was longer than required to authenticate (especially if you migrated upwards in hash).
Totally true, anything longer and BCrypt will truncate. I like Argon2's input limit of 4.29b characters much better hehe
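Worked illustration of the 72-byte point in the two comments above, added here as an example and not code posted by anyone in the thread. bcrypt hashes only the first 72 bytes of its input (bytes, not characters, so a 40-character password made of two-byte UTF-8 letters already exceeds it). The block does not call bcrypt itself, since the third-party `bcrypt` package is not part of this discussion; it simulates the truncation with a plain byte slice, shows the collision that silent truncation produces, and then shows the two usual mitigations: refusing over-long input instead of truncating, and pre-hashing with SHA-256 plus base64 so every byte of a long passphrase still reaches the KDF. Function names and the constructed passwords are my own choices.

```python
"""Added example: bcrypt's 72-byte input limit and two mitigations.

bcrypt is NOT called here; truncation is simulated with slicing so the
block runs on the standard library alone. The behaviour being simulated
(only the first 72 bytes are hashed) is bcrypt's documented limit.
"""
import base64
import hashlib

BCRYPT_MAX_BYTES = 72  # bcrypt's input limit, in bytes of the encoded password


def bcrypt_input_bytes(password: str) -> bytes:
    """The UTF-8 bytes a bcrypt implementation would actually see.

    The limit applies to these bytes, not to the character count:
    'é' is 2 bytes, most emoji are 4, so character length undercounts.
    """
    return password.encode("utf-8")


def truncated_like_bcrypt(password: str) -> bytes:
    """Simulate bcrypt's silent truncation (constructed stand-in, no bcrypt call)."""
    return bcrypt_input_bytes(password)[:BCRYPT_MAX_BYTES]


def collides_after_truncation(a: str, b: str) -> bool:
    """True when two *different* passwords would verify against the same bcrypt hash.

    Any two passwords that agree on their first 72 bytes are indistinguishable
    to bcrypt, regardless of what follows.
    """
    return a != b and truncated_like_bcrypt(a) == truncated_like_bcrypt(b)


def fits_bcrypt(password: str) -> bool:
    """Does the encoded password fit within bcrypt's limit without truncation?"""
    return len(bcrypt_input_bytes(password)) <= BCRYPT_MAX_BYTES


def reject_if_too_long(password: str) -> bytes:
    """Mitigation 1: refuse over-long input up front rather than truncating silently.

    This is the policy the comment above argues for: a visible maximum of 72
    bytes, so a password manager never stores more than bcrypt will check.
    """
    data = bcrypt_input_bytes(password)
    if len(data) > BCRYPT_MAX_BYTES:
        raise ValueError(
            f"password is {len(data)} bytes; bcrypt would hash only the first "
            f"{BCRYPT_MAX_BYTES}"
        )
    return data


def prehash_for_bcrypt(password: str) -> bytes:
    """Mitigation 2: SHA-256 pre-hash, base64-encoded, then feed that to bcrypt.

    Every byte of the original password influences the digest, so a 200-byte
    passphrase keeps its full entropy. The base64 step is deliberate: a raw
    digest can contain 0x00, which C-string-based bcrypt implementations treat
    as end of input, and base64 output is 44 ASCII bytes, comfortably under 72.
    """
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest)


if __name__ == "__main__":
    # Constructed inputs: identical for 72 bytes, differing only afterwards.
    pw_a = "a" * 72 + "x"
    pw_b = "a" * 72 + "y"
    print("collide under bcrypt truncation:", collides_after_truncation(pw_a, pw_b))
    print("'é' * 40 fits bcrypt:", fits_bcrypt("é" * 40))
    print("pre-hashes differ:", prehash_for_bcrypt(pw_a) != prehash_for_bcrypt(pw_b))
```

The pre-hash route is the one to reach for when you cannot impose a limit (for example, when migrating an existing user base); if you do use it, the pre-hash must be applied identically at registration and login, and ideally you version the scheme so you can later move to Argon2 without guessing which users have pre-hashed passwords.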
That said, 72 characters isn't the worst length limit, but when you're asked by your bank for a max limit of 14 or something similarly pathetic like that