I just made a new account with some eGov service (Belgian government). I use LastPass (which generates long, random strings for each site),
But the system told me that the maximum allowed length was 16 ASCII symbols. Why do people do this? If they hash it, then the length should not matter, right?
Is there a reason for this? I cannot see a any good explanation for this. What am I missing something here?
Some hash functions are based on block ciphers like DES. The maximum (effective) input size of these algorithms are limited by the block-size of the internal cipher. See for example:
http://man7.org/linux/man-pages//man3/crypt.3.html
https://en.wikipedia.org/wiki/LM_hash
There is of course a non-negligible possibility (we are talking about eGov) that the password storage of your particular service is fundamentally flawed.
